SSL not working

#1
I've installed OpenLiteSpeed + WordPress from this Docker build, on an AWS EC2 instance.
https://hub.docker.com/r/litespeedtech/openlitespeed

I managed to get WordPress working. But the SSL install, using ACME as that page describes, didn't work.

Code:
ubuntu@ip-172-31-2-130:~/ols-docker-env$ ./bin/acme.sh --domain extensible.ml
[Start] Checking ACME
[End] Checking ACME
[O] The domain name extensible.ml is accessible.
[O] The domain name www.extensible.ml is accessible.
[X] The document root folder /var/www/vhosts/extensible.ml/html does not exist!
This Docker build's default web directory is
Code:
/home/ubuntu/ols-docker-env/sites/localhost/html
(which, from inside the container's filesystem, entered by running
Code:
docker exec -it ols-docker-env_litespeed_1 bash
maps to
Code:
/var/www/vhosts/localhost/html
)

I also tried getting one manually through LetsEncrypt using `certbot`, following these:
https://openlitespeed.org/kb/ssl-setup/
https://openlitespeed.org/kb/lets-encrypt-ssl-on-openlitespeed/

It successfully gave me both a certificate and key file:
Code:
/etc/letsencrypt/live/extensible.ml/fullchain.pem
Code:
/etc/letsencrypt/live/extensible.ml/privkey.pem
And I went to the WebAdmin dashboard, under listeners, under HTTPS, and added the path of those two in the private key & certificate file fields (following those docs).
I tried adding the HTTPS listener to the "Example" virtual host, and tried without.
I also checked all the boxes for "protocol version" (e.g. SSL v3.0, TLS v1.0, etc.) as other docs online suggested, and tried without them.

Nothing's worked yet. Traffic on HTTP works fine, but nothing does on HTTPS yet.
Any attempt is blocked (refused to connect), and no firewalls are in place to prevent incoming traffic (by means of ufw, or EC2 security groups.)

Any hints?
Thanks

#2
Solved it. I originally installed OLS with the Docker image by using the command
Code:
bash bin/demosite.sh
But that gave the error that the document root folder doesn't exist, as listed above.

But when I install WordPress by running
Code:
bash bin/domain.sh [-A, --add] example.com
instead, it worked when I tried to run the acme script to get SSL installed. So don't install using demosite.sh in order for the acme SSL script to work.
 
#4
Hi @Oxilion

That happens because you did not update the domain name from the .env file before running the demo script. :)
https://github.com/litespeedtech/ols-docker-env/blob/master/.env#L8
If you update it then run the demo script, the new domain folder will be generated automatically.

Best,
Eric
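The "[X] The document root folder ... does not exist!" failure in #1 can be checked for before bin/acme.sh is run at all. The script below is an added example, not code from ols-docker-env or acme.sh: it assumes the .env file carries the DOMAIN= key that the link above points at, and that the vhost document root follows the /var/www/vhosts/DOMAIN/html layout the error message shows. The vhost base directory is a parameter so the check can be exercised against a scratch tree instead of the real container.

```shell
#!/bin/sh
# Added example (not part of ols-docker-env): reproduce the pre-flight check
# bin/acme.sh performs, so a mismatch between .env and the vhost tree is
# caught before any ACME request is made.

# domain_from_env ENV_FILE -> prints the value of the DOMAIN= line (assumed key name)
domain_from_env() {
  sed -n 's/^DOMAIN=//p' "$1" | head -n 1
}

# docroot_for VHOST_BASE DOMAIN -> prints the document root the ACME script expects
docroot_for() {
  printf '%s/%s/html\n' "$1" "$2"
}

# check_docroot ENV_FILE VHOST_BASE -> 0 if the document root exists, 1 otherwise
check_docroot() {
  domain=$(domain_from_env "$1")
  if [ -z "$domain" ]; then
    echo "[X] No DOMAIN set in $1" >&2
    return 1
  fi
  root=$(docroot_for "$2" "$domain")
  if [ -d "$root" ]; then
    echo "[O] Document root $root exists"
    return 0
  fi
  echo "[X] Document root $root does not exist; create the vhost (bin/domain.sh --add $domain) first" >&2
  return 1
}

# Stand-alone demo on a constructed scratch tree (not the real container):
demo=$(mktemp -d)
printf 'DOMAIN=extensible.ml\n' > "$demo/.env"
check_docroot "$demo/.env" "$demo/vhosts" || echo "(expected: vhost not created yet)"
mkdir -p "$demo/vhosts/extensible.ml/html"
check_docroot "$demo/.env" "$demo/vhosts"
rm -rf "$demo"
```

Inside the container the call would be `check_docroot /path/to/.env /var/www/vhosts`; the same mismatch explains #2, where demosite.sh created a localhost vhost while .env still named a different domain.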

Thanks @Unique_Eric

One more question about ACME, can I use this to generate a wildcard SSL cert?
Would it be as simple as
Code:
$ bin/acme.sh --domain *.example.com
or something else...

I've setup WP multisite, and creating new sub-sites through its frontend doesn't create a vhost for each site. So a wildcard is necessary in that case, since I can't create a cert the usual way for each subdomain (i.e. sub1.example.com), as that'd require creating a vhost first for it.

Unique_Eric

Administrator
Staff member
#5
Hi,

The current built-in command does not support wildcards.
Code:
./bin/acme.sh [-D, --domain] example.com
Please access the docker container and manually run the acme wildcard cert apply command.
In general, you’ll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.
Code:
/root/.acme.sh/acme.sh --issue -d yourdomain.tld -d '*.yourdomain.tld' --dns
Check the acme docs for more information on the manual process.

Let us know if it works.

Best,
Eric
#6
I ended up getting it working by running this (inside the container's session)

Code:
root@c2a4f4451405:/var/www/vhosts# /root/.acme.sh/acme.sh --issue -d extensible.ml -d '*.extensible.ml' --dns dns_cf
(I found that the 'dns_cf' after the --dns flag comes from their GitHub wiki)

Added the TXT record to Route 53, re-ran the previous line with a '--renew' flag after waiting for it to propagate, and restarted all containers to notice the change.

Thanks
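The issue commands in #5 and #6 name both the apex (extensible.ml) and the wildcard ('*.extensible.ml'), and the multisite question in #4 depends on what a wildcard actually covers. The script below is an added example, not code from the thread, acme.sh or OpenLiteSpeed: it implements the wildcard rule browsers apply when matching a certificate's names against a host (RFC 6125: a '*' stands for exactly one DNS label, so it never matches the apex and never matches two labels), which is why both names are requested and why only one level of multisite subdomains is covered.

```shell
#!/bin/sh
# Added example: does a list of certificate names (SAN entries) cover a host?
# Implements the one-label wildcard rule; names and hosts below are constructed.

# wildcard_matches PATTERN HOST -> 0 if PATTERN (of the form *.suffix) covers HOST
wildcard_matches() {
  suffix=${1#\*.}
  case "$2" in
    *."$suffix")
      label=${2%."$suffix"}
      # exactly one non-empty label may stand in for the '*'
      case "$label" in
        ''|*.*) return 1 ;;
        *)      return 0 ;;
      esac ;;
  esac
  return 1
}

# cert_covers HOST NAME... -> 0 if any NAME (literal or wildcard) covers HOST
cert_covers() {
  host=$1; shift
  for name in "$@"; do
    case "$name" in
      '*.'*) wildcard_matches "$name" "$host" && return 0 ;;
      *)     [ "$host" = "$name" ] && return 0 ;;
    esac
  done
  return 1
}

# Demo with the names from the thread:
for h in extensible.ml sub1.extensible.ml a.b.extensible.ml extensible.ml.example; do
  if cert_covers "$h" extensible.ml '*.extensible.ml'; then
    echo "$h: covered"
  else
    echo "$h: NOT covered (needs its own SAN entry)"
  fi
done
```

The practical reading for a multisite install: sub1.extensible.ml is covered, extensible.ml is covered only because it was requested explicitly, and a nested name such as a.b.extensible.ml would need a separate -d entry.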

Unique_Eric

Administrator
Staff member
#7
Thanks for sharing.

One more thing. Since you ran the command manually, you might want to add a web server restart hook to the cronjob.
e.g. access the container and run
Code:
/usr/local/bin/certhookctl.sh