LS 5.3.6 - letsencrypt cert renews, but lsws keeps serving old cert until graceful restart

c0ldshadow

Well-Known Member
#1
Hi, I'm on LS 5.3.6. One of my letsencrypt certs expired yesterday but successfully renewed via certbot renew. Everything worked correctly from certbot...

However, my website kept serving the old/invalid cert until I manually logged in to lsws console and did a graceful restart.

Is this a known issue? Please advise if any suggestions or if need any other logs/etc to troubleshoot

Thanks!!

-Avery
 

Pong

Administrator
Staff member
#2
You should add service lsws restart after your SSL certificate renew/change to let the server pick up the change.
 

imkh

New Member
#3
> You should add service lsws restart after your SSL certificate renew/change to let the server pick up the change.
Can you please elaborate? Where do we add "service lsws restart" so it happens automatically when CertBot renews the certificate?
 

Unique_Eric

Administrator
Staff member
#4
Hi,

If there's no control panel to handle it, you edit /etc/cron.d/certbot, and add the --deploy-hook "/usr/local/lsws/bin/lswsctrl restart" hook to the end of the default certbot command.

Best,
Eric
 

Unique_Eric

Administrator
Staff member
#6
Hi,

The OpenLiteSpeed control panel only provides web server setup. Please add the previous suggestion to get the certbot renew.

Best
 

imkh

New Member
#7
> Hi,
>
> The OpenLiteSpeed control panel only provides web server setup. Please add the previous suggestion to get the certbot renew.
>
> Best
Oh weird, I just checked /etc/cron.d/certbot and it already had that restart command. I wonder why it still needed a manual restart? Odd.
 
#8
I'm in the same situation: /etc/cron.d/certbot is correctly configured, the certificate is being renewed by certbot, but the server doesn't restart. I have to manually log in and restart the server. If I don't, the website keeps serving the old certificate (although certbot has already renewed it).

I have also tried to add a certbot post hook, but with no success.
 

Unique_Eric

Administrator
Staff member
#9
Hi,

Do you see any restart log in /usr/local/lsws/logs/lsrestart.log if you run the whole command manually, e.g.
Code:
certbot renew -q --deploy-hook 'systemctl restart lsws'
If it failed, please check whether there's any useful message in "/var/log/letsencrypt/letsencrypt.log"

Best,
Eric
 
#10
Hi,

No restart logs other than the ones I did manually

Bash:
certbot renew...
=> no renewal failures, Cert not yet due for renewal

I'm sure it's pretty dumb

This is on a DigitalOcean with a pre-made OLS image/droplet

edit: I'll try the
Bash:
certbot renew...
with the force option
 

Unique_Eric

Administrator
Staff member
#11
Right, the deploy hook only works if the renewal succeeds, so you might need to use force-renew or dry-run to trigger it.

How about a post hook? https://certbot.eff.org/docs/using.html?highlight=renew#pre-and-post-validation-hooks
But I feel a post hook is not ideal, even worse than a cron job to restart lsws every three days.

The certbot post issue has happened before, but not in many cases. Please let us know what you got so we can improve it, or maybe not use the --deploy-hook.
 
#12
Hi Eric,

I got it working with `certbot renew -q --deploy-hook 'systemctl restart lsws'`!

I think I need to update my cron to use "systemctl restart lsws" instead of "/usr/local/lsws/bin/lswsctrl restart". I'm not sure why the latter does not work... Maybe it's not being run by the correct user?

Thank you for the support :)
 

qtwrk

Well-Known Member
#13
> Hi Eric,
>
> I got it working with `certbot renew -q --deploy-hook 'systemctl restart lsws'`!
>
> I think I need to update my cron to use "systemctl restart lsws" instead of "/usr/local/lsws/bin/lswsctrl restart". I'm not sure why the latter does not work... Maybe it's not being run by the correct user?
>
> Thank you for the support :)

it's some update in systemd

in "ancient" times, systemd doesn't "care" who started the process and it just takes control of it

but in a recent (like a year ago?) systemd update, it only "takes care" of processes started by systemd

by that means, if you run `lswsctrl start`, then `systemctl stop/restart lsws`, it won't work, as the initial start up was not done by systemd; it will throw a warning and ignore the action.
 
#14
I have this same exact issue from DigitalOcean droplets preinstalled with LiteSpeed. Two different servers did the same exact thing. The cert renewed but lsws failed to restart.
 

Unique_Eric

Administrator
Staff member
#15
Please try the following commands; next time the cert renewal should restart LSWS successfully.

Code:
/usr/local/lsws/bin/lswsctrl stop >/dev/null
systemctl stop lsws >/dev/null
systemctl start lsws >/dev/null
 
#19
Hi,

I am having the exact same issue. Certificate renews fine but LSWS doesn't restart.

/etc/cron.d/certbot has this in it which appears to be correct.

Code:
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook "systemctl restart lsws"
Please help
 
#20
I'm having the same issue and it's been going on for about a year. I have a few threads addressing it on the Letsencrypt forum too (Browsers not picking up new SSL certificates).

I do have an error in my debug log /var/log/letsencrypt/letsencrypt.log

Code:
2021-02-26 00:28:09,136:ERROR:certbot.hooks:Hook command "/usr/local/lsws/bin/lswsctrl reload" returned error code 2
What does this mean? How can I fix it?
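
The two failure modes seen in posts #19 and #20, as an added example that is not part of the thread or of LiteSpeed's tooling: the cron entry is guarded by `! -d /run/systemd/system`, so cron skips it (and its `--deploy-hook`) on a host booted with systemd, and a hook that does run can still exit non-zero. Function names are hypothetical; the sample reuses the cron line and log line quoted above plus one constructed filler log line.

```bash
#!/usr/bin/env bash
# Added example: triage why a certbot deploy hook did not restart lsws.
# Function names and the sample inputs below are constructed for illustration.

# True if the cron.d line only runs when the host was NOT booted with systemd
# (/run/systemd/system exists on systemd hosts, so the "! -d" test fails there).
cron_skipped_under_systemd() {
  printf '%s\n' "$1" | grep -Fq -- '! -d /run/systemd/system'
}

# Print the command given to --deploy-hook on a cron line (nothing if absent).
deploy_hook_of() {
  printf '%s\n' "$1" |
    sed -nE "s/.*--deploy-hook[ =]+[\"']([^\"']*)[\"'].*/\\1/p"
}

# Read a certbot log on stdin; print "<exit code> <command>" per failed hook.
failed_hooks() {
  sed -nE 's/.*ERROR:certbot\.hooks:Hook command "([^"]*)" returned error code ([0-9]+).*/\2 \1/p'
}

# Sample inputs: the cron entry and log line quoted in the thread, plus one
# constructed filler line that must not match.
CRON_LINE='0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e '\''sleep int(rand(43200))'\'' && certbot -q renew --deploy-hook "systemctl restart lsws"'
LOG_SAMPLE='2021-02-26 00:28:08,900:DEBUG:constructed:unrelated filler line
2021-02-26 00:28:09,136:ERROR:certbot.hooks:Hook command "/usr/local/lsws/bin/lswsctrl reload" returned error code 2'

report() {
  echo "deploy hook: $(deploy_hook_of "$CRON_LINE")"
  if cron_skipped_under_systemd "$CRON_LINE"; then
    echo "cron entry is skipped on systemd hosts; its hook never runs there"
  fi
  printf '%s\n' "$LOG_SAMPLE" | failed_hooks | while read -r code cmd; do
    echo "hook failed (exit $code): $cmd"
  done
}
report
```

On a real host, feed the functions the contents of /etc/cron.d/certbot and /var/log/letsencrypt/letsencrypt.log instead of the samples.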
 