Unexpected replacement of Let’s Encrypt Certificates with self-signed Litespeed Certificates after upgrade

krlabs

New Member
#1
After upgrading OLS to the 1.8 branch with lsup.sh, I unexpectedly saw that my active and valid Let's Encrypt certificate for the domain mail.kr-labs.com.ua had been replaced with a LiteSpeed self-signed cert.

The paths to VirtualHost and Listener SSL were saved, but for some reason the content of the LE certificate itself was replaced with a self-signed Litespeed certificate:

Code:
/etc/letsencrypt/live/mail.kr-labs.com.ua/fullchain.pem
Bash:
openssl s_client -connect mail.kr-labs.com.ua:995 -showcerts
CONNECTED(00000003)
depth=0 CN = kr-labs.com.ua, C = US, L = Virtual, O = LiteSpeedCommunity, OU = Testing, ST = NJ, emailAddress = mail@kr-labs.com.ua, name = openlitespeed, initials = CP, dnQualifier = openlitespeed
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = kr-labs.com.ua, C = US, L = Virtual, O = LiteSpeedCommunity, OU = Testing, ST = NJ, emailAddress = mail@kr-labs.com.ua, name = openlitespeed, initials = CP, dnQualifier = openlitespeed
verify return:1
---
Certificate chain
0 s:/CN=kr-labs.com.ua/C=US/L=Virtual/O=LiteSpeedCommunity/OU=Testing/ST=NJ/emailAddress=mail@kr-labs.com.ua/name=openlitespeed/initials=CP/dnQualifier=openlitespeed
   i:/CN=kr-labs.com.ua/C=US/L=Virtual/O=LiteSpeedCommunity/OU=Testing/ST=NJ/emailAddress=mail@kr-labs.com.ua/name=openlitespeed/initials=CP/dnQualifier=openlitespeed
When I review my actual cert with Certbot, it tells me this:

Code:
sudo certbot certificates
Renewal configuration file /etc/letsencrypt/renewal/mail.kr-labs.com.ua.conf produced an unexpected error: fullchain does not match cert + chain for mail.kr-labs.com.ua!. Skipping.

I solved this problem by deleting all dirs with LE certificates and reissuing them with Certbot. But why does OLS interfere with the integrity of the Let's Encrypt files and change them? It could have created a separate file with a self-signed certificate.

Explain to me if I have missed any points.
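An added check (my own example, not code from this thread, from OLS or from Certbot) for the two symptoms in this post: it compares the leaf certificate a listener actually serves with the first certificate in fullchain.pem on disk, and runs the cert + chain == fullchain consistency check that the Certbot error message describes. The host, port and path in the `__main__` block are taken from the post; the PEM samples at the bottom are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import ssl

# Compare what a TLS listener serves with the Let's Encrypt files on disk, and
# check that fullchain.pem is exactly cert.pem followed by chain.pem.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM string, in order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]

def _pem_block(der):
    """Wrap raw bytes in a PEM CERTIFICATE block (only used for the constructed samples)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"

def fingerprint(der):
    """SHA-256 fingerprint of one DER certificate, colon-separated as openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fullchain_consistent(cert_pem, chain_pem, fullchain_pem):
    """True when fullchain.pem is exactly cert.pem followed by chain.pem (compared as DER)."""
    return pem_to_der_list(cert_pem) + pem_to_der_list(chain_pem) == pem_to_der_list(fullchain_pem)

def served_leaf_matches(served_pem, fullchain_pem):
    """True when the leaf certificate the listener served is the first cert in fullchain.pem."""
    served = pem_to_der_list(served_pem)
    on_disk = pem_to_der_list(fullchain_pem)
    return bool(served) and bool(on_disk) and fingerprint(served[0]) == fingerprint(on_disk[0])

def check_listener(host, port, fullchain_path):
    """Fetch the leaf cert from host:port (implicit TLS, e.g. POP3S on 995) and compare it to disk."""
    served_pem = ssl.get_server_certificate((host, port))
    with open(fullchain_path) as f:
        return served_leaf_matches(served_pem, f.read())

# Constructed sample data: distinct byte strings standing in for DER certificates.
SAMPLE_LEAF = _pem_block(b"constructed-letsencrypt-leaf")
SAMPLE_CHAIN = _pem_block(b"constructed-intermediate")
SAMPLE_SELFSIGNED = _pem_block(b"constructed-litespeed-selfsigned")

if __name__ == "__main__":
    # Assumed values: the domain from this post and the default Certbot live path.
    ok = check_listener("mail.kr-labs.com.ua", 995, "/etc/letsencrypt/live/mail.kr-labs.com.ua/fullchain.pem")
    print("served certificate matches fullchain.pem" if ok else "MISMATCH: listener serves a different certificate")
```

Run the same comparison against cert.pem, chain.pem and fullchain.pem under /etc/letsencrypt/live/<domain>/ to reproduce the "fullchain does not match cert + chain" condition before deleting anything.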

Cold-Egg

Administrator
#2
May I know if you use a valid cert on the listener or virtual host SSL level? OLS won't touch the certificate files, it seems the site is using OLS default self-signed certificate for some reason. I can't reproduce the issue locally. If you can, please submit the issue to support@litespeedtech.com with this forum post link appended for further checking.

krlabs

New Member
#3
The certificate was valid until December 2024. It was used for the virtual host mail.kr-labs.com.ua, but at the same time it was listed as the primary certificate for the SSL listener. Both contained paths to a valid Let's Encrypt certificate under /etc/letsencrypt/live/... They were not changed or modified in any way. Perhaps this happened because the certbot renew mechanism for automatically updating certificates was not enabled or correctly configured. But still, OLS should not have been allowed to overwrite the contents of the LE certificate.

krlabs

New Member
#4
We have already reissued the certificate and the problem has been fixed, but I will still write to support about it. It might be a bug.

krlabs

New Member
#6
LiteSpeed's technical support team told us that this had nothing to do with the OLS update, namely the lsup script. We were advised to investigate the issue ourselves. We have also updated CyberPanel to the latest version, so it is possible that this could be the cause. So, we will analyze it.

krlabs

New Member
#7
We were pointed to a similar situation in this forum thread: https://forum.openlitespeed.org/threads/certificate-issue-after-update-to-1-8-1.6037/
It's similar with 100% accuracy. The owner solved the problem the same way we did: by deleting folders and reissuing certificates. But I still think it's a little bit wrong that OLS can automatically overwrite the contents of existing valid certificates in the Let's Encrypt folder, even though the ownership of these certificates has not been restricted. In my opinion, a separate file with a self-signed certificate should have been created. Then no questions would have arisen.