Unable to get SSL Listener connected

#1
Hi all, I've been struggling with this for a couple days now and I thought someone here might be able to point me in the right direction.

I installed OLS on a Linode, and set up a VHost template, with a single member virtual host (chronicdigital.com) to test it out. Everything is working as expected for port 80, but I can't get the SSL Listener operational.

Certbot was able to generate a certificate and private key successfully. I have an SSL Listener set up, and in the VHost Template, the SSL key and certificate settings are pointed to the correct files: /etc/letsencrypt/live/$VH_NAME/privkey.pem and /etc/letsencrypt/live/$VH_NAME/fullchain.pem

On the dashboard, my SSL listener shows a broken link icon. Qualys ssl labs test says it can't reach the server, but it does display the IP address when I test the domain name:
https://www.ssllabs.com/ssltest/analyze.html?d=chronicdigital.com

Any pointers would be greatly appreciated. The SSL Listener has these settings:
[screenshot: SSL Listener settings]
 

Cold-Egg

Administrator
#2
What about if you try to set the key and cert with the full path without any variable. Also, make sure you have the Chained Certificate set to Yes.
 
#3
What about if you try to set the key and cert with the full path without any variable. Also, make sure you have the Chained Certificate set to Yes.
Thanks for the ideas - I have the Chained Certificate set to Yes. I just tried using the full path to test this out, but it didn't work. However - I'm setting this up using a VHost Template, so ultimately, it will need to be a variable.

Are there particular permissions or owners that need to be set for the private key file and certificate file directory?
 
#5
@petethompson, have you setup the certificates at the listener level?
VHost Template level is not enough.
Hi @gilles, thanks for chiming in. I tried setting the certificate and private key at the Listener level too, but it didn't have any effect. But I was under the impression from the documentation that SSL settings on the VHost Template or Virtual Host level override anything you put in the Listener anyway. With that being the case, do you still have to set it in the Listener?
 
#7
I see. Thanks.

There's a letsencrypt certificate for the domain and an openssl certificate that I generated when I initially set up OLS. I tried pointing it to the domain's certificate as a test, but that did nothing. Unfortunately I don't know the path for the openssl certificate. If I can find it, I'll try to point the listener to that location and see if that works.
 
#8
Thanks @gilles and @Cold-Egg - I got this working ultimately by setting the Listener's SSL certificate and private key to be the absolute path to the chronicdigital.com cert, while changing the SSL settings in the vhost template to use the vhost variable. I'm going to add another virtual host using the same vhost template today; it should work the same way, in theory.
 
#9
A related issue arose while I was adding domains to this server --

In the VHost Template, I have the certificate files pointing to this directory: /etc/letsencrypt/live/$VH_NAME/
At the listener level, I have the absolute path for the certificate of the first domain I added to the server: /etc/letsencrypt/live/chronicdigital.com/

I successfully added two domains using the VHost Template, and their certbot certificates work as expected:
alandorsey.com
aliceharrisbooks.com

I've migrated a couple other domains to that server now and applied certbot certificates to them. But - the browser shows an SSL warning. The certificate at the Listener level is being used for any new domains I try to add. Example: nwleaf.com (screenshot below)

[screenshot: browser SSL warning for nwleaf.com]
 
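Added example, not from the thread or from OpenLiteSpeed itself: a small POSIX shell script that shows which certificate a server actually presents for a given SNI name and whether that certificate's Subject Alternative Names cover the name, which is the quickest way to tell "the listener's fallback cert is being served for this vhost" apart from a wrong cert path in the template. It assumes the openssl CLI (1.1.1 or newer) is installed; the host and domain names are the caller's arguments, and the domains in the trailing comment are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example: diagnose which certificate a TLS server presents for an SNI
# name, and whether its SANs cover that name. Assumes the openssl CLI (1.1.1+).

# Print the leaf certificate (PEM) presented for SNI name $1 by host $2
# (defaults to $1) on port 443.
fetch_served_cert() {
    openssl s_client -servername "$1" -connect "${2:-$1}:443" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Read a PEM certificate on stdin; print its DNS Subject Alternative Names,
# one per line.
cert_dns_names() {
    openssl x509 -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# cert_covers_name <hostname>   (certificate PEM on stdin)
# Exit 0 if a SAN matches exactly or as a one-level wildcard, 1 otherwise.
# Body runs in a subshell so 'set -f' stays local to this function.
cert_covers_name() (
    name=$1
    parent=${name#*.}
    set -f                      # SANs may contain '*'; never glob-expand them
    for san in $(cert_dns_names); do
        [ "$san" = "$name" ] && exit 0
        [ "$san" = "*.$parent" ] && [ "$parent" != "$name" ] && exit 0
    done
    exit 1
)

# For each domain given, report whether the certificate served for it really
# names it. A MISMATCH on a freshly added vhost is the symptom described in
# post #9: the listener-level certificate is answering for the new name.
check_sni_domains() {
    for d in "$@"; do
        if fetch_served_cert "$d" | cert_covers_name "$d"; then
            printf 'OK        %s\n' "$d"
        else
            printf 'MISMATCH  %s  (served certificate does not name this host)\n' "$d"
        fi
    done
}

# Network usage: check_sni_domains chronicdigital.com alandorsey.com nwleaf.com
```

The SAN check works on any PEM certificate fed to stdin, so it can also be run directly against /etc/letsencrypt/live/<domain>/fullchain.pem to confirm the file on disk names the vhost before touching the listener.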

Cold-Egg

Administrator
#11
Have you reloaded the OpenLiteSpeed Web Server?

Just a suggestion, please consider using LSCache Plugin to speed up all your sites on this server.
 
#12
@Cold-Egg I did a graceful restart, and also rebooted the server, but the certificate issue persists...

I'll definitely be using the LSCache plugin! I have OLS set up on another server with one site, and the LSCache plugin makes things astonishingly fast. I'm getting TTFB and load times comparable to a site I built on Gridsome.
 
#14
It seems like waiting overnight fixed the issue. It's no longer showing the wrong certificate.

There's a separate sort-of issue I discovered with Permalinks - When I migrate sites to this server the permalinks won't work unless I perform a graceful restart. I'm not sure if that's the expected behavior but it took me a while of trial-and-error to figure it out. Is this something I should log a ticket about?

Thanks!
 