Unexpected replacement of Let’s Encrypt Certificates with self-signed Litespeed Certificates after upgrade

#1
After upgrading OLS to the 1.8 branch with lsup.sh, I unexpectedly saw that my active and valid Let's Encrypt certificate for the domain mail.kr-labs.com.ua had been replaced with a LiteSpeed self-signed cert.

The paths to VirtualHost and Listener SSL were saved, but for some reason the content of the LE certificate itself was replaced with a self-signed Litespeed certificate:

Code:
/etc/letsencrypt/live/mail.kr-labs.com.ua/fullchain.pem

Bash:
openssl s_client -connect mail.kr-labs.com.ua:995 -showcerts
CONNECTED(00000003)
depth=0 CN = kr-labs.com.ua, C = US, L = Virtual, O = LiteSpeedCommunity, OU = Testing, ST = NJ, emailAddress = mail@kr-labs.com.ua, name = openlitespeed, initials = CP, dnQualifier = openlitespeed
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = kr-labs.com.ua, C = US, L = Virtual, O = LiteSpeedCommunity, OU = Testing, ST = NJ, emailAddress = mail@kr-labs.com.ua, name = openlitespeed, initials = CP, dnQualifier = openlitespeed
verify return:1
---
Certificate chain
0 s:/CN=kr-labs.com.ua/C=US/L=Virtual/O=LiteSpeedCommunity/OU=Testing/ST=NJ/emailAddress=mail@kr-labs.com.ua/name=openlitespeed/initials=CP/dnQualifier=openlitespeed
   i:/CN=kr-labs.com.ua/C=US/L=Virtual/O=LiteSpeedCommunity/OU=Testing/ST=NJ/emailAddress=mail@kr-labs.com.ua/name=openlitespeed/initials=CP/dnQualifier=openlitespeed

When I reviewed my actual cert with Certbot, it told me this:

Code:
sudo certbot certificates
Renewal configuration file /etc/letsencrypt/renewal/mail.kr-labs.com.ua.conf produced an unexpected error: fullchain does not match cert + chain for mail.kr-labs.com.ua!. Skipping.

I solved this problem by deleting all dirs with LE certificates and reissuing them with Certbot. But why does OLS interfere with the integrity of the Let's Encrypt files and change them? It could have created a separate file with a self-signed certificate.

Explain to me if I have missed any points.
 
#2
May I know if you use a valid cert on the listener or virtual host SSL level? OLS won't touch the certificate files, it seems the site is using OLS default self-signed certificate for some reason. I can't reproduce the issue locally. If you can, please submit the issue to support@litespeedtech.com with this forum post link appended for further checking.
 
#3
The certificate was valid until December 2024. It was used for the Virtual host mail.kr-labs.com.ua, but at the same time it was listed as the primary certificate for the SSL Listener. Both contained paths to a valid Let's Encrypt certificate /etc/letsencrypt/live/... They were not changed or modified in any way. Perhaps this happened because the certbot renew mechanism for automatically updating certificates was not enabled or correctly configured. But still, the OLS system was not allowed to overwrite the contents of the LE certificate.
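
A check that can be run against a certbot lineage directory before and after a server upgrade, to catch the two symptoms reported in this thread (the `fullchain does not match cert + chain` error and a self-signed leaf in the Let's Encrypt path). This is an added example, not code from the thread, OLS or certbot; the function names are hypothetical, and it assumes certbot's standard layout in which `live/<name>/*.pem` are symlinks into `archive/<name>/`.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes certbot's standard layout: live/<name>/*.pem are symlinks into
# archive/<name>/, and fullchain.pem is cert.pem followed by chain.pem.

# Heuristic: subject == issuer means the leaf is self-issued, as in the
# LiteSpeedCommunity certificate shown by s_client in the first post.
is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$issuer" ]
}

# Prints a space-separated list of findings; returns 0 only if there are none.
check_le_lineage() {
    dir=$1
    problems=""
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -e "$dir/$f" ]; then
            problems="$problems missing:$f"
        elif [ ! -L "$dir/$f" ]; then
            # A regular file here means something replaced certbot's symlink.
            problems="$problems not-symlink:$f"
        fi
    done
    # The rule behind certbot's "fullchain does not match cert + chain" error.
    if ! cat "$dir/cert.pem" "$dir/chain.pem" 2>/dev/null |
            cmp -s - "$dir/fullchain.pem"; then
        problems="$problems fullchain-mismatch"
    fi
    # Skipped when openssl is absent or the file does not parse as X.509.
    if command -v openssl >/dev/null 2>&1 &&
            is_self_issued "$dir/fullchain.pem"; then
        problems="$problems self-issued-leaf"
    fi
    echo "${problems# }"
    [ -z "$problems" ]
}

# Usage: sh check_le.sh /etc/letsencrypt/live/<name>
if [ "$#" -gt 0 ]; then
    check_le_lineage "$1"
fi
```

A `fullchain-mismatch` finding with all symlinks intact indicates that a file in `archive/` was written through the symlink, which is consistent with paths staying the same while the certificate content changed.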
 