Install and automate SSL certificates on LiteSpeed using SeFlowSSL CaaS (Sectigo ACME)

This guide explains how to install and automate SSL/TLS certificates on LiteSpeed, OpenLiteSpeed, or LiteSpeed Enterprise using acme.sh and SeFlowSSL CaaS (Sectigo ACME).

The procedure covers ACME registration, certificate issuance, LiteSpeed installation, HTTPS configuration, and automatic renewal verification.

Replace all placeholder values with your own domain and SeFlowSSL CaaS subscription details.

Prerequisites

  • LiteSpeed Web Server installed.
  • Shell access with sudo or root privileges.
  • DNS A or AAAA record pointing to this server.
  • Outbound internet access to your ACME server URL.
  • SeFlowSSL CaaS subscription with EAB credentials.
  • HTTP listener on port 80 for ACME validation.
  • In LiteSpeed WebAdmin, the listener on port 80 has its IP address set to ANY.

Step 1. Install acme.sh

Install acme.sh, the client that will handle SSL certificate issuance, installation, and renewal.

curl https://get.acme.sh | sh

Load the environment and verify the installation:

source ~/.bashrc
acme.sh --version

Tip: if installation fails, confirm that curl and git are installed. Rerun with --force if the installation was partially completed.

Step 2. Register your ACME account

Register the ACME client using the EAB credentials provided by SeFlowSSL CaaS.

acme.sh --register-account \
--server SERVER \
--eab-kid EAB_KID \
--eab-hmac-key EAB_HMAC_KEY \
--accountemail you@example.com

Replace these placeholders with your own values:

  • SERVER: ACME server URL provided by SeFlowSSL CaaS.
  • EAB_KID: External Account Binding Key ID.
  • EAB_HMAC_KEY: EAB HMAC key.
  • you@example.com: email address used for registration and notifications.

If the account is already registered for the same EAB credentials, acme.sh will reuse it.

Step 3. Issue the certificate in Webroot mode

Run the following command to issue the certificate using the webroot method.

acme.sh --issue \
-d yourdomain.com \
-w /path/to/webroot \
--server SERVER

To include the www hostname, add a second -d parameter.

acme.sh --issue \
-d yourdomain.com \
-d www.yourdomain.com \
-w /path/to/webroot \
--server SERVER

Replace these placeholders:

  • yourdomain.com: your real domain name.
  • /path/to/webroot: document root path of your website.
  • SERVER: SeFlowSSL CaaS ACME server URL.

If you see an unauthorized or not delegated error, confirm that the ACME URL and EAB credentials are correct.

Step 4. Install the SSL certificate in LiteSpeed

Create a dedicated directory for the certificate and private key.

mkdir -p /usr/local/lsws/conf/cert/yourdomain.com

Install the certificate and configure LiteSpeed to reload automatically after each renewal.

acme.sh --install-cert -d yourdomain.com \
--key-file /usr/local/lsws/conf/cert/yourdomain.com/yourdomain.com.key \
--fullchain-file /usr/local/lsws/conf/cert/yourdomain.com/yourdomain.com.crt \
--reloadcmd "/usr/local/lsws/bin/lswsctrl reload"

Replace yourdomain.com with the domain used for the SSL certificate.

LiteSpeed will reload automatically after each certificate renewal.

Step 5. Add the HTTPS listener on port 443

Access LiteSpeed WebAdmin and create an HTTPS listener.

  1. Go to WebAdmin.
  2. Open Listeners.
  3. Select Add.
  4. Set Listener Name to HTTPS.
  5. Set IP Address to ANY.
  6. Set Port to 443.
  7. Set Secure to Yes.

Step 6. Configure the SSL tab

In the SSL tab of the HTTPS listener, set:

  • Private Key File: /usr/local/lsws/conf/cert/yourdomain.com/yourdomain.com.key
  • Certificate File: /usr/local/lsws/conf/cert/yourdomain.com/yourdomain.com.crt

Step 7. Map the virtual host to the domain

In the HTTPS listener, map the virtual host to the configured domain.

  1. Open the HTTPS listener.
  2. Configure the virtual host mapping.
  3. Set the domain name or use * if required by your configuration.
  4. Save the changes.
  5. Restart LiteSpeed.

Step 8. Verify installation and automatic renewal

Visit the website over HTTPS and confirm:

  • The site loads over HTTPS.
  • The certificate is valid.
  • The certificate matches the domain.

Check the cron setup:

crontab -l

A typical entry looks like:

24 13 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Test renewal manually:

acme.sh --renew -d yourdomain.com --force
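
The checks in Step 8 can also be run from the shell against the files written in Step 4. The function below is an added example, not part of acme.sh or the original guide; the name check_cert, the 30-day default and the rule that the key must not be readable by group or others are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity checks for the key and full-chain files that
# `acme.sh --install-cert` writes in Step 4.
# Usage: check_cert KEY_FILE CERT_FILE DOMAIN [MIN_DAYS]
# Prints one FAIL line per problem; returns 0 only if every check passes.
check_cert() {
    key=$1; crt=$2; domain=$3; min_days=${4:-30}; rc=0

    # 1. Key and certificate must carry the same public key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=""
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL key-mismatch: $key does not belong to $crt"; rc=1
    fi

    # 2. The leaf certificate must cover the hostname (SAN, or CN as fallback).
    if ! openssl x509 -in "$crt" -noout -checkhost "$domain" 2>/dev/null |
            grep -q 'does match'; then
        echo "FAIL hostname: certificate does not cover $domain"; rc=1
    fi

    # 3. -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) \
            >/dev/null 2>&1; then
        echo "FAIL expiry: fewer than $min_days days of validity left"; rc=1
    fi

    # 4. The private key must not be accessible to group or others
    #    (characters 5-10 of the ls mode string).
    if [ "$(ls -ld "$key" 2>/dev/null | cut -c5-10)" != "------" ]; then
        echo "FAIL key-perms: $key is accessible to group/others"; rc=1
    fi
    return $rc
}

# Example call with the guide's placeholder paths:
# d=yourdomain.com
# check_cert /usr/local/lsws/conf/cert/$d/$d.key \
#            /usr/local/lsws/conf/cert/$d/$d.crt "$d" 30
```

Running it again after the forced renewal confirms that the renewed certificate and key were copied into place before the reload.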

Appendix. Verify HTTP listener and ACME path

For HTTP-01 validation, LiteSpeed must answer on port 80.

  1. Log in to LiteSpeed WebAdmin.
  2. Open Listeners.
  3. Open the Default listener.
  4. Confirm that the port is 80.
  5. Confirm that IP is set to ANY.
  6. Save and restart LiteSpeed.

Verify the ACME path by creating a test file:

cat /etc/lsb-release

cd /usr/local/lsws/Example/html
mkdir -p /usr/local/lsws/Example/html/.well-known/acme-challenge
echo "Welcome test" > /usr/local/lsws/Example/html/.well-known/acme-challenge/testfile

Verify with curl:

curl http://yourdomain.com/.well-known/acme-challenge/testfile

If you force HTTP to HTTPS redirects, add an exception so ACME files remain accessible over HTTP.

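RewriteEngine On
# Leave ACME HTTP-01 challenge files reachable over plain HTTP
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
# If HTTPS is not already on, redirect to HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]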
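
A forced redirect without that exception is easy to miss until a renewal fails, so the rule file can be checked ahead of time. The function below is an added example, not part of LiteSpeed, acme.sh or the original guide; check_acme_exception and the two sample functions are hypothetical names, and the sample rule sets are constructed.

```shell
#!/bin/sh
# Added example: flag HTTP->HTTPS redirects in an .htaccess file that would
# also redirect ACME HTTP-01 challenge requests.
# Simplifications: directive names are matched case-sensitively, [OR] flags
# are ignored, and commented-out directives never match because $1 differs.
# Usage: check_acme_exception FILE   (reads stdin when FILE is omitted)
check_acme_exception() {
    awk '
    $1 == "RewriteCond" {
        # A negated match on the challenge path exempts the next rule.
        if ($2 ~ /REQUEST_URI/ && $3 ~ /^!.*well-known\/acme-challenge/) exempt = 1
        next
    }
    $1 == "RewriteRule" {
        if ($2 ~ /well-known\/acme-challenge/ && $3 == "-" && $4 ~ /L/) {
            # Earlier pass-through rule: challenge requests stop here.
            passthru = 1
        } else if ($3 ~ /^https:\/\// && !exempt && !passthru) {
            printf "line %d: HTTPS redirect also catches /.well-known/acme-challenge/\n", NR
            bad = 1
        }
        exempt = 0      # RewriteCond lines apply only to the next RewriteRule
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: a redirect block without any exception.
sample_unsafe() {
    cat <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF
}

# Constructed sample: the same block with the challenge path excluded.
sample_safe() {
    cat <<'EOF'
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF
}
```

Run it as check_acme_exception /path/to/webroot/.htaccess; a non-zero exit status means at least one redirect rule would intercept the challenge path.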

Make sure port 80 is open in the operating system firewall, cloud security group, WAF, and CDN in front of the server.

Quick fixes

  • 404 on challenge file: recheck webroot path, permissions, .htaccess exception, and port 80 access.
  • Unauthorized / Not Delegated: verify the Sectigo ACME URL and the correct EAB credentials.
  • Webroot does not contain DNS: informational acme.sh message when using webroot, safe to ignore.
  • Port 80 blocked: verify with sudo lsof -i :80 and free the port.
  • Standalone mode conflicts: avoid --standalone while LiteSpeed is running, use --webroot instead.

Summary

The setup is complete.

  • ACME account registered with EAB credentials.
  • SSL certificate issued and installed.
  • LiteSpeed configured to reload after renewal.
  • Automatic renewal verified.

Your SSL certificates will now renew automatically with no manual intervention.
