Browsers not picking up new SSL certificate

No, the automation should have taken care of this...
We must have missed something.

This does seem to be the problem now:

That is the way it should be done.
Crontab generically triggers certbot to renew, then certbot renews each cert individually paying close attention to their specific requirements during each renewal process (&pre &post).

We need to test/fix the script "/usr/local/lsws/bin/lswsctrl reload" or find a better one.

2 Likes

Is it possible that it has something to do with the user and permissions? I tried running just that line /usr/local/lsws/bin/lswsctrl reload and it gave me the following output:

/usr/local/lsws/bin/lswsctrl: 257: /usr/local/lsws/bin/lswsctrl: cannot create /usr/local/lsws/bin/../logs/lsrestart.log: Permission denied
/usr/local/lsws/bin/lswsctrl: 258: /usr/local/lsws/bin/lswsctrl: cannot create /usr/local/lsws/bin/../logs/lsrestart.log: Permission denied
[ERROR] litespeed is not running.

When I run the same line as root user, sudo /usr/local/lsws/bin/lswsctrl reload, it appears to work just fine. Output is:

[OK] Send SIGUSR1 to 24399

and checking the log in /usr/local/lsws/logs/lsrestart.log it shows that it worked.

2 Likes

Yes that does seem to be a permissions thing.

2 Likes

Just to document my attempts at fixing this, I just ran the following command to change the deploy-hook.

sudo certbot certonly --webroot -w /var/www/html -d "vestasit.com,www.vestasit.com" --deploy-hook "service lsws restart"

This updated my certificates and /etc/letsencrypt/renewal/vestasit.com.conf but once again I have no values under the webroot_map.

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/vestasit.com
cert = /etc/letsencrypt/live/vestasit.com/cert.pem
privkey = /etc/letsencrypt/live/vestasit.com/privkey.pem
chain = /etc/letsencrypt/live/vestasit.com/chain.pem
fullchain = /etc/letsencrypt/live/vestasit.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 1812750b834e59f2737f09ac1728fe0d
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/html,
renew_hook = service lsws restart
[[webroot_map]]

Following this, sudo certbot renew --dry-run was successful. I'm going to modify the config file to reduce the amount of time before the certificates renew to see if this will run on its own. I have little hope seeing as the webroot_map is empty and I don't know how to fix that. But I will try to keep this updated in case anyone else is having similar issues.

2 Likes

webroot_path and webroot_map are alternatives where webroot_map allows you to specify a different path for different domain names that are covered within the same certificate. However, webroot_path is fine when all of them are found at the same location, which is probably true for your single site.

3 Likes
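An added example, not posted by anyone in this thread: a certbot deploy hook that fails early when it is not running as root (the cause of the "Permission denied" output above), reloads LiteSpeed with lswsctrl, and then checks that the certificate actually served for each renewed name matches the one certbot just installed, which is what the browser-side symptom in the title comes down to. It assumes the lswsctrl path from the thread and the RENEWED_LINEAGE / RENEWED_DOMAINS variables certbot exports to deploy hooks; openssl must be on PATH.

```shell
#!/bin/sh
# Added example deploy hook for certbot; assumes the lswsctrl path used in
# the thread and the RENEWED_LINEAGE / RENEWED_DOMAINS env vars certbot sets.
set -u

LSWSCTRL="${LSWSCTRL:-/usr/local/lsws/bin/lswsctrl}"

log() { printf '%s deploy-hook: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >&2; }

# lswsctrl must write logs/lsrestart.log, which only root may do, so refuse
# to continue as an unprivileged user instead of failing half-way.
require_root() { [ "$(id -u)" -eq 0 ]; }

# SHA-256 fingerprint of the certificate certbot just installed on disk.
file_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate the server presents for a name.
served_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# True only when both fingerprints are present and identical.
fingerprints_match() { [ -n "$1" ] && [ "$1" = "$2" ]; }

main() {
  require_root || { log "must run as root, not $(id -un)"; return 1; }
  "$LSWSCTRL" reload || { log "lswsctrl reload failed"; return 1; }
  expected=$(file_fingerprint "$RENEWED_LINEAGE/fullchain.pem")
  status=0
  for name in $RENEWED_DOMAINS; do
    # Compare what is served after the reload with what was installed.
    if fingerprints_match "$expected" "$(served_fingerprint "$name")"; then
      log "$name serves the renewed certificate"
    else
      log "$name still serves an old certificate; the reload did not take"
      status=1
    fi
  done
  return "$status"
}

# certbot exports RENEWED_LINEAGE to deploy hooks; only run in that context.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Install it with `--deploy-hook /path/to/this-script` (or in renewal-hooks/deploy) and run `certbot renew --dry-run` as root to exercise it.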

OH MY, it seems to have worked! My certificate renewed AND the server restarted and the new cert was picked up by browsers! This is the first time in over a year that it has all worked!

Thank you to all who helped me!

I'm going to switch the config file back to renewing within 30 days of expiration and hopefully it will work again in another 60 days.

3 Likes