Cert renew success but connection refused in openlitespeed + GCE

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ootede.com

I ran this command:
service lsws stop
certbot certonly
1

ootede.com

service lsws start

It produced this output: renew success

My web server is (include version): OpenLiteSpeed 1.7.16

The operating system my web server runs on is (include version): Ubuntu 20.04.5 LTS

My hosting provider, if applicable, is: Google Compute Engine

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): OpenLiteSpeed Admin Panel 1.7.16

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

After renewing the certificate, ports 80 & 443 suddenly refuse connections. I checked ufw status and the firewall config settings seem fine.

root@openlitespeed-awawtede-vm:/usr/local/lsws/conf# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere                  
80                         ALLOW IN    Anywhere                  
443                        ALLOW IN    Anywhere                  
80,443,7080,8088/tcp       ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  
22 (v6)                    ALLOW IN    Anywhere (v6)             
80 (v6)                    ALLOW IN    Anywhere (v6)             
443 (v6)                   ALLOW IN    Anywhere (v6)             
80,443,7080,8088/tcp (v6)  ALLOW IN    Anywhere (v6)             
443/tcp (v6)               ALLOW IN    Anywhere (v6)      

I checked my IP address and name server on ootede.com - Make your website better - DNS, redirects, mixed content, certificates and they also look fine.

When I run SSL Checker, it seems only my old certificate is working.

Additional information: I deleted several previous renewal certificates (following a lot of tutorials), and yet my connection to ootede.com has still been refused since the 1st renewal.

Here are my current renewal certificates (certbot certificates):

Found the following certs:
  Certificate Name: ootede.com
    Domains: ootede.com *.ootede.com
    Expiry Date: 2023-02-22 10:13:17+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/ootede.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ootede.com/privkey.pem

It is my 2nd day exploring possible solutions and I am stuck on this issue. Please enlighten me on how to fix this, as it is really frustrating me.

Welcome to the community @kemala

Your ports 80 and 443 are not open. It is possible there is a network config issue, but more often it is that your web server is not running properly.

The only reason your SSL Checker works is because it is showing you cached info. Look for this on that page:

These results were cached from November 22, 2022, 12:30 am PST to conserve server resources.

If you try Let's Debug or SSL Labs server test you will see connection to your site is not working.

Please show result of this command

ss -pant | grep -E ':80|:443' | grep -i listen
3 Likes
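As an added diagnostic (not part of this thread, and not OpenLiteSpeed or Certbot code), the following POSIX shell script parses `ss -pant` output and reports which of a set of expected ports have no LISTEN socket. The embedded sample output is constructed to resemble the situation described here (the server bound only to its admin port, nothing on 80 or 443); the function names are my own.

```shell
#!/bin/sh
# Added example: find expected TCP ports that have no listening socket.
# Input format is that of `ss -pant`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
# A header line (first field "State") is ignored by the LISTEN filter.

# Constructed sample, modelled on a host where the web server listens
# only on its admin port (7080) and nothing is bound to 80/443.
SAMPLE_SS_OUTPUT='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mariadbd",pid=1580,fd=25))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1564,fd=3))
LISTEN 0 4096 0.0.0.0:7080 0.0.0.0:* users:(("litespeed",pid=5582,fd=8),("litespeed",pid=5580,fd=8))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1564,fd=4))
ESTAB 0 0 10.0.0.5:22 203.0.113.7:51234 users:(("sshd",pid=2001,fd=4))'

# listening_ports: read ss output on stdin; print the distinct local port
# numbers in LISTEN state, one per line, numerically sorted.
# The port is the text after the last ':' so IPv6 ([::]:22) and
# scoped addresses (127.0.0.53%lo:53) are handled too.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# missing_ports "80 443": read ss output on stdin; print each expected
# port that has no LISTEN socket, one per line.
missing_ports() {
    expected="$1"
    have=$(listening_ports)
    for p in $expected; do
        printf '%s\n' "$have" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# check_sample: run the check over the constructed sample and return the
# missing ports as a single space-separated line.
check_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | missing_ports "80 443" | tr '\n' ' ' | sed 's/ $//'
}

# On a live host, replace the sample with real data:
#   ss -pant | missing_ports "80 443"
# An empty result means both ports have a listener; anything printed is a
# port the web server has not bound, which is what the thread observes.
```

The script only reads socket state and changes nothing, so it is safe to run as part of a post-renewal check before trusting an external scanner, whose results may be cached.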

As @MikeMcQ has stated your ports 80 and 443 are not open. Supporting supplemental information:

$ nmap ootede.com
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-25 17:40 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.18 seconds
bam@dc3217iye:~$ nmap -Pn ootede.com
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-25 17:41 UTC
Nmap scan report for ootede.com (34.143.213.214)
Host is up (0.0077s latency).
rDNS record for 34.143.213.214: 214.213.143.34.bc.googleusercontent.com
All 1000 scanned ports on ootede.com (34.143.213.214) are filtered

Nmap done: 1 IP address (1 host up) scanned in 22.19 seconds

Also, using https://crt.sh/, here is a list of issued certificates: crt.sh | ootede.com, the latest being 2022-11-24.

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

1 Like

Did it start?

2 Likes

Nope, not after having it not use cached information.

1 Like

Please run from the command line and share the output of
curl ifconfig.co
or/and
curl ifconfig.io

2 Likes

thank you for your reply

  1. I ran
    ss -pant | grep -E ':80|:443' | grep -i listen

and it displays nothing. Is there any additional info you need to analyze this issue?

  2. I am curious: is it possible that a cert renewal is able to disrupt the network config? I keep reading forum threads on both OpenLiteSpeed and Let's Encrypt but I found no similar issue.
1 Like

Thank you for the supplementary information.

In general, is certbot delete and/or certbot delete --cert-name example.com able to prevent caching after deletion, or does it just purely delete/detach the cert from these specific domains?

2 Likes

Yes, it starts, but the connection is still refused from browser/curl, and if I ping the domain it works.

I am working on resetting/tweaking the ufw tables but with no luck.

It is 34.143.213.214

1 Like

We should have a look at this file:
/usr/local/lsws/conf/httpd_config.xml

2 Likes

That confirms litespeed is not running properly. We should see it listening on those ports but did not. Please show the file requested by rg305.

Also, what does this show?

service lsws status

No, certbot certonly only gets a cert and does not modify anything. The exception is if you use a pre or post hook to make modifications. But then those are set up by you, not certbot.

3 Likes
#
# PLAIN TEXT CONFIGURATION FILE
#
# If not set, will use host name as serverName
serverName                
user                      www-data
group                     www-data
priority                  0
inMemBufSize              60M
swappingDir               /tmp/lshttpd/swap
autoFix503                1
gracefulRestartTimeout    300
mime                      conf/mime.properties
showVersionNumber         0
adminEmails               root@localhost

errorlog logs/error.log {
  logLevel                DEBUG
  debugLevel              0
  rollingSize             10M
  keepDays                1
  enableStderrLog         1
}

accesslog logs/access.log {
  rollingSize             10M
  keepDays                30
  compressArchive         0
}
#adminEmails                      root@localhost
indexFiles                index.html, index.php

expires  {
  enableExpires           1
  expiresByType           image/*=A2592000, text/css=A31536000, application/x-javascript=A31536000, application/javascript=A31536000, font/*=A31536000, application/x-font-ttf=A31536000
}

tuning  {
  maxConnections          10000
  maxSSLConnections       10000
  connTimeout             300
  maxKeepAliveReq         10000
  keepAliveTimeout        5
  sndBufSize              0
  rcvBufSize              0
  maxReqURLLen            32768
  maxReqHeaderSize        65536
  maxReqBodySize          2047M
  maxDynRespHeaderSize    32768
  maxDynRespSize          2047M
  maxCachedFileSize       4096
  totalInMemCacheSize     20M
  maxMMapFileSize         256K
  totalMMapCacheSize      40M
  useSendfile             1
  fileETag                28
  enableGzipCompress      1
  compressibleTypes       default
  enableDynGzipCompress   1
  gzipCompressLevel       6
  gzipAutoUpdateStatic    1
  gzipStaticCompressLevel 6
  brStaticCompressLevel   6
  gzipMaxFileSize         10M
  gzipMinFileSize         300

  quicEnable              1
  quicShmDir              /dev/shm
}

fileAccessControl  {
  followSymbolLink        1
  checkSymbolLink         0
  requiredPermissionMask  000
  restrictedPermissionMask 000
}

perClientConnLimit  {
  staticReqPerSec         0
  dynReqPerSec            0
  outBandwidth            0
  inBandwidth             0
  softLimit               10000
  hardLimit               10000
  gracePeriod             15
  banPeriod               300
}

CGIRLimit  {
  maxCGIInstances         20
  minUID                  11
  minGID                  10
  priority                0
  CPUSoftLimit            10
  CPUHardLimit            50
  memSoftLimit            1460M
  memHardLimit            1470M
  procSoftLimit           400
  procHardLimit           450
}

accessDenyDir  {
  dir                     /
  dir                     /etc/*
  dir                     /dev/*
  dir                     conf/*
  dir                     admin/conf/*
}

accessControl  {
  allow                   ALL, 54.252.210.186T, 35.178.212.86T, 13.233.85.71T, 37.120.131.40T, 5.134.119.194T
}

extprocessor lsphp {
  type                    lsapi
  address                 uds://tmp/lshttpd/lsphp.sock
  maxConns                10
  env                     PHP_LSAPI_CHILDREN=10
  env                     LSAPI_AVOID_FORK=200M
  initTimeout             60
  retryTimeout            0
  persistConn             1
  respBuffer              0
  autoStart               1
  path                    lsphp81/bin/lsphp
  backlog                 100
  instances               1
  priority                0
  memSoftLimit            2047M
  memHardLimit            2047M
  procSoftLimit           1400
  procHardLimit           1500
}

scripthandler  {
  add                     lsapi:lsphp php
}

railsDefaults  {
  maxConns                1
  env                     LSAPI_MAX_IDLE=60
  initTimeout             60
  retryTimeout            0
  pcKeepAliveTimeout      60
  respBuffer              0
  backlog                 50
  runOnStartUp            3
  extMaxIdleTime          300
  priority                3
  memSoftLimit            2047M
  memHardLimit            2047M
  procSoftLimit           500
  procHardLimit           600
}

wsgiDefaults  {
  maxConns                5
  env                     LSAPI_MAX_IDLE=60
  initTimeout             60
  retryTimeout            0
  pcKeepAliveTimeout      60
  respBuffer              0
  backlog                 50
  runOnStartUp            3
  extMaxIdleTime          300
  priority                3
  memSoftLimit            2047M
  memHardLimit            2047M
  procSoftLimit           500
  procHardLimit           600
}

nodeDefaults  {
  maxConns                5
  env                     LSAPI_MAX_IDLE=60
  initTimeout             60
  retryTimeout            0
  pcKeepAliveTimeout      60
  respBuffer              0
  backlog                 50
  runOnStartUp            3
  extMaxIdleTime          300
  priority                3
  memSoftLimit            2047M
  memHardLimit            2047M
  procSoftLimit           500
  procHardLimit           600
}

module cache {
  internal                1
module cache {

storagePath $VH_ROOT/lscache
checkPrivateCache   1
checkPublicCache    1
maxCacheObjSize     10000000
maxStaleAge         200
qsCache             1
reqCookieCache      1
respCookieCache     1
ignoreReqCacheCtrl  1
ignoreRespCacheCtrl 0

enableCache         0
expireInSeconds     3600
enablePrivateCache  0
privateExpireInSeconds 3600
  ls_enabled              1
}

virtualhost Example {
  vhRoot                  Example/
  configFile              conf/vhosts/Example/vhconf.conf
  allowSymbolLink         1
  enableScript            1
  restrained              1
  setUIDMode              0
}

virtualhost wordpress {
  vhRoot                  /var/www/html
  configFile              /usr/local/lsws/conf/vhosts/wordpress/vhconf.conf
  allowSymbolLink         1
  enableScript            1
  restrained              0
  setUIDMode              2
}

listener Default {
  address                 *:8088
  secure                  0
  map                     Example *
}

listener wordpress {
  address                 *:80
  secure                  0
  map                     wordpress *, ootede.com, www.ootede.com
}

listener wordpressssl {
  address                 *:443
  secure                  1
  keyFile                 /etc/letsencrypt/live/ootede.com/privkey.pem
  certFile                /etc/letsencrypt/live/ootede.com/fullchain.pem
  certChain               1
  sslProtocol             28
  map                     wordpress *, ootede.com, www.ootede.com
}

vhTemplate centralConfigLog {
  templateFile            conf/templates/ccl.conf
  listeners               Default
}

vhTemplate EasyRailsWithSuEXEC {
  templateFile            conf/templates/rails.conf
  listeners               Default
}

service lsws status

lshttpd.service - OpenLiteSpeed HTTP Server
     Loaded: loaded (/etc/systemd/system/lshttpd.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2022-11-26 05:56:37 UTC; 9h ago
    Process: 5060 ExecStart=/usr/local/lsws/bin/lswsctrl start (code=exited, status=0/SUCCESS)
   Main PID: 5580 (litespeed)
     CGroup: /system.slice/lshttpd.service
             ├─5580 openlitespeed (lshttpd - main)
             ├─5581 openlitespeed (lscgid)
             └─5582 openlitespeed (lshttpd - #01)

Nov 26 05:56:34 openlitespeed-awawtede-vm systemd[1]: Starting OpenLiteSpeed HTTP Server...
Nov 26 05:56:34 openlitespeed-awawtede-vm lswsctrl[5060]: [OK] Send SIGUSR1 to 4874
Nov 26 05:56:37 openlitespeed-awawtede-vm systemd[1]: Started OpenLiteSpeed HTTP Server.
1 Like

Can you show this? Would like to see what, if anything, is listening (not just 80,443).

ss -pant | grep -i listen
3 Likes

it shows:

LISTEN     0       80                127.0.0.1:3306               0.0.0.0:*      users:(("mariadbd",pid=1580,fd=25))                                            
LISTEN     0       128                 0.0.0.0:20202              0.0.0.0:*      users:(("fluent-bit",pid=1231,fd=205))                                         
LISTEN     0       100               127.0.0.1:11211              0.0.0.0:*      users:(("lsmcd",pid=1591,fd=22),("lsmcd",pid=1590,fd=22),("lsmcd",pid=1589,fd=22),("lsmcd",pid=1588,fd=22),("lsmcd",pid=1587,fd=22),("lsmcd",pid=653,fd=22))
LISTEN     0       511               127.0.0.1:6379               0.0.0.0:*      users:(("redis-server",pid=748,fd=6))                                          
LISTEN     0       4096          127.0.0.53%lo:53                 0.0.0.0:*      users:(("systemd-resolve",pid=529,fd=13))                                      
LISTEN     0       128                 0.0.0.0:22                 0.0.0.0:*      users:(("sshd",pid=1564,fd=3))                                                 
LISTEN     0       100                 0.0.0.0:25                 0.0.0.0:*      users:(("master",pid=1515,fd=13))                                              
LISTEN     0       4096                0.0.0.0:7080               0.0.0.0:*      users:(("litespeed",pid=5582,fd=8),("litespeed",pid=5580,fd=8))                
LISTEN     0       4096                      *:20201                    *:*      users:(("otelopscol",pid=1253,fd=7))                                           
LISTEN     0       128                    [::]:22                    [::]:*      users:(("sshd",pid=1564,fd=4))                                                 
LISTEN     0       100                    [::]:25                    [::]:*      users:(("master",pid=1515,fd=14))

Thanks. Do you know why litespeed is listening on port 7080?

Notice the main pid from the earlier status display was 5580 and it is only listening on 7080.

The lsws config file you showed doesn't mention that port.

3 Likes
Thanks. Do you know why litespeed is listening on port 7080?

That port is the default for accessing the OLS admin panel.

Notice the main pid from the earlier status display was 5580 and it is only listening on 7080

The lsws config file you showed doesn't mention that port.

Can I send you a private message for a private question?

Yes, sure.

3 Likes

Just noting problem not resolved privately. Still looking for help to sort this out. I am out of ideas for now.

3 Likes