Letsencrypt w certbot, http not secured

Hello, community

I installed letsencrypt SSL certificate to my domain with certbot. I used this command:

certbot certonly --non-interactive --agree-tos -m MyEmail@gmail.com --webroot -w /usr/local/lsws/mydomainname.com/html/ -d mydomainname.com -d www.mydomainname.com

Now when I open my site with https:// it says I have an SSL certificate from letsencrypt, but when I open just http:// it says connection is unsecured, i.e. I don't have an SSL certificate.

Please help me make it so that when someone opens http they get redirected to the secured version - httpS

Thank You!

My domain is:

I ran this command:
certbot certonly --non-interactive --agree-tos -m MyEmailHere@gmail.com --webroot -w /usr/local/lsws/MyDomainName.com/html/ -d MyDomainName -d MyDomainName.com

It produced this output:

My web server is (include version): LiteSpeed/1.7.19 Open (BUILD built: Mon Feb 5 23:11:12 UTC 2024)

The operating system my web server runs on is (include version): Ubuntu 22.04.3 LTS

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, I don't use a control panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

The redirect for HTTP is configured in LiteSpeed. It is not an issue with your Let's Encrypt cert. Your best source for advice is probably the LiteSpeed forum. Maybe even this thread there which Google found. Just search their forum if this thread does not help.

5 Likes

Either:

  • you did a bad job of obfuscating that part
  • you used an entry that is not a valid FQDN

That is expected.
You may need to read about the differences between HTTP and HTTPS [and how to properly secure a website].

In short: HTTP is insecure [and will always be insecure]
HTTPS is not a modification to HTTP.
HTTPS is a replacement to HTTP [and both services can, and usually do, exist within the same system].
As @MikeMcQ suggests, you simply need to redirect all HTTP requests to the new HTTPS service.

[Wow! That was "short"? - LOL]

4 Likes

All good, I got http to redirect to https.

Now that the certificate needs renewal every 3 months, I added this code to crontab, to auto check and renew the certificate every day at 1 AM:

0 1 * * * certbot renew --quiet --post-hook "systemctl restart lsws"

But it goes on to renew all my domains. How to make the command to renew only a specific domain name?

Also is it wrong that it restarts LSWS every time? Should I make it without restarting it? And how would that be?

Thanks!

It is supposed to renew only those within 30 days of expiration.

You normally want to add some randomness to the time, rather than placing it exactly on an hour. Running it twice a day, not just once, is standard.

Yes. You only need to restart after you obtain a new certificate. Use a --deploy-hook instead.

3 Likes

Thanks, linkp

So is this a good alternative:

0 */12 * * * certbot renew --quiet --deploy-hook

No, for a couple reasons. Please don't use '0' as the minute. See this Let's Encrypt FAQ Answer about this. And this Certbot cron recommendation (link here)

This is the other issue. The renew does renew all your domains and it is best to avoid any options on the renew command for this reason.

Instead, you should have re-issued the original command for this domain and added the --deploy-hook to that command. This would update your renewal conf profile for just this cert. The renew command uses those profile settings for each cert so the deploy-hook would run just when renewing that specific cert.

Your renewal conf files are in /etc/letsencrypt/renewal and are shown by

sudo certbot certificates

It is possible to renew a single domain and this is often helpful in testing with the --dry-run option. But, it is not the best practice for routine production renewal. To renew a single cert you use the --cert-name option. See the Certbot docs for details.

4 Likes
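Added example (not from the thread or from Certbot itself): a shell function that reports which hooks are saved in a renewal profile under /etc/letsencrypt/renewal, so you can confirm that re-issuing with --deploy-hook was recorded for that one certificate. It assumes Certbot stores --deploy-hook as renew_hook and --post-hook as post_hook in the [renewalparams] section; the function names and the sample profile are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: show which hooks are saved in a Certbot renewal profile.
# Assumption: --deploy-hook is saved as "renew_hook" and --post-hook as
# "post_hook" in the [renewalparams] section of the profile.

# hooks_in_profile FILE -> prints "deploy=<cmd>" / "post=<cmd>", or "none"
hooks_in_profile() {
  awk '
    /^\[/ { in_params = ($0 == "[renewalparams]"); next }
    in_params && /^renew_hook[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print "deploy=" $0; n++ }
    in_params && /^post_hook[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); print "post=" $0; n++ }
    END { if (!n) print "none" }
  ' "$1"
}

# Constructed sample profile (domain and paths are placeholders).
sample_profile() {
  cat <<'EOF'
# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = webroot
renew_hook = systemctl restart lsws
[[webroot_map]]
example.com = /usr/local/lsws/example.com/html
EOF
}

# Demo on the constructed sample; on a real host, loop over
# /etc/letsencrypt/renewal/*.conf instead.
demo_profile=$(mktemp)
sample_profile > "$demo_profile"
echo "sample profile: $(hooks_in_profile "$demo_profile")"
rm -f "$demo_profile"
```

A profile that prints "none" or only "post=" has no per-certificate deploy hook saved, so nothing restarts the web server when that certificate alone is renewed.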

Thank you, MikeMcQ

What would be the correct command to add to crontab?

Or better yet how do I tell if Certbot has automatic renewals preconfigured?
If it does, then I don't need to do the crontab edit.

1 Like

That question was already answered:

4 Likes

How to be sure that the automatic certificates renewal process is correctly set?

1 Like

certbot renew --dry-run

4 Likes

This is the output of the dry run


Processing /etc/letsencrypt/renewal/mydomain.com.conf


Simulating renewal of an existing certificate for mydomain.com and www.mydomain.com

Is it set to auto renew now?

Do you have a cron job or systemd.timer configured to run certbot renew twice a day?

3 Likes

This is what I have in crontab

0 1 * * * certbot renew --quiet --post-hook "systemctl restart lsws"

Are you going to apply the earlier suggestions about not using the top of the hour and switching the --post-hook to a --deploy-hook?

4 Likes

2 */12 * * * certbot renew --quiet --deploy-hook

like that?

The link about configuring cron suggested:

I would start with that and then add your flags afterward.

You don't want to remove the payload from your hook if you expect it to run the command when relevant.

3 Likes

I ran this command line

SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}'); echo "0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

Is it now configured to auto renew? I am a bit lost here

How can anyone answer that when you haven't shown us your actual cron job?

4 Likes

This is what I have in /etc/crontab

0 0,12 * * * root sleep 2466 && certbot renew -q
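Added example (not part of any post above, and not Certbot's own tooling): a small shell check that applies the scheduling and hook advice given in this thread to each cron line that was posted. The function name and finding labels are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: check a certbot cron line against the advice in this thread.
# Findings:
#   top-of-hour            minute is 0 and there is no sleep delay before certbot
#   once-a-day             hour field is a single number (thread: run twice a day)
#   post-hook              uses --post-hook (thread: use --deploy-hook instead)
#   deploy-hook-no-command --deploy-hook is given without the command to run

# lint_cron_line LINE -> prints comma-separated findings, or "ok"
lint_cron_line() {
  printf '%s\n' "$1" | awk '
    function add(f) { out = (out == "" ? f : out "," f) }
    {
      out = ""
      if ($1 == "0" && $0 !~ /sleep [0-9]+/) add("top-of-hour")
      if ($2 ~ /^[0-9]+$/)                    add("once-a-day")
      if ($0 ~ /--post-hook/)                 add("post-hook")
      if ($0 ~ /--deploy-hook[ \t]*$/ || $0 ~ /--deploy-hook[ \t]+-/)
        add("deploy-hook-no-command")
      print (out == "" ? "ok" : out)
    }'
}

# The four cron lines posted in this thread, in order.
thread_lines() {
  cat <<'EOF'
0 1 * * * certbot renew --quiet --post-hook "systemctl restart lsws"
0 */12 * * * certbot renew --quiet --deploy-hook
2 */12 * * * certbot renew --quiet --deploy-hook
0 0,12 * * * root sleep 2466 && certbot renew -q
EOF
}

thread_lines | while IFS= read -r l; do
  printf '%-40s <- %s\n' "$(lint_cron_line "$l")" "$l"
done
```

"ok" on the last line covers only the schedule: that line carries no hook, so restarting lsws after a renewal depends on a deploy hook saved in the certificate's renewal profile, as suggested earlier in the thread.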