How to Install an ACME SSL Certificate on LiteSpeed Using acme.sh?
With a LiteSpeed server without SSL, your website will be identified as “Not Secure” by browsers, and visitors will leave. This is the process of creating, installing, and auto-renewing an ACME SSL Certificate on LiteSpeed (OpenLiteSpeed or LiteSpeed Enterprise) with acme.sh and EAB credentials. If you miss a step, the certificate won’t be created or renewed, and you won’t get any warning.
Prerequisites
There are 6 things you need to set up to run a single command. Skipping out on the issuance of one block certificate altogether.
- You have LiteSpeed Web Server installed (OpenLiteSpeed or LiteSpeed Enterprise)
- Web server access via root account or “sudo” shell access to the server.
- A DNS A/AAAA record that maps your domain to this server’s IP address.
- Internet access from outside your network to your ACME server URL: (e.g., https://acme.sectigo.com/v2/DV or https://acme.digicert.com/v2/acme)
- You can configure EAB credentials from your Certificate Authority: EAB_KID and EAB_HMAC_KEY.
- The HTTP listener is configured in LiteSpeed WebAdmin (Listeners → Default → Port 80, IP = ANY). The HTTP listener is set up in LiteSpeed WebAdmin (Listeners → Default → Port 80, IP = ANY).
Port 80 is the most frequently overlooked. Both Sectigo and DigiCert use HTTP-01 validation, but port 80 has to be open for this. If a firewall, cloud security group, etc., denies the certificate challenge, the challenge will not begin at all.
Setting up acme.sh Client on your LiteSpeed Server
Step 1: Install acme.sh
acme.sh is the open-source ACME client that handles certificate issuance, installation, and auto-renewal on your behalf.
Run this single command to install it:
curl https://get.acme.sh | sh
Then load the environment and confirm the install:
source ~/.bashrc
acme.sh –version
Note: If the install fails, confirm that curl and git are both present on the system. Re-run with –force if a partial install is blocking the retry.
acme.sh installs to ~/.acme.sh/ by default and registers a cron job automatically. That cron job is what runs renewal 30 days before expiry. Without it, your certificates expire silently.
Step 2: Register your ACME Account
Registration links your “acme.sh” client to your Certificate Authority using EAB credentials. Without registration, certificate issuance is rejected.
Run this command:
acme.sh --register-account \
--server SERVER \
--eab-kid EAB_KID \
--eab-hmac-key EAB_HMAC_KEY \
--accountemail [email protected]
Replace the placeholders:
- SERVER – The ACME server URL provided by your Certificate Authority.
- EAB_KID – The External Account Binding Key ID provided by your CA.
- EAB_HMAC_KEY – The EAB HMAC Key provided by your CA.
- [email protected] – Your email address for account registration and notifications.
Step 3: Issue the Certificate
Certificate issuance is the step that contacts your CA, completes the HTTP-01 domain validation challenge, and retrieves the signed certificate files.
Run this command:
acme.sh --issue \
-d yourdomain.com \
-w /path/to/webroot \
--server SERVER
Replace:
- yourdomain.com: your actual domain
- /path/to/Webroot: the document root LiteSpeed serves (e.g., /usr/local/lsws/Example/html)
- SERVER: your CA’s ACME URL (e.g., https://acme.sectigo.com/v2/DV or https://acme.digicert.com/v2/acme)
To cover the www subdomain in the same certificate, add -d www.yourdomain.com to the command.
If you see “unauthorised” or “not delegated”: The most common cause is using the wrong ACME server URL or mismatched EAB credentials. Confirm that both match the subscription tied to your domain at your CA.
Step 4: Verify the ACME Challenge Path Is Reachable
Before issuing, confirm the challenge directory is accessible over HTTP. This prevents validation failures mid-issuance.
cd /usr/local/lsws/Example/html
mkdir -p .well-known/acme-challenge
echo "test" > .well-known/acme-challenge/testfile
curl http://yourdomain.com/.well-known/acme-challenge/testfile
If curl returns the word “test”, the path is reachable, and validation will succeed.
If you have an HTTPS redirect in .htaccess, add an exception so ACME files stay on HTTP:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
This exception prevents Sectigo’s validation bot from being redirected to HTTPS before it can complete the HTTP-01 challenge.
Step 5: Install the SSL Certificate
After issuance, the certificate files live inside acme.sh’s working directory. You install them into LiteSpeed’s config path and tell acme.sh to reload LiteSpeed automatically after every renewal.
Create the certificate directory:
mkdir -p /usr/local/lsws/conf/cert/yourdomain.com
Install the certificate and set the reload command:
acme.sh --install-cert -d yourdomain.com \
--key-file /usr/local/lsws/conf/cert/yourdomain.com/yourdomain.com.key \
--fullchain-file /usr/local/lsws/conf/cert/yourdomain.com/yourdomain.com.crt \
--reloadcmd "/usr/local/lsws/bin/lswsctrl reload"
The –reloadcmd flag is critical. It tells acme.sh to reload LiteSpeed every time the certificate renews. Without it, LiteSpeed keeps serving the old certificate even after renewal, and your site shows an “expired” warning.
If LiteSpeed doesn’t reload after renewal: Verify the path /usr/local/lsws/bin/lswsctrl exists and is executable. Also, check file ownership. The certificate directory and files must be readable by the LiteSpeed process user.
Add the HTTPS Listener on Port 443:
With the certificate files in place, point LiteSpeed’s HTTPS listener at them through WebAdmin.
- Open LiteSpeed WebAdmin at https://<YOUR-SERVER-IP>:7080
- Go to Listeners → Add
- Set the parameters:
Name: HTTPS
IP Address: ANY
Port: 443
Secure: Yes - Under the SSL tab, set:
Private Key File: /usr/local/lsws/conf/cert/yourdomain.com/yourdomain.com.key
Certificate File: /usr/local/lsws/conf/cert/yourdomain.com/yourdomain.com.crt - Map your virtual host (e.g., Example) to domain *
- Save and Restart LiteSpeed
If WebAdmin rejects the HTTPS listener, the most common cause is a wrong file path in the SSL tab. Double-check that both paths match exactly what was created above. Review /usr/local/lsws/logs/error.log for the specific rejection reason.
Step 6: Verify Installation & Auto-Renewal
acme.sh will renew certificates 30 days before expiration. Make sure the configuration is correct now to avoid certification expiration issues.
Make sure that HTTPS is active:
- Access the site, https://yourdomain.com, in a browser.
- Check that the padlock shows, there is a valid certificate, and that the domain name is correct.
- To receive a comprehensive report, use SSL Labs’ SSL Test from Qualys to test for chain completeness, protocol support, and cypher strength.
Make sure that the cron job is listed:
crontab -l
A healthy acme.sh cron entry is:
24 13 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
This operates on a 24/7 basis, but acme.sh only attempts to renew the certificate 30 days before it expires. All the other runs are executed in a silent manner.
Test renewal manually/immediately:
acme.sh --renew -d yourdomain.com --force
If manual renewal is successful, then this means all pipeline issuance, file installation, and LiteSpeed reloading are successful!
Conclusion
With “acme.sh”, it is possible to achieve the same secure and trusted website with ACME SSL certificate installation on LiteSpeed, while also ensuring the automation of certificate issuance, deployment, and renewal.
For trusted Automated SSL certificates for your website, reach out to us today to obtain the SSL certificate that fits your needs and receive professional help installing and configuring your SSL certificate.