How to fix letencrypt's "domain.com inaccessible, please verify" issue?

[techaddict]

I have pointed the domain to digital ocean wp openlitespeed droplet but I get this error when I try to install letsencrypt

"Do you wish to issue a Let's encrypt certificate for this domain? [y/N]y
domain.com inaccessible, please verify." (domain = my domain changed it here)

I even bypassed cloudflare's privacy. My server IP is visible via DNS everywhere. I have set IP via A records.

Can one say how to fix this issue?

 

[Unique_Eric]

Hi @techaddict ,

If you visit IP directly on browser, can you see anything?

Best

 

[Unique_Eric]

LiteSpeed's Images have all been updated and published on DigitalOcean's Marketplace.
The updates include the latest version and a patch for the Intel CPU MDS vulnerability issue.
If you previously encountered a WordPress 404 issue, please launch and try again. Thank you.

 

[Shuii]

Hello,
I am having the same issue. I can actually access the site by both IP and domain name, but the prompt to set domain pops up every time I ssh in to a new session. It fails identically to OP, however. I just created the droplet yesterday, so I believe I am using the most recent version. Any advice @Unique_Eric ?

 

[Shuii]

Ah, I have just figured out my error. I was typing 'www.mydomain.com', but it worked as soon as I tried just 'mydomain.com'
cheers!

 

[Unique_Eric]

No problem, if your domain not support www, then you should just use mydomain.com only.
Feel free to open new post with new issues.

 

[Shigaev]

Same problem. I try to enter my site using any syntax (http, https, www, without www ...), but I always get an error:

"Connection is not secure
Attackers may try to steal your data from shigaev.com (for example, passwords, messages or bank card numbers).
NET :: ERR_CERT_AUTHORITY_INVALID "

However, I can log in using IP. In this case, everything works.

Could you help me in solving this problem?

P.S. hmmm... A little later I tried to refuse SSL during installation. But the problem has remained the same.

 

[Unique_Eric]

Hi @Shigaev ,

Please clarify if you have
1. Pointing your domain to the server?
2. Using the auto setup script to add the domain?
3. Did you apply for the Let's encrypt during the script?

By default image will auto add the server IP to the listener only, that's why you can access with IP.

Best

 

[Shigaev]

1. I entered my domain name with "www".
2. To add a domain, I used a DigitalOcean droplet "OpenLiteSpeed WordPress" and its script proposed to me in SSH.
3. I agreed with the proposal to enable Let's Encrypt while the script is running. But was refused.

A few minutes ago I checked the site’s work from a mobile phone - the site was available. As expected - without a secure protocol.

Can you help me by suggesting what I should do to activate Let's Encrypt and get rid of the "NET :: ERR_CERT_AUTHORITY_INVALID" problem in my browsers on my home computer?

 

[Unique_Eric]

Will DM you

 

[artick95]

Ah, I have just figured out my error. I was typing 'www.mydomain.com', but it worked as soon as I tried just 'mydomain.com'
cheers!

Just solved the problem with this tip.
But now I get a warning when I visit the site saying that the name of the website and the certificate name's does not correspond.
What can I do?

 

[artick95]

I solved by following the documentation on the ssl manually rechanging

 

[strunk]

Litespeed sounds like an oxymoron since I cannot get past the Let's Encrypt error

"Do you wish to issue a Let's encrypt certificate for this domain? [y/N]y
domain.com inaccessible, please verify." (domain = my domain changed it here)

 

[Unique_Eric]

It maybe take a while to update the DNS after pointing the domain to the new server/IP.
@strunk let us know if you need any help to verify why domain failed to access.

 

[FDisk]

Do you wish to issue a Let's encrypt certificate for this domain? [y/N] y
[OK] ekapines.lt is accessible.
[OK] www.ekapines.lt is accessible.
Please enter your E-mail: ***@gmail.com
The E-mail you entered is: ***@gmail.com
Please verify it is correct: [y/N] y
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ekapines.lt
http-01 challenge for www.ekapines.lt
Using the webroot path /usr/local/lsws/Example/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ekapines.lt (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge "****" != "Hello World! From OpenLiteSpeed NodeJS", www.ekapines.lt (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge "****" != "Hello World! From OpenLiteSpeed NodeJS"

IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: ekapines.lt
   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge
   "****"
   != "Hello World! From OpenLiteSpeed NodeJS"

   Domain: www.ekapines.lt
   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge
   "***"
   != "Hello World! From OpenLiteSpeed NodeJS"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
Oops, something went wrong...

and if i check lestencrypt logs i see the same

2020-02-16 19:58:00,884:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/*** HTTP/1.1" 200 1053
2020-02-16 19:58:00,885:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 16 Feb 2020 19:58:00 GMT
Content-Type: application/json
Content-Length: 1053
Connection: keep-alive
Boulder-Requester: 78326959
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: ***
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.ekapines.lt"
  },
  "status": "invalid",
  "expires": "2020-02-23T19:57:56Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "The key authorization file from the server did not match this challenge \"***\" != \"Hello World! From OpenLiteSpeed NodeJS\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/***/***",
      "token": "***",
      "validationRecord": [
        {
          "url": "http://www.ekapines.lt/.well-known/acme-challenge/***",
          "hostname": "www.ekapines.lt",
          "port": "80",
          "addressesResolved": [
            "35.207.71.7"
          ],
          "addressUsed": "35.207.71.7"
        }
      ]
    }
  ]
}
2020-02-16 19:58:00,885:DEBUG:acme.client:Storing nonce: ***
2020-02-16 19:58:00,886:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: ekapines.lt
Type:   unauthorized
Detail: The key authorization file from the server did not match this challenge "***" != "Hello World! From OpenLiteSpeed NodeJS"

Im using google cloud platform and installed using template. As i understand all links are pointing to the same Hello World message and letsencrypt cant verify owner of request

 

[Unique_Eric]

Hi @FDisk ,

Thanks for the bug report, I will look into this.

 

[Unique_Eric]

Hi @FDisk ,

Can you try to update the /.well-known/ context's Location from /usr/local/lsws/Example/html/ to /usr/local/lsws/Example/html/.well-known/
See if it helps? You can update it either via web admin or console to /usr/local/lsws/conf/vhosts/Example/vhconf.conf

And make sure you have a `/.well-known/` folder under the /usr/local/lsws/Example/html/

You can also launch it again from marketplace and it should works.

Best

 

[Joe_frooney]

Working with a droplet on Digital Ocean and failing out. The site is accessible by IP, but get a privacy error from the actual domain name. The A records are all updated and verified.

Domain has been added into OpenLiteSpeed listener.

Do you wish to issue a Let's encrypt certificate for this domain? [y/N] y

****.com is inaccessible, please verify!

 

[Unique_Eric]

Hi @Joe_frooney ,

This function https://github.com/litespeedtech/ls-cloud-image/blob/master/Setup/domainsetup.sh#L152-L167 will check if domain accessible first, then do the Let's encrypt apply to avoid you hitting the Let's encrypt limit.
Could you share me the domain that you want to apply so I can see if there's anything special on it.

Best,
Eric

 

[benjaminglatzeder]

I also repeatedly ran into this issue. I made sure that the firewall on Ubuntu 18.04 is stopped

sudo ufw disable
# installed all necessary packages for certbot to run
sudo certbot certonly --webroot
# entered domain lister.lister-studios.com
# entered path /usr/local/lsws/lister/html/

Attached is the debug log from letsencrypt. Any pointers are greatly appreciated!