The Certificate Authority failed to download the temporary challenge files created by Certbot

I'm trying to run my Next.js app on my Hostinger VPS with OpenLiteSpeed with the Node.js package installed. This morning I changed the DNS A record of my domain to the IPv4 address of the VPS. I also changed the domain of the machine inside Hostinger.
I have two different web hosts on this machine, one on ports 80 and 443 and one on port 4000, and I want to be able to access both of them with HTTPS. Here is the info about my issue.
My domain is: api.woocrypt.com

I ran this command: certbot certonly

It produced this output: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: api.woocrypt.com
Type: unauthorized
Detail: 153.92.223.210: Invalid response from http://api.woocrypt.com/.well-known/acme-challenge/voJ-_od6vtK1TZfBVB9oQGeO9BetWKtgqW4SlmVkHxQ: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

My web server is (include version): OpenLiteSpeed

The operating system my web server runs on is (include version): Ubuntu with node.js

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Let's Debug result: Let's Debug

Hi @T-m-A-r-K-y, and welcome to the LE community forum :slight_smile:

Do you use/need port 80 for this:

x-powered-by: Next.js
server: LiteSpeed

If not, you could use that port solely for ACME challenge requests.
If you do, then you will have to validate the webroot used:

2 Likes

It's not necessary, but I would like to use both 80 and 443 for the Next.js app.
Anyway, can you explain how I could do that?

Do which?

If you mean use port 80 solely for ACME challenges:

  • don't use HTTP in LiteSpeed/Next.js
  • then use: certbot certonly --standalone
    and for renewals: certbot renew

If you mean: How can you validate the webroot used?:

  • place a test text file in the expected challenge location
  • check if it can be directly accessed from the Internet
    http://api.woocrypt.com/.well-known/acme-challenge/TestFile
2 Likes
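A scripted version of the webroot check described above (an added example, not code from the thread or from Certbot): it drops a random token file under the webroot's .well-known/acme-challenge/ directory, fetches it back through the public URL, compares the body, and reports the response time, since a slow answer was also observed in this thread. The webroot path and domain in the main guard are the ones from this thread; the function name and report format are assumptions.

```python
import os
import secrets
import time
import urllib.error
import urllib.request

CHALLENGE_SUBDIR = os.path.join(".well-known", "acme-challenge")


def check_webroot(webroot, base_url, timeout=30):
    """Write a random token under <webroot>/.well-known/acme-challenge/ and
    fetch it via <base_url>/.well-known/acme-challenge/<name>, as the CA would.

    Returns a dict: ok (bool), status (int or None), elapsed (seconds),
    path (file written, removed afterwards) and detail (reason on failure).
    """
    challenge_dir = os.path.join(webroot, CHALLENGE_SUBDIR)
    os.makedirs(challenge_dir, exist_ok=True)  # certbot creates this too (as root)
    name = "probe-" + secrets.token_urlsafe(16)  # unguessable, like a real token
    body = secrets.token_urlsafe(32)
    path = os.path.join(challenge_dir, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + name
    result = {"ok": False, "status": None, "elapsed": 0.0, "path": path, "detail": ""}
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            result["status"] = getattr(resp, "status", None) or 200  # file:// has no code
            fetched = resp.read().decode("ascii", "replace")
        result["ok"] = fetched.strip() == body
        if not result["ok"]:
            result["detail"] = "served a different body (wrong vhost or webroot?)"
    except urllib.error.HTTPError as exc:
        # 404 here is exactly what the CA reported in the original post
        result["status"] = exc.code
        result["detail"] = "HTTP %d: vhost document root does not match -w" % exc.code
    except (urllib.error.URLError, OSError) as exc:
        result["detail"] = "fetch failed: %s" % exc
    finally:
        result["elapsed"] = time.monotonic() - start
        os.remove(path)  # leave nothing behind in the challenge directory
    if result["ok"] and result["elapsed"] > 10:
        result["detail"] = "slow response (%.1fs); the CA may time out" % result["elapsed"]
    return result


if __name__ == "__main__":
    # Values from this thread: webroot the poster found, and the domain being validated.
    print(check_webroot("/usr/local/lsws/WooCrypt/html/", "http://api.woocrypt.com"))
```

Run it as root so the file can be created where certbot would put it; a 404 in the output means the URL is served from a different document root than the one given to -w.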

As an alternate option [which I would not recommend]:

  • shutdown the HTTP web server
  • run: certbot certonly --standalone
  • restart the HTTP web server

The good news for this method is that all three steps can be automated by certbot while using hooks.
So that certbot renew will take the steps to stop/start the web server for you.

2 Likes

Placed the text file and I can access it


OMG, it took 18 seconds to get the response:

curl http://api.woocrypt.com/.well-known/acme-challenge/TestFile
test
1 Like

What is the actual path to that file?

1 Like

Ok... that's weird. I had to restart OpenLiteSpeed but...

/usr/local/lsws/WooCrypt/html/.well-known/acme-challenge/TestFile

OK, it's faster now :slight_smile:

1 Like

Try:
certbot certonly --webroot -w /usr/local/lsws/WooCrypt/html/ -d api.woocrypt.com

1 Like

Everything from /.well-known didn't exist before, I just created the folders.

1 Like

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/api.woocrypt.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/api.woocrypt.com/privkey.pem
This certificate expires on 2024-01-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Ok, it works. Now I'll try to set these up, I'll let you know.

1 Like

I think the hitch was one of:

  • you didn't type in the webroot path correctly:
    /usr/local/lsws/WooCrypt/html/
  • certbot wasn't able to create the .well-known/acme-challenge/ path
    [unlikely; As certbot runs as root]

In any case, it should renew without fail now :slight_smile:

2 Likes

Firstly thanks, you really helped me.
Now it works perfectly on port 443 to access the Next.js app, but if I try to access 7080 (OpenLiteSpeed WebAdmin) Chrome freaks out telling me it's a dangerous malevolent site and that the certificate is invalid, not just "not secure" as before.
It's not a real issue, but if there is a way to fix it, it would be nice.
Also, does the same certificate work for port 4000 or do I have to create another one? There is just an Express API on that, but if I could run it in HTTPS it would be nice too.

1 Like

Tried and it works without an issue.

Still like this but not a problem

Not sure about LiteSpeed, but if it is based on Apache, try showing:
sudo apachectl -t -D DUMP_VHOSTS

1 Like
