<your.domain> is inaccessible, please verify!

I am documenting my 'fix'. I am not sure if this will help anyone else, but maybe.

The domain you put is: org.equalation.org
Please verify it is correct. [y/N] y

Domain has been added into OpenLiteSpeed listener.

Do you wish to issue a Let's encrypt certificate for this domain? [y/N] y
org.equalation.org is inaccessible, please verify!

I BELIEVE the issue above is that we are trying to assign a certificate against port 443 (level 7), or said another way, we are talking about IPv6 addresses, not IPv4. So I have an IPv4 address, but to serve HTTPS I need something listening on socket 443, or in other words "IPv6", because that is where we listen for HTTPS traffic, and I believe that is the "inaccessible" port that is being referenced.

IF I am correct it would be helpful to make it clearer that ":443 is not accessible" or some other guidance in the error message.

How to Enable IPv6 on Droplets :: DigitalOcean Documentation

By carefully following the instructions described above, including modification to the referenced yaml file, I was able to get the green '[OK] <your.domain> is accessible.' which was an awesome feeling.

Anyway, I hope this might help. Or maybe someone more knowledgeable in the subject (likely almost everyone) can more fully develop this discussion.

My domain is: org.equalation.org (yes I do prefix and suffix with org)

I ran this command: I confirmed (y) that I wanted to issue a Let's encrypt certificate for this domain.

It produced this output: "org.equalation.org is inaccessible, please verify!"

My web server is (include version): Ubuntu 20

The operating system my web server runs on is (include version): Running on Digital Ocean Droplet

My hosting provider, if applicable, is: Digital Ocean

First of all, you don't necessarily require IPv6 for a Let's Encrypt certificate.
From what I see, your hostname is a subdomain and running OpenLiteSpeed NodeJS, and a reverse search led me to a DO image.

Instead of the quick setup, which gives no useful information, can you try to run the HTTPS setup in this guide?

When in step 3, try to see if you have any issues this time. If you do, please respond with the error information and detailed log (basically, all output of certbot program).

2 Likes

As @stevenzhu said, IPv6 is not required for a Let's Encrypt certificate, but your current DNS configuration does list an IPv6 record (2604:a880:800:10::ad:a001) for your domain name. If an IPv6 address is listed in DNS, Let's Encrypt may use it in testing your control over a domain name (and the pre-issuance check in the software you're using may require it to be available, which seems to be the problem you ran into).

I think the IPv6 issue may be a fruitful one to look at here. However, you said you were able to get it working, but I currently see IPv4 accessible and IPv6 inaccessible on your site, so I'm not sure that you've really found a complete and permanent solution.

2 Likes
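Added example, not part of the thread or of any poster's code: a pre-issuance check for the situation described in the reply above, where a name publishes both A and AAAA records and validation can fail on whichever address does not answer on port 80. The function names, the `example.org` host and the documentation-range addresses are constructed for illustration.

```python
import socket

LABELS = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}

def resolve(host, port):
    """Return unique (record_type, address) pairs for the name's A and AAAA records."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:  # name does not resolve at all
        return []
    return sorted({(LABELS[fam], sa[0]) for fam, _, _, _, sa in infos if fam in LABELS})

def tcp_probe(address, port, timeout=5.0):
    """True if a TCP connection to address:port completes within the timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:  # covers timeouts, refusals and "network unreachable"
        return False

def preflight(host, port=80, resolver=resolve, probe=tcp_probe):
    """Probe every published address; the validator may use any one of them."""
    results = [(rtype, addr, probe(addr, port)) for rtype, addr in resolver(host, port)]
    unreachable = [(rtype, addr) for rtype, addr, ok in results if not ok]
    return {"results": results, "unreachable": unreachable,
            "ready": bool(results) and not unreachable}

def summarize(host, outcome):
    """One line per address, then a verdict naming the records to fix or remove."""
    lines = [f"{rtype:<4} {addr}: {'reachable' if ok else 'NOT reachable'}"
             for rtype, addr, ok in outcome["results"]]
    if outcome["ready"]:
        lines.append(f"{host}: every published address answers")
    elif not outcome["results"]:
        lines.append(f"{host}: no A or AAAA records found")
    else:
        bad = ", ".join(f"{t} {a}" for t, a in outcome["unreachable"])
        lines.append(f"{host}: fix or remove these records first: {bad}")
    return lines

if __name__ == "__main__":
    # Constructed offline sample: documentation-range addresses, IPv6 path broken.
    fake_dns = lambda host, port: [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")]
    fake_probe = lambda addr, port: addr == "192.0.2.10"
    outcome = preflight("example.org", resolver=fake_dns, probe=fake_probe)
    print("\n".join(summarize("example.org", outcome)))
```

For a live check, call `preflight("your.domain")` with the default resolver and probe from a machine outside the server's own network, since a probe run on the server itself does not pass through the firewall path a remote validator uses.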

@stevenzhu I have attempted to follow the setup per the guide you have graciously provided,

All fantastic stuff, if it works. The problem is I tried the above on my site, and nothing happened when I called port 7080. I then attempted several fresh droplet generations, each slightly different in an attempt to get one to work, and none of them resulted in a success.

1.) I go to this site below, and I click the button "Create OpenLiteSpeed NodeJS".
Node.js | Images | Cloud | LiteSpeed Documentation (litespeedtech.com)

2.) I select "Basic" "Regular CPU" (the $5/mo Plan)
3.) I select IPv6 (now I am getting advanced).
4.) I am using an SSH Key to access.
5.) CLICK CREATE Droplet BAR and let Digital Ocean build the droplet.
6.) Using SSH from PowerShell I login From root@<IP_Address>
7.) Now here is a point where there is ambiguity. The Digital Ocean Market Place App for "OpenLiteSpeed NodeJS" states clearly that certbot is included with the standard droplet configuration. I am not clear about the one offered in the link above, but I assume it does because it also initiates the Let's Encrypt app, so I am assuming this means the certbot is working. The issue is that in the instructions above there is no indication that assigning domain names is required.

So I go through the domain name and confirmations... and result in "domain is inaccessible" (here I would be surprised if it did find the domain, because I have not set it up yet).

So now I go back to my Domain and translate the IPv4 and IPv6 addresses (which in Digital Ocean is really easy).

RETRY 6. and 7.) This time at least I get the [OK] accessible note. Great! The request for certificate still fails, and I still am not getting HTTPS.

I have HTTPS working on my site, that is all I really wanted. If I don't need IPv6 to get HTTPS then I don't need IPv6 and nor does anyone really. I stand by what I said, I think the instructions at least solved the problem that I was having and in most of the attempts made following these new instructions.

Step 2. Add Domain to Listener

Navigate to OpenLiteSpeed Web Server WebAdmin > Listeners, and add Your Domain to HTTP/HTTPS.

MESSAGE RESULTING FROM ATTEMPTING TO USE THE INSTRUCTIONS you pointed to.
##############################################################
Using the webroot path /usr/local/lsws/Example/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. equalation.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://equalation.org/.well-known/acme-challenge/CdNV0y5HTNo65FM4Hamu0CDWk1bwzdd1vdj2a-GhnJA: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: equalation.org
    Type: connection
    Detail: Fetching
    http://equalation.org/.well-known/acme-challenge/CdNV0y5HTNo65FM4Hamu0CDWk1bwzdd1vdj2a-GhnJA:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
Oops, something went wrong...
####################################################################

If there is a log file that certbot generates I have not been able to find it. Please share full path of this log and I will share. But I am all but certain that anyone on the planet can follow the steps that I did and get the same result.

Steve

GOOD NEWS!!! Because you all don't really care about HOW I got this to work but that I got this to work AND I know what I needed to KNOW BUT YOU are NOT TOLD in the INSTRUCTIONS.

******************************************* THIS IS WHAT I LEARNED **********************************
IMMEDIATELY after your droplet is finished being constructed (BEFORE you login as root).
Configure BOTH your <domain-name.bla> & <www.domain-name.bla> in your project (see your domain-name in the control panel). This is where you assign the IPv4 to the A domain-name.bla (Digital Ocean actually makes this easy because you select the drop you want to attach to the domain-name.bla). If you checked the IPv6 box in the drop setup, then add the AAAA names for the domain-name.bla and again select the drop, and DO will plug in the correct IPv6 address.
**************************** DO THESE Steps BEFORE Logging into the site ******************************

I cannot promise it will work the first or second time. I think the domain name references get confused and it takes some time to change the tables and I expect this may have been causing some of my difficulties.

*** BELOW Is a continuation of my Narrative I pushed the HAPPY RESULT Up to the Top because that is what you probably want to see ****

So, after going through the above exercise, it appears that I may have broken my working HTTPS site.

So I deleted ALL of my Drops and started fresh within my project. Good news is I learned a thing or two. Using the Market Place Create OpenLiteSpeed image (or whatever they call these things we start from), I was successful in getting my Let's Encrypt certificate. This still did not result in a working HTTPS, but thankfully I read the additional

Node.js | Images | Cloud | LiteSpeed Documentation (litespeedtech.com)
Where OPTIONAL but RECOMMENDED (emphasis mine) it says to do this...

sudo apt-get update && sudo apt-get upgrade -y

And that appeared to make the difference.

I have no explanation as to why these steps did not produce the same result, although I will say that it likely had to do with having only one drop in my project, and this greatly reduced the potential for me to confuse the drops (I don't happen to believe that this explains it).
