2 mail domain SSL certificates aren't renewing for some reason

I’ve just noticed that two SSL certificates for mail domains have not renewed since October :disappointed:
No changes have been made, but in their config I see LETSENCRYPT_FAIL_COUNT with 31 fails.
Is there any CLI command that can show me the output of an attempt of renewal?
I’ve run v-update-letsencrypt-ssl but that has no output at all.

When I check the old (from October) LE log for the domain I see this:

"type": "urn:ietf:params:acme:error:orderNotReady",

Is your DNS set up properly?

Have you been running
apt update
apt upgrade

on a regular basis?

I know that acme changes over time. I haven’t EVER had a LE failure that WASN’T a dns issue.

Can you verify the dns on

Do you have the
SPF
DKIM
DMARC

configured properly? I’m not sure how those all predicate ‘Mail LE Not Working’.
But in MY opinion, those are the first questions you should give answers to before we begin to know your situation.

I know that 100000% of the time I have failures, it’s because I don’t have DNS set up properly.

nslookup mail.yourdomain.com
nslookup mail.yourdomain.com 8.8.8.8
nslookup mail.yourdomain.com 1.1.1.1

I don’t really do this on Linux very often. There are DOZENS of ‘Test My DNS settings’ you can google for. I’ve got spreadsheets full of tools like that.

Hi @aaronkempf ,

Thank you for your reply, but yes, the DNS is okay.
I’m the only administrator here and no one else has access to the DNS. The domain’s DNS records have been set via the Cloudflare API like all the others, so that no human error can occur. All the domains have the same setup, however only 2 are failing.
As per the documentation, the mail domain doesn’t have the proxy option enabled, but then again, no DNS changes have been made and the SSL renewal for the mail. domain only stopped in October while it worked before.

For one of the domains I couldn’t wait anymore, so I simply unticked the SSL certificate via LE, saved, then added it back, and it was added without issues.
But I still need help to understand what has happened, and I can leave the other domain broken for testing.

Once I remove the current SSL certificate to resolve the redirect loop (between http and https), I’m able to run the Let’s Debug test without issues.

The answer should be in the logs: /var/log/hestia/LE-youruser-yourdomain.log

Anyway, apply this fix:

If you want to reset LETSENCRYPT_FAIL_COUNT:


Thanks

Hi @sahsanu, thank you
The error I see in the log you shared is the one I wrote above:

  "type": "urn:ietf:params:acme:error:orderNotReady",
  "detail": "Order's status (\"invalid\") is not acceptable for finalization",

I’m going to try the fix you suggested and report back

v-update-letsencrypt-ssl shows now the output, but what I see doesn’t really help. I mean it says that there’s a redirect loop error but that’s due to the fact that due to the missing SSL there’s a loop between https and http. That wouldn’t be the error during a renewal since the SSL would be valid :thinking: what I’m trying to understand is why the renewal failed in the first place

Maybe there wasn’t any problem at all. It’s possible that Let’s Encrypt validated the domain, but Hestia finished the script before the validation was completed (this is what the patch I mentioned earlier fixes).

The only way to know what happened is by checking the logs. If you don’t have logs from the date when it wasn’t renewing, you won’t be able to determine what happened. Check if you have old logs like log.1, log.2, etc.

Unfortunately they are all the same.
Do you know if Hestia sends emails when such a thing fails, or when an SSL certificate is about to expire and there are troubles? If so, to which mail address do they go?

In the log, in Step 5, you will see a link like this:

https://acme-v02.api.letsencrypt.org/acme/chall-v3/002686860150/ABCDab

If you follow that link, you can view more information, including whether the domain was truly validated. These links are kept active for only a few days, so if you see a message like Expired Authorization, it means the link is old and has been removed.

v-update-letsencrypt-ssl is executed via the admin cron job using sudo, so the sender address should be [email protected], and the recipient address should be the email address defined for the admin user.

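As an added example (not code from this thread or from Hestia), a small Python script that pulls the Step 5 challenge link and any ACME error JSON out of a log excerpt and summarises what the challenge object behind that link says; the sample log text and the challenge JSON are constructed, and the field names follow RFC 8555.

```python
import json
import re

# Constructed sample log excerpt (not a real Hestia capture): the Step 5 challenge
# link and the ACME error JSON quoted in this thread.
SAMPLE_LOG = """Step 5
https://acme-v02.api.letsencrypt.org/acme/chall-v3/002686860150/ABCDab
  "type": "urn:ietf:params:acme:error:orderNotReady",
  "detail": "Order's status (\\"invalid\\") is not acceptable for finalization",
"""

# Constructed challenge object of the shape the Step 5 link returns (RFC 8555 7.1.5);
# hostname, token and error are invented for illustration.
SAMPLE_CHALLENGE = json.dumps({"type": "http-01", "status": "invalid", "token": "EXAMPLETOKEN",
    "error": {"type": "urn:ietf:params:acme:error:connection",
              "detail": "Fetching http://mail.example.test/.well-known/acme-challenge/EXAMPLETOKEN: Timeout"}})

CHALL_URL = re.compile(r"https://acme-v02\.api\.letsencrypt\.org/acme/chall-v3/\S+")
ACME_TYPE = re.compile(r'"type":\s*"(urn:ietf:params:acme:error:[^"]+)"')
ACME_DETAIL = re.compile(r'"detail":\s*"((?:[^"\\]|\\.)*)"')

# Defender-side reading of the ACME error types seen in a failed run.
ERROR_HINTS = {
    "orderNotReady": "finalize attempted while the order was not 'ready': "
                     "validation was still pending or had already failed",
    "connection": "the CA could not reach the challenge URL on this host",
}

def extract_challenge_urls(log_text):
    """Return the Step 5 style challenge links found in a log excerpt."""
    return CHALL_URL.findall(log_text)

def extract_acme_errors(log_text):
    """Return (type, detail) pairs with the detail string JSON-unescaped."""
    details = [json.loads('"' + d + '"') for d in ACME_DETAIL.findall(log_text)]
    return list(zip(ACME_TYPE.findall(log_text), details))

def explain_error(error_type):
    return ERROR_HINTS.get(error_type.rsplit(":", 1)[-1], "unlisted ACME error: " + error_type)

def interpret_challenge(body):
    """Summarise the JSON fetched from a challenge link (or the problem document replacing it)."""
    ch = json.loads(body)
    if str(ch.get("type", "")).startswith("urn:ietf:params:acme:error:"):
        return "link no longer returns a challenge: " + ch.get("detail", ch["type"])
    status = ch.get("status")
    if status == "valid":
        return "validated at " + ch.get("validated", "an unrecorded time")
    if status == "invalid":
        err = ch.get("error", {})
        return "validation failed: %s - %s" % (err.get("type", "?"), err.get("detail", ""))
    return "validation not finished (status %s); finalising now yields orderNotReady" % status
```

Run the extractors over the real LE-youruser-yourdomain.log and paste the fetched challenge JSON into interpret_challenge to see whether the CA ever recorded the validation as complete.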

Thank you!
I have forwarding set up for that address, which works fine when tested. However, no notification has been sent regarding this. Can you think of a way to test a notification for a failed SSL renewal?

You can test it with any cron job.

v-add-cron-job admin '*/2' '*' '*' '*' '*' "sudo echo \"This is a test\" 2>&1"

A mail should be sent every two minutes.

Note: to delete the cron job

v-list-cron-jobs admin

Take note about the job number.

v-delete-cron-job admin HereTheJobNumber

Check Exim’s log /var/log/exim4/mainlog, and you can also check whether there are queued messages in Exim: exim4 -bp


I forgot to say that you should check whether there is a MAILTO variable defined in crontab for user admin:

crontab -u admin -l

Thank you for that :slight_smile:

Thank you, that shows that Google is blocking the email as it is sent unauthenticated. I need to figure out how to set my SMTP credentials for the crontab.

Hmm no, okay, I still need help with this.
I made quite a few tests with one of the mail domains where the issue occurs (I found another one). The SSL is there properly and it is not expired, however the SMTP login for the mail users of that domain isn’t working; as soon as you untick the SSL and then issue it again, all works fine.
I’m able to replicate this in Roundcube too, the login fails with the following error:

[14-Dec-2024 09:38:48 +0000]: <6qa0i6pb> IMAP Error: Login failed for test against localhost from 123.123.123.123 (X-Forwarded-For: 123.123.123.123). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
Also,
openssl s_client -connect my.cool.smtp:465 -crlf

works fine on a different mail domain (the one I’ve fixed by reinstalling the SSL), but on the one I’m testing now it just hangs.

Could you please share the actual domain? If you don’t want to share it publicly, you can send me a private message.

Hey @sahsanu, I’ve mistakenly fixed the last test domain so I’m afraid I will have to accept the fact that I will never know why all this happened. Thank you for offering to help though!
I’ll look online for how I can set Exim to use SMTP credentials to send emails, so that I will receive new emails from the crontab.
