I used to be doing the 80 to 443 redirect using just one file for nginx server-wide, containing:
server {
listen 80 default;
listen [::]:80 default;
include header;
return 308 https://$host$request_uri;
}
I think that may be easier/better than putting redirects inside server/domain conf files.
Either way, I don’t know why yet, but in order to get the (web)mail domain certs, I have to disable HSTS and the https redirect, because if I don’t it says:
# v-update-letsencrypt-ssl
Error: Let's Encrypt validation status 400 (mail.some.site). Details: 400:"86.x.x.x: Fetching https://webmail.some.site/.well-known/acme-challenge/tDmFy9J4UUNcuCEXM36VZnRRZQ_QS5Sr2PnG9WOB2uA: Timeout during connect (likely firewall problem)"
Firewall it is not, and there is no geo-IP blocking or anything. The hestia error.log says:
2023-04-29 10:45:55 v-add-letsencrypt-domain 'userx' 'some.site' '' 'yes' [Error 15]
2023-04-29 10:45:55 v-update-letsencrypt-ssl some.site Error: Let's Encrypt validation status 400 (mail.some.site). Details: 400:"86.x.x.x: Fetching https://webmail.some.site/.well-known/acme-challenge/AZWAzVVkF1vEdE2WdQ0hjp95fR4aEgZSM5UHFlBld1Q: Timeout during connect (likely firewall problem)" [Error 2]
And this next LE log shows me something useful, because IPv6 is disabled for my server (see earlier forum posts…), since hestia does not support it (yet). By the way, I really think you should mention this in ALL CAPS before people install hestia; it’s crucial for networking (and cert reliability, obviously). The “addressUsed” entries are for an IPv6 address, for random names!
==[Debug information Step 5]==
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "86.x.x.x: Fetching https://webmail.some.site/.well-known/acme-challenge/xQ0z22FdSi0ZoVp4ZJlvkpaBhtMXUGEd4ip9I2-xETQ: Timeout during connect (likely firewall problem)",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/223336416667/Xwuu1w",
"token": "xQ0z22FdSi0ZoVp4ZJlvkpaBhtMXUGEd4ip9I2-xETQ",
"validationRecord": [
{
"url": "http://mail.some.site/.well-known/acme-challenge/xQ0z22FdSi0ZoVp4ZJlvkpaBhtMXUGEd4ip9I2-xETQ",
"hostname": "mail.some.site",
"port": "80",
"addressesResolved": [
"86.x.x.x",
"2a02:xxxx:xxxx:xxxx::1"
],
"addressUsed": "2a02:xxxx:xxxx:xxxx::1"
},
{
"url": "http://mail.some.site/.well-known/acme-challenge/xQ0z22FdSi0ZoVp4ZJlvkpaBhtMXUGEd4ip9I2-xETQ",
"hostname": "mail.some.site",
"port": "80",
"addressesResolved": [
"86.x.x.x",
"2a02:xxxx:xxxx:xxxx::1"
],
"addressUsed": "86.x.x.x"
},
{
"url": "https://webmail.some.site/.well-known/acme-challenge/xQ0z22FdSi0ZoVp4ZJlvkpaBhtMXUGEd4ip9I2-xETQ",
"hostname": "webmail.some.site",
"port": "443",
"addressesResolved": [
"86.x.x.x",
"2a02:xxxx:xxxx:xxxx::1"
],
"addressUsed": "2a02:xxxx:xxxx:xxxx::1"
}
],
"validated": "2023-04-29T03:04:36Z"
}
==[Abort Step 5]==
=> Wrong status
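As an added example (not part of the post above and not Hestia's own tooling): a small Python script that walks the validationRecord of such a debug block and reports whether the CA was redirected from port 80 to HTTPS and whether the failing hop went over IPv6 while an AAAA record is published. The sample record is constructed from the masked values shown above; the names _hop and diagnose are mine.

```python
import json
from urllib.parse import urlsplit

def _hop(url, addr):
    """Build one validationRecord entry shaped like the debug output above (constructed sample)."""
    u = urlsplit(url)
    return {"url": url, "hostname": u.hostname, "port": str(u.port or (443 if u.scheme == "https" else 80)),
            "addressesResolved": ["86.x.x.x", "2a02:xxxx:xxxx:xxxx::1"], "addressUsed": addr}

TOKEN = "xQ0z22FdSi0ZoVp4ZJlvkpaBhtMXUGEd4ip9I2-xETQ"
# Constructed sample modelled on "Debug information Step 5" in the post; addresses masked as there.
SAMPLE = {
    "type": "http-01", "status": "invalid",
    "error": {"type": "urn:ietf:params:acme:error:connection", "status": 400},
    "validationRecord": [
        _hop(f"http://mail.some.site/.well-known/acme-challenge/{TOKEN}", "2a02:xxxx:xxxx:xxxx::1"),
        _hop(f"http://mail.some.site/.well-known/acme-challenge/{TOKEN}", "86.x.x.x"),
        _hop(f"https://webmail.some.site/.well-known/acme-challenge/{TOKEN}", "2a02:xxxx:xxxx:xxxx::1"),
    ],
}

def diagnose(challenge: dict) -> dict:
    """Walk an http-01 validationRecord and say where the CA's fetch of the token went wrong."""
    hops = challenge.get("validationRecord", [])
    out = {"hops": [], "redirected_to_https": False, "last_hop_ipv6": False, "aaaa_published": False, "advice": []}
    for rec in hops:
        scheme = urlsplit(rec["url"]).scheme
        out["hops"].append((scheme, rec["hostname"], rec["port"], rec["addressUsed"]))
        out["aaaa_published"] |= any(":" in a for a in rec["addressesResolved"])
    if hops:
        # The CA only asks for http://<host>/...; a later https hop means our port-80 redirect was followed.
        out["redirected_to_https"] = urlsplit(hops[0]["url"]).scheme == "http" and urlsplit(hops[-1]["url"]).scheme == "https"
        out["last_hop_ipv6"] = ":" in hops[-1]["addressUsed"]
    if challenge.get("status") != "invalid":
        return out
    if out["redirected_to_https"]:
        out["advice"].append("port 80 redirected the CA to HTTPS: serve /.well-known/acme-challenge/ over plain HTTP before the redirect")
    if out["last_hop_ipv6"] and out["aaaa_published"]:
        out["advice"].append("AAAA record is published but the failing hop used IPv6: drop the AAAA record or make the host reachable over IPv6")
    if not out["advice"]:
        out["advice"].append("no redirect or IPv6 involvement seen: check that port 80 is reachable from the internet")
    return out

if __name__ == "__main__":
    for line in diagnose(SAMPLE)["advice"]:
        print(line)
```

Feed it the JSON from your own Step 5 block with json.loads to get the same report for a real run.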