I’ve 3 SANs with same domain (2 subs and main) getting error renewing it :
Nginx + php-fpm
root@server:~# v-update-letsencrypt-ssl
Error: Let's Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending
Error: Let's Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending
Error: Let's Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending
We will ship a new hestia version today, it is currently in the last testing phase - which is update our own productive infrastructure.
This version ships a slightly reworked let’s encrypt engine due to issues with cloudflare in combination with 301 forwardings, you can already install it with the following commands:
root@server:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@server:~# nginx -s reload
root@server:~#
root@server:~# systemctl reload nginx && systemctl status nginx -l
● nginx.service - nginx - high performance web server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2020-12-08 04:33:54 UTC; 1 weeks 0 days ago
Docs: http://nginx.org/en/docs/
Process: 426196 ExecReload=/bin/kill -s HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 3765414 (nginx)
Tasks: 7 (limit: 3488)
Memory: 95.8M
CGroup: /system.slice/nginx.service
├─ 167195 nginx: worker process is shutting down
├─ 424038 nginx: worker process is shutting down
├─ 426188 nginx: worker process
├─ 426189 nginx: worker process
├─ 426190 nginx: worker process
├─ 426191 nginx: cache manager process
└─3765414 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
Dec 15 09:54:02 server.domain.com systemd[1]: Reloading nginx - high performance web server.
Dec 15 09:54:02 server.domain.com systemd[1]: Reloaded nginx - high performance web server.
Dec 15 10:18:08 server.domain.com systemd[1]: Reloading nginx - high performance web server.
Dec 15 10:18:08 server.domain.com systemd[1]: Reloaded nginx - high performance web server.
Dec 15 10:18:43 server.domain.com systemd[1]: Reloading nginx - high performance web server.
Dec 15 10:18:43 server.domain.com systemd[1]: Reloaded nginx - high performance web server.
Dec 15 10:18:58 server.domain.com systemd[1]: Reloading nginx - high performance web server.
Dec 15 10:18:58 server.domain.com systemd[1]: Reloaded nginx - high performance web server.
Dec 15 10:19:16 server.domain.com systemd[1]: Reloading nginx - high performance web server.
Dec 15 10:19:16 server.domain.com systemd[1]: Reloaded nginx - high performance web server.
Error 400 means that LE cannot verify the challange key (.well-known/acme-challange/…)
and this can happen because of the dns (TTL caching) or wrong response from the webserver
(primary domain and also all the aliases)
Test DNS : you can check with dig @8.8.8.8 <domain.tld>
Test WEB:
1- service nginx configtest
2- systemctl restart nginx
3- curl --location --insecure --verbose --resolve <domain.tld>:80:<server-ip-from-dig> http://<domain.tld>:80/.well-known/acme-challenge/123
Using hsts and auto redirect for all my domains, also auto redirect was set prior as default, but has been reverted because it got auto enabled on renewal also for users that disabled the redirect.
There seems to be some system specific issues, maybe you can follow the inputs @Lupu gave and try a manual curl check.
No, i didnt missed that. That’s why I wrote that I use this settings aswell. So please turn them back on and provide us more informations with a manual curl check. I dont have any system that produces issues, basicly we all not have one, otherwise we would be able to debug the issue (if it would be reproducable).
Server updated to hestia 1.3.2 a day or so ago, and I received a Letsencrypt error. Server is using Cloudflare proxy, which rang a bell, so I thought I’d mention it here. The error message emailed to me was Error: Let’s Encrypt finalize bad status 500
And thanks to the recent addition of fantastically detailed logs I was able to get this as the last entry in my log directory. /var/log/hestia/LE-user-domain.com-date-time.log
The internal LE certificate is set to expire on Jan 16th, which is why the renewal was triggered. However the Cloudflare cert on the proxy is still good until July. I actually don’t mind turning off Cloudflare proxy on this site, but would like to help with the resolution if I can. Let me know what information I can provide. I’m OK with sending you the whole LE log by email / PM, but don’t want to make it public for obvious reasons.
I tried the curl command above (nice trick with the --resolve flag, must remember that), and it gave the correct response of 123.aosidfasidufpawhatever. As I read the logs, it seems the problem was when communicating back to LE servers? Anyway, will investigate a little more on this end. Work has been slow recently …
OK, so I did some detective work and it seems that LE error is often due to some sort of server glitch at Letsencrypt. So I thought I’d run the command manually v-update-letsencrypt-ssl domain.com
This time there were no errors in /var/log/hestia/error.log
And the certificate was renewed successfully