Critical issue with LetsEncrypt ssl renew

The “Log” could cause false results but I prefer to happen that then no logging :slight_smile:

Hello everyone. I also have a build of Nginx + php-fpm. I did check yesterday new version (1.32) and see the error again. The sites use prestashop. I changed WP template in Prestashop (nginx). Also experimented with creating the .well-known/acme-challenge/ folder. But it did not help. Now I solve the problem like this. I switch the template to default, get the certificate, switch the template to prestashop. But this is not convenient. Thanks if you have any ideas.
P/S I received mail like this “Error: Let’s Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending” But I’m not idea what domains have got that error.

1 Like

Hello,

I am also having this critical issue. I installed the update listed here, but still the same issue:
Error: Let's Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending.

Here is the LE log from one of the domains:

=============================
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: eaglescoots
domain: beta.eaglescoots.com


- aliases: 
- proto: http-01
- wildcard: 


==[Step 1]==
- status: 200
- nonce: 0003d4-bpyF-oDl-nHdcvbdmRcMx1U9L8sCiz-3gODeUXCY
- answer: HTTP/2 200 
server: nginx
date: Tue, 29 Dec 2020 13:08:32 GMT
content-type: application/json
content-length: 658
cache-control: public, max-age=0, no-cache
replay-nonce: 0003d4-bpyF-oDl-nHdcvbdmRcMx1U9L8sCiz-3gODeUXCY
x-frame-options: DENY
strict-transport-security: max-age=604800


==[API call]==
exit status: 0


==[Step 2]==
- status: 201
- nonce: 0104B8p3HwGNkwYXqAS2RbALEkCK7rnlvzS3ha_6jNgrsSk
- authz: https://acme-v02.api.letsencrypt.org/acme/authz-v3/9666547816
- finalize: https://acme-v02.api.letsencrypt.org/acme/finalize/98525425/7008687726
- payload: {"identifiers":[{"type":"dns","value":"beta.eaglescoots.com"}]}
- answer: HTTP/2 201 
server: nginx
date: Tue, 29 Dec 2020 13:08:32 GMT
content-type: application/json
content-length: 350
boulder-requester: 98525425
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/98525425/7008687726
replay-nonce: 0104B8p3HwGNkwYXqAS2RbALEkCK7rnlvzS3ha_6jNgrsSk
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "status": "pending",
  "expires": "2021-01-05T13:08:32.867098543Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "beta.eaglescoots.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/9666547816"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/98525425/7008687726"
}


==[API call]==
exit status: 0


==[Step 3]==
- status: 200
- nonce: 0104HnnQsIIsBabgO6x9dmZ_U1S7LB5G0EEESIDugj-bcN8
- url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/9666547816/511W1A
- token: cctjTbbiSTVMt4fSiUryUhKgZkm0j2Uk-Ej3G3j8qzo
- answer: HTTP/2 200 
server: nginx
date: Tue, 29 Dec 2020 13:08:33 GMT
content-type: application/json
content-length: 798
boulder-requester: 98525425
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0104HnnQsIIsBabgO6x9dmZ_U1S7LB5G0EEESIDugj-bcN8
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "beta.eaglescoots.com"
  },
  "status": "pending",
  "expires": "2021-01-05T13:08:32Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/9666547816/511W1A",
      "token": "cctjTbbiSTVMt4fSiUryUhKgZkm0j2Uk-Ej3G3j8qzo"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/9666547816/ZsgTCg",
      "token": "cctjTbbiSTVMt4fSiUryUhKgZkm0j2Uk-Ej3G3j8qzo"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/9666547816/6iiJBQ",
      "token": "cctjTbbiSTVMt4fSiUryUhKgZkm0j2Uk-Ej3G3j8qzo"
    }
  ]
}


==[API call]==
exit status: 0


==[Step 5]==
- status: 200
- nonce: 0104wDE1BN0rgD1bfnbEzzew0ZHRhz_0sFSh9VB7KE68WEU
- validation: pending
- details: 
- answer: HTTP/2 200 
server: nginx
date: Tue, 29 Dec 2020 13:08:39 GMT
content-type: application/json
content-length: 185
boulder-requester: 98525425
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
link: <https://acme-v02.api.letsencrypt.org/acme/authz-v3/9666547816>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/9666547816/511W1A
replay-nonce: 0104wDE1BN0rgD1bfnbEzzew0ZHRhz_0sFSh9VB7KE68WEU
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/9666547816/511W1A",
  "token": "cctjTbbiSTVMt4fSiUryUhKgZkm0j2Uk-Ej3G3j8qzo"
}


==[API call]==
exit status: 0


==[Step 5]==
- status: 400
- nonce: 01036Ln1YBbQgQRXgyc7rbCYVGrwEI62HMei4o5CWQIIKsI
- validation: 
- details: Unable to update challenge :: authorization must be pending
- answer: HTTP/2 400 
server: nginx
date: Tue, 29 Dec 2020 13:08:44 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 98525425
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 01036Ln1YBbQgQRXgyc7rbCYVGrwEI62HMei4o5CWQIIKsI

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}


==[Abort Step 5]==
=> Wrong status

I can’t access the admin panel (HSTS), as all my certificates were generated on the same day (I migrated from another host). I run this host for months with same domains, so the SSL should not be an issue. I am nearly sure all of them regenerated their certs at least once. And yes, I am using cloudflare.

Try disabling force ssl

v-delete-web-domain-ssl-force user domain.com

Then run the command v-update-letsencrypt

And then wait for any result

Can I do that for all domains? I host around 20 there, so it will take a long time to disable them all. I tried to disable the domain used by admin panel (with user admin) and then regen them, it did not help.

OK, found the domains with issues in the error.log and disabled their force of SSL, now I am ending on
Error: Let's Encrypt new auth status 429

I found it’s a ratelimiting issue. So we will see.

There is currently no command to disable v-delete-web-domain-ssl-force for all domains.

Make sure SSL/TLS is Off (not secure)

It is an pain to debug this propperly as Couldflare adds an aditinonal layer that we can’t control…

OK,

I got it run without any error, but my admin domain still uses invalid SSL and because of HSTS I can’t access the amin panel, I tried disabled the force ssl for the admin domain, but no help.

If I try to add the host again, I end on an error:

root@hosting:~# v-add-letsencrypt-host
CN = hosting.kompletniweb.cz
error 10 at 0 depth lookup: certificate has expired

Any idea, how to get the admin access and regen the SSL? The admin domain is not behind CF.

Create a self signed one and replace or move the existing one under $HESTA/ssl. Then restart the hestia service with systemctl restart hestia.

Alternativ to prevent the hsts error, access the server over ip.

1 Like

It’s also worth noting that HSTS is cached in the browser. So it can be cleared. Here’s an example for Chrome.

https://msutexas.edu/library/clearhsts.php

2 Likes

IP access was a genius idea. No the first time working with webserver and this trick is well known. I am sorry for completely forgetting about it :slight_smile:

Cert regenerated, HSTS disabled. Thanks!

1 Like

So the problems with auto-renewal of certificates for nginx prestashop config continue. The only working solution is to install the default config and then the update works. Can the script creator make changes to the certificate renewal script? I suggest that the certificate renewal script remember the current template before renewing. then set the default template. And after the update, ssl returned the previously installed template.