Enabling SSL with Let's Encrypt failing for mail domains

Hello all,

Been racking my brain about this for several days now, reading all related posts on this forum and also a lot of other resources but to no avail.

I’ve set up a new user then an email domain. I’ve set up all DNS records properly including A records for mail. and webmail. pointing without CloudFlare proxy to the server’s ip. But when I try to enable SSL for the domain it takes a long time and eventually fails with the following error:

Error: Let's Encrypt validation status 400 (mail.-domain-). Details: 403:"-server ip-: Invalid response from http://webmail.-domain-/.well-known/acme-challenge/Y-VzQpR2Ha28gEbN8sjmTge9c9f7R6hTCIE07msZJjM: 404"

When I look at the nginx config file for the mail domain (nginx.conf_letsencrypt) I see the following:

location ~ "^/.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.-WRzCRJDkO_YmHSjfAI8nb_nZB6_GSnc_TWybvtXFRI";
}

It seems like the verification URI doesn't match the one in the original challenge. I've tried this multiple times in Hestia; on every attempt there's a new token failing, but the one in the nginx config always stays the same. Could this be the issue?

Also, when I run:
grep -R '\smail.-domain-' /etc/nginx/

I get only the following:
/etc/nginx/conf.d/domains/webmail.-domain-.conf: server_name webmail.-domain- mail.-domain-;

Which seems to look ok to me.

Any ideas how to solve this?

Thanks a lot in advance!
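An added note and example, not part of any post in this thread and not HestiaCP's code. Under the ACME HTTP-01 challenge (RFC 8555 section 8.1) the body the server must return is the token from the request path, a dot, and the RFC 7638 thumbprint of the ACME account key. In the location block quoted above, `$1` captures the token from the URL at request time and the fixed suffix after the dot is the account-key thumbprint, which is the same for every challenge issued to that account. The 404 in the error therefore means the request was answered by something other than this location block, not that the suffix is stale. The script below builds a thumbprint and key authorization from a constructed JWK (the key values are made up) and simulates what this location returns for a given path; the function names are this example's own.

```python
"""Added example: how the HTTP-01 response served by the nginx
acme-challenge location is built (RFC 8555 s.8.1, RFC 7638) and what
that location answers for a request path. Not HestiaCP's own code."""
import base64
import hashlib
import json
import re
from urllib.parse import urlsplit

# Regex copied from the nginx.conf_letsencrypt location block quoted above.
ACME_LOCATION = re.compile(r"^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required public
    members only (keys sorted, no whitespace), then base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 s.8.1: token '.' thumbprint(accountKey)."""
    return f"{token}.{thumbprint}"


def simulate_acme_location(path: str, thumbprint: str):
    """Mimic `return 200 "$1.<thumbprint>"`: returns (status, body).
    A path the regex rejects falls through to the document root, which
    is one way to end up with a 404 like the one in the error above."""
    m = ACME_LOCATION.match(path)
    if m is None:
        return 404, None
    return 200, key_authorization(m.group(1), thumbprint)


def token_from_challenge_url(url: str) -> str:
    """Pull the token out of the URL Let's Encrypt reports in its error."""
    m = ACME_LOCATION.match(urlsplit(url).path)
    if m is None:
        raise ValueError(f"not an acme-challenge URL: {url}")
    return m.group(1)


# Constructed sample account key: values are made up, not a real key.
# 'alg' is present to show that non-required members are ignored.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXM", "alg": "RS256"}

# The challenge URL quoted in the error above, placeholder domain kept as written.
CHALLENGE_URL = ("http://webmail.-domain-/.well-known/acme-challenge/"
                 "Y-VzQpR2Ha28gEbN8sjmTge9c9f7R6hTCIE07msZJjM")


def diagnose(url: str, thumbprint: str) -> dict:
    """Token, status and body a correctly wired location would produce."""
    status, body = simulate_acme_location(urlsplit(url).path, thumbprint)
    return {"token": token_from_challenge_url(url), "status": status, "body": body}


if __name__ == "__main__":
    thumb = jwk_thumbprint(SAMPLE_JWK)
    print("account-key thumbprint (constant per account):", thumb)
    print(json.dumps(diagnose(CHALLENGE_URL, thumb), indent=2))
```

Run it and compare the printed body with what `curl -i http://webmail.<domain>/.well-known/acme-challenge/<token>` returns from the server: a 404 or an HTML page means a different server block or document root answered the request, which is the direction the rest of this thread takes.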

Hi,

When debugging these issues it is helpful to know the actual domain name.

Could you please show the output of these commands? Replace YourUser and YourDomain with the actual user and domain.

cat /home/YourUser/conf/mail/YourDomain/nginx.conf_letsencrypt
v-delete-mail-domain-ssl YourUser YourDomain
v-add-letsencrypt-domain YourUser YourDomain '' yes
cat /home/YourUser/conf/mail/YourDomain/nginx.conf_letsencrypt

Remove Let’s Encrypt account conf and try again:

rm /usr/local/hestia/data/users/shumaatzmit/ssl/le.conf
v-add-letsencrypt-domain shumaatzmit shuma-atzmit.co.il '' yes
cat /home/shumaatzmit/conf/mail/shuma-atzmit.co.il/nginx.conf_letsencrypt

Show the output of these commands:

nginx -t
systemctl status nginx --no-pager -l
systemctl restart nginx
systemctl status nginx --no-pager -l

Ok, now the output of this command because it looks like you could have two or more server_name directives using mail.shuma-atzmit.co.il

grep -R 'server_name.*mail.shuma-atzmit.co.il' /etc/nginx/

Ok, that doesn’t make sense. Show the config file.

cat /etc/nginx/conf.d/domains/webmail.shuma-atzmit.co.il.conf

When you paste code here, select the text and Ctrl-E or click on button </> to format it correctly.

That's not what you should have; you must have root /var/lib/roundcube, so I'm wondering what happened.

Could you please rebuild the mail domain and check if the root has changed with the correct value?

v-rebuild-mail-domain shumaatzmit shuma-atzmit.co.il yes
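An added example, not part of any post in this thread and not HestiaCP's code, covering the two checks raised above: whether more than one server block answers for the mail hostname, and what `root` the block that does answer carries. It parses a constructed set of nginx files (paths, hostnames, IP and thumbprint are all made up) and reports, per matching server block, the file, the server_name list, the root and whether the acme-challenge location is present inline or via an `include`; the function names are this example's own.

```python
"""Added example, not HestiaCP's code: find every nginx server block
that answers for a hostname and report its root and whether it carries
the acme-challenge location (inline or through an include)."""
import re

# Constructed sample files mirroring the situation in this thread: the
# webmail vhost has root /var/www/html instead of /var/lib/roundcube, and a
# stale vhost also claims the mail hostname without the ACME location.
SAMPLE_FILES = {
    "/etc/nginx/conf.d/domains/webmail.example.test.conf": """
server {
    listen 203.0.113.10:80;
    server_name webmail.example.test mail.example.test;
    root /var/www/html;
    include /home/user/conf/mail/example.test/nginx.conf_letsencrypt;
    location / { try_files $uri $uri/ =404; }
}
""",
    "/home/user/conf/mail/example.test/nginx.conf_letsencrypt": """
location ~ "^/.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.constructed-thumbprint";
}
""",
    "/etc/nginx/conf.d/stale.conf": """
server {
    listen 203.0.113.10:80;
    server_name mail.example.test;
    root /var/www/html;
}
""",
}

SERVER_OPEN = re.compile(r"\bserver\s*\{")
DIRECTIVE = re.compile(r"^\s*(server_name|root|include)\s+([^;]+);", re.M)
ACME_LOC = re.compile(r'location\s+~\s+"?\^/\.well-known/acme-challenge')


def split_server_blocks(text: str) -> list:
    """Return the body of each top-level `server { ... }` block, matching braces."""
    blocks, pos = [], 0
    while (m := SERVER_OPEN.search(text, pos)):
        depth, j = 0, m.end() - 1  # index of the opening '{'
        while j < len(text):
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        blocks.append(text[m.end():j])
        pos = j + 1
    return blocks


def has_acme_location(body: str, files: dict) -> bool:
    """True if the block defines the ACME location itself or includes a file that does."""
    if ACME_LOC.search(body):
        return True
    return any(name == "include" and ACME_LOC.search(files.get(value.strip(), ""))
               for name, value in DIRECTIVE.findall(body))


def audit_host(host: str, files: dict) -> list:
    """Every server block that lists `host`, with its file, names, root and ACME flag.
    More than one entry means nginx picks one of them and the other is a trap."""
    hits = []
    for path, text in files.items():
        for body in split_server_blocks(text):
            names, root = [], None
            for name, value in DIRECTIVE.findall(body):
                if name == "server_name":
                    names += value.split()
                elif name == "root" and root is None:
                    root = value.strip()  # first root at server level wins
            if host in names:
                hits.append({"file": path, "server_name": names, "root": root,
                             "acme_location": has_acme_location(body, files)})
    return hits


if __name__ == "__main__":
    for hit in audit_host("mail.example.test", SAMPLE_FILES):
        print(hit)
```

To run this against a real server, replace SAMPLE_FILES with a dict built from the files `grep -R server_name /etc/nginx/` points at; a second hit for the mail hostname, or a hit whose root is not /var/lib/roundcube, is the condition the replies above are probing for.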

It has not changed, command went through without errors but still shows “root /var/www/html;”

I’m not sure because I started this server like 2 weeks ago by now, but it’s possible that I ran the initial hestia installation without webmail support. Could it be related?

Try to install roundcube:

v-add-sys-roundcube

Seems to already be installed:

Error: Installed version (1.6.11) is equal to the available version (1.6.11)

Show this:

v-list-sys-config json | grep MAIL

That looks fine, so I have no idea why it is not using the right template to build the mail/webmail Nginx config.

Should I change it manually to /var/lib/roundcube? Or will it get overwritten?

When rebuilding the mail domain it will be overwritten.

grep include /etc/nginx/nginx.conf