Describe the bug
I have been struggling with this error for two months. I had managed to eliminate it earlier, but then I needed to reinstall the system and it appeared again.
This did not happen on the VPS I used a long time ago, so perhaps it is related to the security settings of the VPS provider. That is not certain, though, because, as I said above, I had already fixed this problem once.
I can’t remember exactly how I fixed it, but even when it worked, it succeeded only on the second try. I assume it may be related to port knocking.
Tell us how to replicate the bug
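When trying to add an SSL certificate to a domain using Let’s Encrypt, a 403 error appears, regardless of the selected domain. In the log below, the 403 is returned by the Let’s Encrypt ACME API at Step 6 (finalization) with the error type orderNotReady, because the order’s status is "invalid".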
Which components are affected by this bug?
Let’s Encrypt SSL
Hestia Control Panel Version
v1.8.12
Operating system
Ubuntu 22.04 (x86_64)
Log capture
=============================
Date Time: 2024-09-12 08:26:25
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: admin
domain: hestiacp.chekigood-webpanel.ru
- aliases:
- proto: http-01
- wildcard:
==[Step 1]==
- status: 200
- nonce: 0Nvv4YSt-aO0JoPfdEkNy4WWrKBdJd3mERKgCg8TVstlEM4CQCs
- answer: HTTP/2 200
server: nginx
date: Thu, 12 Sep 2024 06:26:27 GMT
content-type: application/json
content-length: 746
cache-control: public, max-age=0, no-cache
replay-nonce: 0Nvv4YSt-aO0JoPfdEkNy4WWrKBdJd3mERKgCg8TVstlEM4CQCs
x-frame-options: DENY
strict-transport-security: max-age=604800
==[API call]==
exit status: 0
==[Step 2]==
- status: 201
- nonce: fCBw7MtQEpbbm4eTkBoEs-X5DIFdriykjqCwFiHCRLBfMT0Q_Hk
- authz: https://acme-v02.api.letsencrypt.org/acme/authz-v3/402579034836
- finalize: https://acme-v02.api.letsencrypt.org/acme/finalize/1940383076/304449143276
- payload: {“identifiers”:[{“type”:“dns”,“value”:“hestiacp.chekigood-webpanel.ru”}]}
- answer: HTTP/2 201
server: nginx
date: Thu, 12 Sep 2024 06:26:28 GMT
content-type: application/json
content-length: 356
boulder-requester: 1940383076
cache-control: public, max-age=0, no-cache
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
location: https://acme-v02.api.letsencrypt.org/acme/order/1940383076/304449143276
replay-nonce: fCBw7MtQEpbbm4eTkBoEs-X5DIFdriykjqCwFiHCRLBfMT0Q_Hk
x-frame-options: DENY
strict-transport-security: max-age=604800
{
“status”: “pending”,
“expires”: “2024-09-19T06:26:28Z”,
“identifiers”: [
{
“type”: “dns”,
“value”: “hestiacp.chekigood-webpanel.ru”
}
],
“authorizations”: [
“https://acme-v02.api.letsencrypt.org/acme/authz-v3/402579034836”
],
“finalize”: “https://acme-v02.api.letsencrypt.org/acme/finalize/1940383076/304449143276”
}
order: https://acme-v02.api.letsencrypt.org/acme/order/1940383076/304449143276
==[API call]==
exit status: 0
==[Step 3]==
- status: 200
- nonce: UAMvsxnwG5hnZ6RfT6mEmqQWhhQ6Mp2933_mtctMh2Ni3wb9rtM
- url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/402579034836/RHoa3g
- token: yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A
- answer: HTTP/2 200
server: nginx
date: Thu, 12 Sep 2024 06:26:29 GMT
content-type: application/json
content-length: 814
boulder-requester: 1940383076
cache-control: public, max-age=0, no-cache
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
replay-nonce: UAMvsxnwG5hnZ6RfT6mEmqQWhhQ6Mp2933_mtctMh2Ni3wb9rtM
x-frame-options: DENY
strict-transport-security: max-age=604800
{
“identifier”: {
“type”: “dns”,
“value”: “hestiacp.chekigood-webpanel.ru”
},
“status”: “pending”,
“expires”: “2024-09-19T06:26:28Z”,
“challenges”: [
{
“type”: “tls-alpn-01”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/402579034836/7jw-ag”,
“status”: “pending”,
“token”: “yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A”
},
{
“type”: “dns-01”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/402579034836/UHgG6A”,
“status”: “pending”,
“token”: “yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A”
},
{
“type”: “http-01”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/402579034836/RHoa3g”,
“status”: “pending”,
“token”: “yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A”
}
]
}
==[API call]==
exit status: 0
==[Step 5]==
- status: 200
- url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/402579034836/RHoa3g
- nonce: fCBw7MtQubvIXDdWnWDI8A_J1wO-NuKSOuXLr6AlLLwjo7QpXW0
- validation: https://acme-v02.api.letsencrypt.org/acme/chall-v3/402579034836/RHoa3g
- details:
- answer: HTTP/2 200
server: nginx
date: Thu, 12 Sep 2024 06:26:45 GMT
content-type: application/json
content-length: 187
boulder-requester: 1940383076
cache-control: public, max-age=0, no-cache
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
link: https://acme-v02.api.letsencrypt.org/acme/authz-v3/402579034836;rel=“up”
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/402579034836/RHoa3g
replay-nonce: fCBw7MtQubvIXDdWnWDI8A_J1wO-NuKSOuXLr6AlLLwjo7QpXW0
x-frame-options: DENY
strict-transport-security: max-age=604800
{
“type”: “http-01”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/402579034836/RHoa3g”,
“status”: “pending”,
“token”: “yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A”
}
==[API call]==
exit status: 0
==[Step 6]==
- status: 403
- nonce: 0Nvv4YStB4KvFdw1uwnepuek1Cz5r7daPeMEyS96CKPCeHFhiGE
- payload: {“csr”:“MIIE-zCCAuMCAQAwgbUxMjAwBgkqhkiG9w0BCQEWI2luZm9AaGVzdGlhY3AuY2hla2lnb29kLXdlYnBhbmVsLnJ1MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEPMA0GA1UECgwGSGVzdGlhMQswCQYDVQQLDAJJVDEnMCUGA1UEAwweaGVzdGlhY3AuY2hla2lnb29kLXdlYnBhbmVsLnJ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzbjaLwYakKOKkDy-z6XMRuIjA7GJyympnoJmzgHdX6VqiJE7DOc-0Encp_hVh1_ggnc1hmDNMOdFTup_EuOg123C6_0iuT4ncvVcSNh_JPlWGtu-zM6pz_GDa-RB6jJWyq8KPjJ5fzhpyepy9YEfq3J0DKg2E4dCH_viMSEiLd5Nbrq648ZguwBstbinjGqoET7h4JKpNnkJymJrjzTuydxSetJMIPY3QYFk9Hg2M7aSLJWxcrasLLZ46dFf0s3Pq9ynepSF_wHYrvUQxQGAQfOYIRl9p69pWQvrDBkVJOEfEbahxaHL_-vuAULSxP64CD8kLZzfbSCsgDSkJ10XK5QNUONVVU37MSxEtQZil4m54-njzzmnchaZmcS7Xlnb8IrinUpu2WpWyOgeDlO1P58kLnJ5QYLTJjbiauwe3W7jPDTuc_b6MmZZPMYemmPLfJI9aRjxY9-SCZz5mtAzHOEJ1HaV2DNhuoC54Krxc92Yn0Z9k4qU2UUgldYsA3kPKaruoJY9LdNYonePj3oMir1casD_oYdWYi3qFABuetB8fBSR4UVTThelfm8CeveQwvPM_fgqW68KZEqfwWCQ3aWY9jPY6JhsrASBcUlxiVw0c_vtZeq8LXmp6ll12wbUfRyVFCRloVv9b2MUxjRWLekD_HyITSyFiUK_Z3YEzHECAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4ICAQBZP2_vRtUyFetrbOoN1ROKOv8lvn4CgV58HCeZyS1n3tGVnIG-iPepdPBOyjB1vqQU8iYaU1WhV4OquogULpa8i46-5IggDNUJfN7ucn4SaM_37j2hFL4M-OKGU2OO1B_HDhjnqpDRE7GwKVr1XqNM_c7DTxJVE07qaCiD5p5PsHAxOyRdd7xOTVvfxA0AKvcE5Kk8W2aaOtccy-aX3WnUV2NVukbJCor_3V6BA_aT9cdp17C5s-8Y-VqVaF18jd57ejWxbMul0G4k241t87SaDfirzsjUtlhlADhEo9FYnSYr0H-32hWC9mQWSRJhXHv18FvTI1LOLSmtNOWyYhhnXi8-D7C-bhT8BID6LM9OxnHH1sa3No1BPxa3eQyXqcua0hqYRX5DU5i69J0z_ohdO_LOMGm0v22DQM_1SElkl8A1XP4GMNetvatJHsJUlxaGjbaMsI_YKbEsAegR3lACG4-KOuqdQuqzsYiFfqRlKjnR3i9FaTOCYT74vGE580ouC-fMkJ5WdDXKTFFZ6Z8jrEt627c4-NHA8e3hpniC6IyUWMehpFYIg_fz2GL0O6dLMKjm0bPsYxKrQ4FlHUyMkRRtW-Va1qowHkP8eu5QEe6ho5xw6b94jTkMov5_yhpvPBX6CbGyM2HzSk50b86BzuF0KRu0uzBni4aPQhyilg”}
- certificate:
- answer: HTTP/2 403
server: nginx
date: Thu, 12 Sep 2024 06:26:51 GMT
content-type: application/problem+json
content-length: 152
boulder-requester: 1940383076
cache-control: public, max-age=0, no-cache
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
replay-nonce: 0Nvv4YStB4KvFdw1uwnepuek1Cz5r7daPeMEyS96CKPCeHFhiGE
{
“type”: “urn:ietf:params:acme:error:orderNotReady”,
“detail”: “Order’s status ("invalid") is not acceptable for finalization”,
“status”: 403
}