Error during SSL certificate issuance: Let's Encrypt finalize bad status 403

Describe the bug

I have been struggling with this error for two months. Earlier I had already eliminated it somehow, but I needed to reinstall the system and it appeared again.
On the VPS that I used a long time ago, this was not the case; perhaps it is related to the security settings of the VPS provider. But that is not certain because, as I said above, I had already fixed this problem.
Now I can’t remember how exactly I fixed it, but even when it worked, it happened only on the second try. I assume that it may be related to port knocking.

Tell us how to replicate the bug

When trying to add an SSL certificate to a domain using Let's Encrypt, a 403 error appears, regardless of the selected domain.

Which components are affected by this bug?

Let’s Encrypt SSL

Hestia Control Panel Version

v1.8.12

Operating system

Ubuntu 22.04 (x86_64)

Log capture

=============================
Date Time: 2024-09-12 08:26:25
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: admin
domain: hestiacp.chekigood-webpanel.ru

  • aliases:
  • proto: http-01
  • wildcard:

==[Step 1]==

  • status: 200
  • nonce: 0Nvv4YSt-aO0JoPfdEkNy4WWrKBdJd3mERKgCg8TVstlEM4CQCs
  • answer: HTTP/2 200
    server: nginx
    date: Thu, 12 Sep 2024 06:26:27 GMT
    content-type: application/json
    content-length: 746
    cache-control: public, max-age=0, no-cache
    replay-nonce: 0Nvv4YSt-aO0JoPfdEkNy4WWrKBdJd3mERKgCg8TVstlEM4CQCs
    x-frame-options: DENY
    strict-transport-security: max-age=604800

==[API call]==
exit status: 0

==[Step 2]==

{
  "status": "pending",
  "expires": "2024-09-19T06:26:28Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "hestiacp.chekigood-webpanel.ru"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/402579034836"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1940383076/304449143276"
}
order: https://acme-v02.api.letsencrypt.org/acme/order/1940383076/304449143276

==[API call]==
exit status: 0

==[Step 3]==

  • status: 200
  • nonce: UAMvsxnwG5hnZ6RfT6mEmqQWhhQ6Mp2933_mtctMh2Ni3wb9rtM
  • url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/402579034836/RHoa3g
  • token: yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A
  • answer: HTTP/2 200
    server: nginx
    date: Thu, 12 Sep 2024 06:26:29 GMT
    content-type: application/json
    content-length: 814
    boulder-requester: 1940383076
    cache-control: public, max-age=0, no-cache
    link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    replay-nonce: UAMvsxnwG5hnZ6RfT6mEmqQWhhQ6Mp2933_mtctMh2Ni3wb9rtM
    x-frame-options: DENY
    strict-transport-security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "hestiacp.chekigood-webpanel.ru"
  },
  "status": "pending",
  "expires": "2024-09-19T06:26:28Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/402579034836/7jw-ag",
      "status": "pending",
      "token": "yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A"
    },
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/402579034836/UHgG6A",
      "status": "pending",
      "token": "yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A"
    },
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/402579034836/RHoa3g",
      "status": "pending",
      "token": "yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A"
    }
  ]
}

==[API call]==
exit status: 0

==[Step 5]==

{
  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/402579034836/RHoa3g",
  "status": "pending",
  "token": "yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A"
}

==[API call]==
exit status: 0

==[Step 6]==

  • status: 403
  • nonce: 0Nvv4YStB4KvFdw1uwnepuek1Cz5r7daPeMEyS96CKPCeHFhiGE
  • certificate:
  • answer: HTTP/2 403
    server: nginx
    date: Thu, 12 Sep 2024 06:26:51 GMT
    content-type: application/problem+json
    content-length: 152
    boulder-requester: 1940383076
    cache-control: public, max-age=0, no-cache
    link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    replay-nonce: 0Nvv4YStB4KvFdw1uwnepuek1Cz5r7daPeMEyS96CKPCeHFhiGE

{
  "type": "urn:ietf:params:acme:error:orderNotReady",
  "detail": "Order's status (\"invalid\") is not acceptable for finalization",
  "status": 403
}

Well, your server denied my connection on port 80 from one machine and allowed it from another one so it is filtering inbound connections, maybe by country.

As long as you didn’t filter these countries (USA, Sweden and Singapore) you should be fine.

Checking your log, the problem is not a dropped connection but a 404 error:

"185.196.11.28: Invalid response from http://hestiacp.chekigood-webpanel.ru/.well-known/acme-challenge/yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A: 404"

So Let’s Encrypt is trying to validate your domain using this url http://hestiacp.chekigood-webpanel.ru/.well-known/acme-challenge/yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A but your server returns a 404 error.

Show the output of this command:

cat /home/*/conf/web/hestiacp.chekigood-webpanel.ru/nginx.conf_letsencrypt

If you see something like this:

location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.A-xkMYPmZ80BaNWaP8cikYh9Nu-fvCCWofNFvYqvIOo";
}

then show the nginx.conf:

cat /home/*/conf/web/hestiacp.chekigood-webpanel.ru/nginx.conf

<user>@hestiacp:/var/log/hestia# cat /home/*/conf/web/hestiacp.chekigood-webpanel.ru/nginx.conf_letsencrypt
location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.HM2iAmk2b37rHwT8tjmWqYzsUfeWbw0iMw2Hbnpv5UY";
}
<user>@hestiacp:/var/log/hestia# cat /home/*/conf/web/hestiacp.chekigood-webpanel.ru/nginx.conf
#=========================================================================#
# Default Web Domain Template                                             #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS   #
# https://hestiacp.com/docs/server-administration/web-templates.html      #
#=========================================================================#

server {
        listen      185.196.11.28:80;
        server_name hestiacp.chekigood-webpanel.ru ;
        error_log   /var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.error.log error;

        include /home/admin/conf/web/hestiacp.chekigood-webpanel.ru/nginx.forcessl.conf*;

        location ~ /\.(?!well-known\/|file) {
                deny all;
                return 404;
        }

        location / {
                proxy_pass http://185.196.11.28:8080;

                location ~* ^.+\.(css|htm|html|js|json|xml|apng|avif|bmp|cur|gif|ico|jfif|jpg|jpeg|pjp|pjpeg|png|svg|tif|tiff|webp|aac|caf|flac|m4a|midi|mp3|ogg|opus|wav|3gp|av1|avi|m4v|mkv|mov|mpg|mpeg|mp4|mp4v|webm|otf|ttf|woff|woff2|doc|docx|odf|odp|ods|odt|pdf|ppt|pptx|rtf|txt|xls|xlsx|7z|bz2|gz|rar|tar|tgz|zip|apk|appx|bin|dmg|exe|img|iso|jar|msi|webmanifest)$ {
                        try_files  $uri @fallback;

                        root       /home/admin/web/hestiacp.chekigood-webpanel.ru/public_html;
                        access_log /var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log combined;
                        access_log /var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.bytes bytes;

                        expires    max;
                }
        }

        location @fallback {
                proxy_pass http://185.196.11.28:8080;
        }

        location /error/ {
                alias /home/admin/web/hestiacp.chekigood-webpanel.ru/document_errors/;
        }

        include /home/admin/conf/web/hestiacp.chekigood-webpanel.ru/nginx.conf_*;
}

Above include should load nginx.conf_letsencrypt so I can’t see any obvious problem.

ls -l /etc/nginx/conf.d/domains/hestiacp.chekigood-webpanel.ru.conf
nginx -t
systemctl restart nginx
grep 'acme-challenge' /var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.*

root@hestiacp:/var/log/hestia# ls -l /etc/nginx/conf.d/domains/hestiacp.chekigood-webpanel.ru.conf
lrwxrwxrwx 1 root root 62 Sep 11 15:29 /etc/nginx/conf.d/domains/hestiacp.chekigood-webpanel.ru.conf -> /home/admin/conf/web/hestiacp.chekigood-webpanel.ru/nginx.conf
root@hestiacp:/var/log/hestia# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@hestiacp:/var/log/hestia# systemctl restart nginx
root@hestiacp:/var/log/hestia# grep 'acme-challenge' /var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.*
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:23.178.112.109 - - [11/Sep/2024:15:30:39 +0200] "GET /.well-known/acme-challenge/olr-yLWmKdRZBRWffFK_WZkSNirZonm2YpKAACvnO84 HTTP/1.0" 404 3252 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:23.178.112.212 - - [11/Sep/2024:15:43:39 +0200] "GET /.well-known/acme-challenge/r5ny_FS80uxT8QRZeEEaIlWmDlbcm8LX1bIVyVdAdZ0 HTTP/1.0" 404 3252 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:23.178.112.212 - - [11/Sep/2024:15:47:11 +0200] "GET /.well-known/acme-challenge/Mqx4OK8Sb5YW87vJ8Yt93JrdF5rrMgWOofRdFgPbDuo HTTP/1.0" 404 3252 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:23.178.112.105 - - [12/Sep/2024:08:21:56 +0200] "GET /.well-known/acme-challenge/iKuccthMzrVsXGlpnAKRBRls7vEAiMF7dOGoBM5gOJU HTTP/1.0" 404 3252 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:23.178.112.214 - - [12/Sep/2024:08:26:46 +0200] "GET /.well-known/acme-challenge/yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A HTTP/1.0" 404 3252 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:23.178.112.213 - - [12/Sep/2024:08:30:12 +0200] "GET /.well-known/acme-challenge/bQrW5Wj7DK-OQRAGVHOD4i6yyLDZY-ksXqRlge2rkzY HTTP/1.0" 404 3252 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:88.7.237.187 - - [12/Sep/2024:08:37:04 +0200] "GET /.well-known/acme-challenge/test HTTP/1.0" 404 3252 "-" "curl/7.81.0"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:88.7.237.187 - - [12/Sep/2024:08:37:27 +0200] "HEAD /.well-known/acme-challenge/test HTTP/1.0" 404 286 "-" "curl/7.81.0"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:88.7.237.187 - - [12/Sep/2024:08:38:42 +0200] "GET /.well-known/acme-challenge/test HTTP/1.0" 404 3252 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:88.7.237.187 - - [12/Sep/2024:08:38:43 +0200] "GET /favicon.ico HTTP/1.0" 404 3252 "http://hestiacp.chekigood-webpanel.ru/.well-known/acme-challenge/test" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:23.178.112.100 - - [12/Sep/2024:08:40:00 +0200] "GET /.well-known/acme-challenge/lBif1_wS95E6gyrWkrk_f50aPKzhoyZLFANizgbRSuY HTTP/1.0" 404 3252 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:176.9.3.52 - - [12/Sep/2024:08:42:16 +0200] "GET /.well-known/acme-challenge/yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A HTTP/1.0" 404 3252 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:176.9.3.52 - - [12/Sep/2024:08:42:16 +0200] "GET /favicon.ico HTTP/1.0" 404 3252 "http://hestiacp.chekigood-webpanel.ru/.well-known/acme-challenge/yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:116.203.78.202 - - [12/Sep/2024:08:45:05 +0200] "GET /.well-known/acme-challenge/yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A HTTP/1.0" 404 3252 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:116.203.78.202 - - [12/Sep/2024:08:48:45 +0200] "GET /.well-known/acme-challenge/yQiCpf367J_3xhr_8omRI45OyDkMHCqJQva-XNdmL-A HTTP/1.0" 404 3252 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:88.7.237.187 - - [12/Sep/2024:08:50:45 +0200] "GET /.well-known/acme-challenge/test HTTP/1.0" 404 3252 "-" "curl/7.81.0"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:82.165.205.21 - - [12/Sep/2024:08:50:52 +0200] "GET /.well-known/acme-challenge/test HTTP/1.0" 404 3252 "-" "curl/7.88.1"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:88.7.237.187 - - [12/Sep/2024:08:55:20 +0200] "GET /.well-known/acme-challenge/test HTTP/1.0" 404 3252 "-" "curl/7.81.0"
/var/log/apache2/domains/hestiacp.chekigood-webpanel.ru.log:88.7.237.187 - - [12/Sep/2024:08:55:28 +0200] "HEAD /.well-known/acme-challenge/test HTTP/1.0" 404 286 "-" "curl/7.81.0"

All looks good but your server is showing a 404 error.

Check if you have any other server_name directive configured as hestiacp.chekigood-webpanel.ru

grep -Ri 'server_name.*\shestiacp.chekigood-webpanel.ru' /etc/nginx

I don’t know if you misspelled ‘shestiacp.’ so I tried it both ways:

root@hestiacp:/var/log/hestia# grep -Ri 'server_name.*\hestiacp.chekigood-webpanel.ru' /etc/nginx
/etc/nginx/conf.d/domains/hestiacp.chekigood-webpanel.ru.conf:  server_name hestiacp.chekigood-webpanel.ru ;
root@hestiacp:/var/log/hestia# grep -Ri 'server_name.*\shestiacp.chekigood-webpanel.ru' /etc/nginx
/etc/nginx/conf.d/domains/hestiacp.chekigood-webpanel.ru.conf:  server_name hestiacp.chekigood-webpanel.ru ;

In regular expressions, \s matches whitespace (spaces, tabs and new lines).

I see no problem in your conf so no idea what’s going on. Is there any kind of proxy in front of your server?

I’m having a similar issue, in my /etc/nginx/conf.d/domains/<domain name> however I did see the following:

location ~ /\.(?!well-known\/|file) {
        deny all;
        return 404;
}

And when checking the /home/<user>/web/<url>/public_html/.well-known/acme-challenge there are no recent files.

That means that the regular expression will match and will deny access to all files/dirs starting with . (dot) except those that are followed by well-known/.

Hestia doesn’t create those dirs nor files, instead it uses an nginx conf like this:

$ cat /home/YourUser/conf/web/YourDomain/nginx.conf_letsencrypt
location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.nAhuiBNBhiChPdAZD-9_cqYJLRDb7t1BLtdaEiZ4zGs";
}
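
A way to test that location without asking Let's Encrypt to validate again, as an added example that is not part of the original post or of Hestia's code: it reads the thumbprint from an nginx.conf_letsencrypt file and classifies one probe of the challenge URL by status and body (per the ACME http-01 challenge, the body is the token, a dot, and the account key thumbprint). The function names and the sample thumbprint are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The conf text and thumbprint below are constructed placeholders.

# Thumbprint that the nginx location appends to the requested token.
le_thumbprint() {   # $1 = path to nginx.conf_letsencrypt
    sed -n 's/^[[:space:]]*return 200 "\$1\.\([-_A-Za-z0-9]*\)";.*/\1/p' "$1" | head -n 1
}

# Body the location should return for a token: "<token>.<thumbprint>".
expected_body() {   # $1 = conf file, $2 = token
    case $2 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # token would not match the location regex
    esac
    tp=$(le_thumbprint "$1")
    [ -n "$tp" ] || return 1
    printf '%s.%s\n' "$2" "$tp"
}

# Classify one probe of /.well-known/acme-challenge/<token>.
check_probe() {   # $1 = conf file, $2 = token, $3 = HTTP status, $4 = body
    want=$(expected_body "$1" "$2") || { echo "bad-token-or-conf"; return 0; }
    if [ "$3" != 200 ]; then
        echo "not-served"        # e.g. the 404s seen in this thread
    elif [ "$4" != "$want" ]; then
        echo "wrong-body"
    else
        echo "ok"
    fi
}

# Constructed copy of the file format shown above.
probe_conf=$(mktemp)
cat > "$probe_conf" <<'EOF'
location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.CONSTRUCTED-thumbprint_0123456789";
}
EOF

# Live use (assumed invocation): fetch status and body with
#   curl -s -o body.txt -w '%{http_code}' http://YourDomain/.well-known/acme-challenge/test
check_probe "$probe_conf" test 200 "test.CONSTRUCTED-thumbprint_0123456789"   # ok
check_probe "$probe_conf" test 404 "<html>not found</html>"                   # not-served
```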

OK, is there another command similar to v-add-letsencrypt-domain that would just do the given URL without looking for the mail domain for it? In my case trying to add an SSL to a subdomain.

I think it would be better if you open a new topic and explain in detail what the problem is.

I see you finally got the certificate for your domain :+1:

Did you find the root cause?

Wrote to my server hoster’s tech support. Gave them access, but so far they haven’t answered me what exactly they did.

As soon as I find out the solution to this problem, I will post here.

I found the answer! It’s all about nginx open file limit. I found an error in the nginx logs that the open file limit was exceeded coinciding with my attempts to release a certificate using LE.

Solution:

echo "DefaultLimitNOFILE=102400:524288" >> /etc/systemd/system.conf
echo "*           hard    nofile     65535" >> /etc/security/limits.conf
echo "*           soft    nofile      18192"  >> /etc/security/limits.conf

We add this to the [Service] section of the /lib/systemd/system/nginx.service file:
LimitNOFILE=102400:524288

systemctl daemon-reload
systemctl restart nginx

Please add to the documentation a description of this problem and a solution! I’m sure a lot of people have encountered this problem. Thanks! :slight_smile:

2 Likes
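
The diagnosis described in the post above, as an added example that is not part of the original post or of Hestia's code: it counts ACME validation 404s in an access log, counts "Too many open files" errors in an nginx error log, reads the soft limit from a /proc/<pid>/limits style file, and writes the same LimitNOFILE value as a systemd drop-in rather than into the packaged unit file. The function names, the drop-in file name and all sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, not taken from the thread.

# Soft "Max open files" limit from a /proc/<pid>/limits style file.
nofile_soft() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# Number of EMFILE errors ("24: Too many open files") in an nginx error log.
emfile_count() {
    grep -c '(24: Too many open files)' "$1" || true
}

# Number of ACME http-01 requests answered with 404 in a combined access log.
acme_404_count() {
    awk '$7 ~ /^\/\.well-known\/acme-challenge\// && $9 == 404 { n++ }
         END { print n + 0 }' "$1"
}

# "fd-exhaustion" when validation 404s and EMFILE errors appear together.
diagnose() {   # $1 = access log, $2 = error log, $3 = limits file
    if [ "$(acme_404_count "$1")" -gt 0 ] && [ "$(emfile_count "$2")" -gt 0 ]; then
        echo "fd-exhaustion soft=$(nofile_soft "$3")"
    else
        echo "other"
    fi
}

# Write the limit as a systemd drop-in (assumed file name limits.conf); a
# drop-in is not overwritten when the nginx package replaces its unit file.
write_dropin() {   # $1 = drop-in directory, $2 = soft:hard limit
    mkdir -p "$1" && printf '[Service]\nLimitNOFILE=%s\n' "$2" > "$1/limits.conf"
}

demo=$(mktemp -d)
cat > "$demo/access.log" <<'EOF'
203.0.113.10 - - [12/Sep/2024:08:26:46 +0200] "GET /.well-known/acme-challenge/CONSTRUCTED-token HTTP/1.0" 404 3252 "-" "validator"
203.0.113.10 - - [12/Sep/2024:08:26:47 +0200] "GET /index.html HTTP/1.0" 200 512 "-" "curl"
EOF
cat > "$demo/error.log" <<'EOF'
2024/09/12 08:26:46 [crit] 811#811: *42 open() "/srv/example" failed (24: Too many open files)
EOF
cat > "$demo/limits" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 524288               files
EOF

diagnose "$demo/access.log" "$demo/error.log" "$demo/limits"
write_dropin "$demo/nginx.service.d" "102400:524288"
cat "$demo/nginx.service.d/limits.conf"
```

On a live host the inputs would be the domain's access log, nginx's error log and /proc/<nginx pid>/limits, and the drop-in directory would be /etc/systemd/system/nginx.service.d, followed by the same daemon-reload and restart as in the post.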

I had the Let’s Encrypt 403 error after setting up my control panel. I found that I had to add an A record to the main domain for the control panel subdomain. I did it right inside the control panel under my main user, but you could also do it like this:

v-add-dns-record admin <yourdomain.com> <subdomain> A 162.227.73.112

For example:
v-add-dns-record admin example.com hestiacp A 162.227.73.112

After you add the DNS record then run:
v-add-letsencrypt-host

After that the problem was fixed for me.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.