I am getting an error in Hestia when trying to add SSL Certificate
Error: Let’s Encrypt nonce request status (your.domain.name)
Show the output of this command:
curl --user-agent "HestiaCP" -s -I "https://acme-v02.api.letsencrypt.org/directory"
I’m hanging on this thread, as I have the same incident as the title. Specifically, the situation arises when I try to generate the certificate for a subdomain, considering that the main domain already has one but the latter does not have the same IP as the subdomain. For example: the domain testing.io has the IP 10.10.10.10.10 and the subdomain duo.testing.io has the IP 20.20.20.20.20. Each IP is a different VPS server, with Hestia running.
The output of the curl command on the main domain server delivers the following:
HTTP/2 200
server: nginx
date: Thu, 27 Mar 2025 21:55:50 GMT
content-type: application/json
content-length: 1042
cache-control: public, max-age=0, no-cache
replay-nonce: yks4JBOUR_VjlSV_99ixDwdSsIRWBftrhFcrXVr5B74T5Wf0fAA
x-frame-options: DENY
strict-transport-security: max-age=604800
… while the output of the curl command on the subdomain server delivers the following:
HTTP/2 200
server: nginx
date: Thu, 27 Mar 2025 21:49:05 GMT
content-type: application/json
content-length: 1042
cache-control: public, max-age=0, no-cache
replay-nonce: pwlyUh7gJz0ehSoDY-Xl5Fyobak0m8UXbQubi_OlNj8b5_ofn_Y
x-frame-options: DENY
strict-transport-security: max-age=604800
For the next time, if you don’t want to share your actual domain, use these domains: example.com, example.net or example.org, or you could also use the top level domains .test, .example, .invalid or .localhost.
More info here: https://www.iana.org/help/example-domains
The same applies to public IPs; you should use one of these ranges (they are reserved for documentation purposes):
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24
233.252.0.0/24
Regarding the certificate issue, check the log file that should be here:
/var/log/hestia/LE-YourUser-YourDomain.log
=============================
Date Time: 2025-03-27 19:51:49
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: username
domain: duo.example.com
- aliases:
- proto: http-01
- wildcard:
==[Step 1]==
- status:
- nonce:
- answer:
That’s all the log?
Yes… all
This is the part where it is failing:
# Requesting nonce / STEP 1
answer=$(curl --user-agent "HestiaCP" -s -I "$LE_API/directory")
nonce=$(echo "$answer" | grep -i nonce | cut -f2 -d \ | tr -d '\r\n')
status=$(echo "$answer" | grep HTTP/ | tail -n1 | cut -f 2 -d ' ')
And it seems the first curl is not returning data…
Try to execute the curl command again:
curl --user-agent "HestiaCP" -s -I "https://acme-v02.api.letsencrypt.org/directory" | grep -i nonce | cut -f2 -d \ | tr -d '\r\n'
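An added example (not Hestia's own script) that reproduces the status and nonce parsing of the "Requesting nonce" step on a constructed HEAD response and says which piece is missing, which is what an empty curl answer looks like from inside the script; the `SAMPLE_OK` text and its nonce value are made up, and a live response would come from the curl command shown above.

```shell
#!/bin/sh
# Added example, not Hestia's own code: same parsing as the "Requesting nonce"
# step, plus explicit diagnostics for the empty or header-less responses that
# produce the "Let's Encrypt nonce request status" error.

# Constructed sample modelled on the curl -I output above (nonce value is made up).
SAMPLE_OK='HTTP/2 200
server: nginx
date: Thu, 27 Mar 2025 21:55:50 GMT
content-type: application/json
cache-control: public, max-age=0, no-cache
replay-nonce: EXAMPLE_NONCE_0123456789
x-frame-options: DENY'

# HTTP status code of a raw HEAD response (last status line, as Hestia does).
acme_status() {
    printf '%s\n' "$1" | grep 'HTTP/' | tail -n1 | cut -f 2 -d ' ' | tr -d '\r\n'
}

# Replay-Nonce header value, case-insensitive, CR/LF stripped.
acme_nonce() {
    printf '%s\n' "$1" | grep -i '^replay-nonce:' | tail -n1 | cut -f 2 -d ' ' | tr -d '\r\n'
}

# Prints "<status> <nonce>" and returns 0 for a usable response; otherwise
# prints the reason on stderr and returns 1.
acme_check_directory_response() {
    status=$(acme_status "$1")
    nonce=$(acme_nonce "$1")
    if [ -z "$status" ]; then
        echo "no HTTP status line: curl returned nothing (DNS, IPv6 or outbound filtering?)" >&2
        return 1
    elif [ "$status" != "200" ]; then
        echo "unexpected status $status from the ACME directory" >&2
        return 1
    elif [ -z "$nonce" ]; then
        echo "status 200 but no Replay-Nonce header (something rewriting headers?)" >&2
        return 1
    fi
    printf '%s %s\n' "$status" "$nonce"
}

# Demonstration: the constructed good response, then an empty one.
acme_check_directory_response "$SAMPLE_OK"
acme_check_directory_response "" || echo "empty response rejected as expected"
```

To check a real server, pipe the output of the curl command above into `acme_check_directory_response "$(curl ...)"` and read the stderr line it prints.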
Output of the curl command:
yks4JBOUlnAQAs0t_RINJLi1LjEr-HuCnvUJvLvsTiBmkc0Ch8U
I would try to issue the certificate again; if it doesn’t work, check the log again.
It is very crazy what happens, because in an instant it throws the error message of the topic, but after a moment when trying to generate the certificate again it throws a 400 error. Apparently something has to do with IPv6 (I don’t have it configured in Cloudflare) and port 80.
This is the log of /var/log/hestia/LE-wdmascostas-webdemascotas.cl.log
==[Step 5]==
- status: 400
- url: https://acme-v02.api.letsencrypt.org/acme/chall/2313911107/498404586647/M-4_Ag
- nonce: hZC-gpDzQzehVS9Ou6ZV5fGpuPxlV0toT-S9qmrzpMKlUDqbdtw
- validation:
- details: Unable to update challenge :: authorization must be pending
- answer: HTTP/2 400
server: nginx
date: Mon, 31 Mar 2025 19:18:47 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 2313911107
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: hZC-gpDzQzehVS9Ou6ZV5fGpuPxlV0toT-S9qmrzpMKlUDqbdtw
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
}
==[Debug information Step 5]==
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2313911107/498404586647/M-4_Ag",
"status": "invalid",
"validated": "2025-03-31T19:17:33Z",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "2606:4700:3036::6815:1907: Invalid response from http://webdemascotas.cl/.well-known/acme-challenge/yFlh_pS4L3Vs4taEddC6Zk8Lf26t_mRqIcIXLeI5OIw: 404",
"status": 403
},
"token": "yFlh_pS4L3Vs4taEddC6Zk8Lf26t_mRqIcIXLeI5OIw",
"validationRecord": [
{
"url": "http://webdemascotas.cl/.well-known/acme-challenge/yFlh_pS4L3Vs4taEddC6Zk8Lf26t_mRqIcIXLeI5OIw",
"hostname": "webdemascotas.cl",
"port": "80",
"addressesResolved": [
"104.21.25.7",
"172.67.221.136",
"2606:4700:3036::6815:1907",
"2606:4700:3037::ac43:dd88"
],
"addressUsed": "2606:4700:3036::6815:1907"
}
]
}
==[Abort Step 5]==
=> Wrong status
The error is independent of the domain, I’m sure of that.
The error is a 404 trying to validate the domain:
"2606:4700:3036::6815:1907: Invalid response from http://webdemascotas.cl/.well-known/acme-challenge/yFlh_pS4L3Vs4taEddC6Zk8Lf26t_mRqIcIXLeI5OIw: 404"
I’ve no idea how you configured Cloudflare’s Proxy but maybe you should use an origin certificate provided by Cloudflare instead of trying to issue a certificate from Let’s Encrypt.
On the same server I have 2 other domains correctly configured with their certificates issued from the control panel no problem.
Now, mentioning your recommendation, I would have used this alternative before but I couldn’t find the “SSL Certificate Authority / Intermediate” that I was missing. After reading the Hestia documentation I found where to get the “SSL Certificate Authority / Intermediate” (because in the control panel there is no mention of it); I applied it and it worked.
I don’t see anything in Cloudflare