Error: Let’s Encrypt nonce request status (your.domain.name)

I am getting an error in Hestia when trying to add SSL Certificate

Error: Let’s Encrypt nonce request status (your.domain.name)

Show the output of this command:

curl --user-agent "HestiaCP" -s -I "https://acme-v02.api.letsencrypt.org/directory"

I’m hanging on this thread, as I have the same incident as in the title. Specifically, the situation arises when I try to generate the certificate for a subdomain, given that the main domain already has one but the latter does not have the same IP as the subdomain. For example: the domain testing.io has the IP 10.10.10.10.10 and the subdomain duo.testing.io has the IP 20.20.20.20.20. Each IP is a different VPS server, with Hestia running.

The output of the curl command on the main domain server delivers the following:

HTTP/2 200 
server: nginx
date: Thu, 27 Mar 2025 21:55:50 GMT
content-type: application/json
content-length: 1042
cache-control: public, max-age=0, no-cache
replay-nonce: yks4JBOUR_VjlSV_99ixDwdSsIRWBftrhFcrXVr5B74T5Wf0fAA
x-frame-options: DENY
strict-transport-security: max-age=604800

… while the output of the curl command on the subdomain server delivers the following:

HTTP/2 200 
server: nginx
date: Thu, 27 Mar 2025 21:49:05 GMT
content-type: application/json
content-length: 1042
cache-control: public, max-age=0, no-cache
replay-nonce: pwlyUh7gJz0ehSoDY-Xl5Fyobak0m8UXbQubi_OlNj8b5_ofn_Y
x-frame-options: DENY
strict-transport-security: max-age=604800

For the next time, if you don’t want to share your actual domain, use these domains: example.com, example.net or example.org; or you could also use the top-level domains .test, .example, .invalid or .localhost.

More info here:
https://www.iana.org/help/example-domains

The same applies to public IPs; you should use one of these ranges (they are reserved for documentation purposes):

192.0.2.0/24
198.51.100.0/24 
203.0.113.0/24
233.252.0.0/24 

Regarding the certificate issue, check the log file that should be here:

/var/log/hestia/LE-YourUser-YourDomain.log
=============================
Date Time: 2025-03-27 19:51:49
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: username
domain: duo.example.com

- aliases: 
- proto: http-01
- wildcard: 

==[Step 1]==
- status: 
- nonce: 
- answer:

That’s all the log?

Yes… all

This is the part where it is failing:

# Requesting nonce / STEP 1
# LE_API is set earlier in the script (https://acme-v02.api.letsencrypt.org in this thread)
answer=$(curl --user-agent "HestiaCP" -s -I "$LE_API/directory")
nonce=$(echo "$answer" | grep -i nonce | cut -f2 -d \  | tr -d '\r\n')
status=$(echo "$answer" | grep HTTP/ | tail -n1 | cut -f 2 -d ' ')

And seems the first curl is not returning data…

Try to execute the curl command again:

curl --user-agent "HestiaCP" -s -I "https://acme-v02.api.letsencrypt.org/directory" | grep -i nonce | cut -f2 -d \  | tr -d '\r\n'
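As an added example (not Hestia’s own code), a small POSIX shell script that reuses the exact parsing pipeline from the snippet above and classifies what curl returned, so an empty answer (the empty status and nonce seen in the log) can be told apart from a non-200 status or a missing replay-nonce header. It assumes curl is installed; the sample header dump is constructed and its nonce value is made up.

```shell
#!/bin/sh
# Troubleshooting helper for Hestia's "Step 1" nonce request (added example).

LE_API="https://acme-v02.api.letsencrypt.org"

# Same parsing Hestia does: status from the last HTTP/ line, nonce from replay-nonce.
le_parse_status() { printf '%s\n' "$1" | grep HTTP/ | tail -n1 | cut -f 2 -d ' '; }
le_parse_nonce()  { printf '%s\n' "$1" | grep -i nonce | cut -f2 -d ' ' | tr -d '\r\n'; }

# Classify a captured "curl -I" header dump.
le_diagnose() {
    le_answer="$1"
    le_status=$(le_parse_status "$le_answer")
    le_nonce=$(le_parse_nonce "$le_answer")
    if [ -z "$le_answer" ]; then
        # Nothing came back at all: DNS, IPv6 routing or outbound firewall on this VPS
        echo "no-response"
    elif [ "$le_status" != "200" ]; then
        echo "bad-status:$le_status"
    elif [ -z "$le_nonce" ]; then
        echo "no-nonce"
    else
        echo "ok:$le_nonce"
    fi
}

# Live check: the very request Hestia issues, run on the affected server.
le_live_check() {
    le_diagnose "$(curl --user-agent "HestiaCP" -s -I "$LE_API/directory")"
}

# Constructed sample shaped like the healthy output quoted in the thread (CRLF line ends).
SAMPLE_OK=$(printf 'HTTP/2 200 \r\nserver: nginx\r\nreplay-nonce: EXAMPLE_NONCE_VALUE\r\nx-frame-options: DENY\r\n')
```

Run `le_live_check` on the subdomain server; anything other than `ok:<nonce>` tells you which part of the request is failing before looking further into the ACME flow.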

curl command response:

yks4JBOUlnAQAs0t_RINJLi1LjEr-HuCnvUJvLvsTiBmkc0Ch8U

I would try to issue the certificate again; if it doesn’t work, check the log again.


What happens is very strange, because at one moment it throws the error message from the topic title, but a moment later, when trying to generate the certificate again, it throws a 400 error. Apparently it has something to do with IPv6 (I don’t have it configured in Cloudflare) and port 80.
This is the log from /var/log/hestia/LE-wdmascostas-webdemascotas.cl.log

==[Step 5]==
- status: 400
- url: https://acme-v02.api.letsencrypt.org/acme/chall/2313911107/498404586647/M-4_Ag
- nonce: hZC-gpDzQzehVS9Ou6ZV5fGpuPxlV0toT-S9qmrzpMKlUDqbdtw
- validation:
- details: Unable to update challenge :: authorization must be pending
- answer: HTTP/2 400
server: nginx
date: Mon, 31 Mar 2025 19:18:47 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 2313911107
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: hZC-gpDzQzehVS9Ou6ZV5fGpuPxlV0toT-S9qmrzpMKlUDqbdtw

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}

==[Debug information Step 5]==
{
  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2313911107/498404586647/M-4_Ag",
  "status": "invalid",
  "validated": "2025-03-31T19:17:33Z",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "2606:4700:3036::6815:1907: Invalid response from http://webdemascotas.cl/.well-known/acme-challenge/yFlh_pS4L3Vs4taEddC6Zk8Lf26t_mRqIcIXLeI5OIw: 404",
    "status": 403
  },
  "token": "yFlh_pS4L3Vs4taEddC6Zk8Lf26t_mRqIcIXLeI5OIw",
  "validationRecord": [
    {
      "url": "http://webdemascotas.cl/.well-known/acme-challenge/yFlh_pS4L3Vs4taEddC6Zk8Lf26t_mRqIcIXLeI5OIw",
      "hostname": "webdemascotas.cl",
      "port": "80",
      "addressesResolved": [
        "104.21.25.7",
        "172.67.221.136",
        "2606:4700:3036::6815:1907",
        "2606:4700:3037::ac43:dd88"
      ],
      "addressUsed": "2606:4700:3036::6815:1907"
    }
  ]
}

==[Abort Step 5]==
=> Wrong status

The error is independent of the domain, I’m sure of that.

The error is a 404 when trying to validate the domain:

"2606:4700:3036::6815:1907: Invalid response from http://webdemascotas.cl/.well-known/acme-challenge/yFlh_pS4L3Vs4taEddC6Zk8Lf26t_mRqIcIXLeI5OIw: 404"

I’ve no idea how you configured Cloudflare’s Proxy but maybe you should use an origin certificate provided by Cloudflare instead of trying to issue a certificate from Let’s Encrypt.

On the same server I have 2 other domains correctly configured, with their certificates issued from the control panel without any problem.
Now, regarding your recommendation, I would have used this alternative before, but I couldn’t find the “SSL Certificate Authority / Intermediate” that I was missing. After reading the Hestia documentation I found where to get the “SSL Certificate Authority / Intermediate” (because in the control panel there is no mention of it); I applied it and it worked.
I don’t see anything in Cloudflare
