When adding SSL to a web domain I get an error Error: Let’s Encrypt finalize bad status 403 (domain)
Debian
Take a look at this fix:
I have issues adding SSL to a new domain and not when renewing them.
Doesn’t matter whether you are adding a new certificate to a new domain or it’s a renewal, use the fix.
ok, did
sudo -i
cd /usr/local/hestia/bin/
mv v-add-letsencrypt-domain v-add-letsencrypt-domain.original
wget https://raw.githubusercontent.com/hestiacp/hestiacp/64210fd8ccee8718a861856e99f9965e40ff3932/bin/v-add-letsencrypt-domain
chmod +x v-add-letsencrypt-domain
Now I have:
Error: Let’s Encrypt validation status 400 (mail.lsoseo.co). Details: 403:“144.76.227.134: Invalid response from http://mail.lsoseo.co/.well-known/acme-challenge/sUHHaU7NhB_msmW9neSF4guMzibOhEFyyXcAFYdRmGQ: 404”
But are you trying to issue a certificate to the WEB domain mail.lsoseo.co, or are you trying to issue a certificate for the MAIL domain lsoseo.co?
I am trying to add SSL to Both and both are having issues.
Earlier it was giving the error “Let’s Encrypt finalize bad status 403 (domain)”.
Now it is giving the error I just mentioned.
Regarding the web domain lsoseo.co, Hestia automatically adds the alias www and will request a certificate for the base domain lsoseo.co and also for the subdomain www.lsoseo.co, but you don’t have an A record for the www subdomain, so it will fail.
Regarding the mail domain, show the output of the Let’s Encrypt log that is here: /var/log/hestia/LE-YourUser-mail.lsoseo.co.log (replace YourUser by the actual user).
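The two failure modes named in this thread (an alias with no DNS record, and a challenge URL that answers 404) can both be caught before an order is submitted. The following is an added pre-flight checker, not HestiaCP's own code: it derives the identifiers an order will carry (base domain plus the aliases Hestia adds), checks that each resolves, and checks that a probe file placed under /.well-known/acme-challenge/ is really served over plain HTTP on port 80, which is what Let's Encrypt fetches for http-01. The resolver and HTTP fetcher are injectable so the logic can be exercised offline; the defaults use the Python standard library. The probe token name and the "preflight-probe" file are assumptions of this example.

```python
"""Pre-flight check for an ACME http-01 order (added example, not HestiaCP code).

Assumptions: the operator has already written the string `probe_body` into
<webroot>/.well-known/acme-challenge/<probe_token> for every host that will
be in the order, exactly as the ACME client would write the real token.
"""
import socket
import sys
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def order_identifiers(domain, aliases=()):
    """Identifiers the order will contain: the base domain plus every alias
    (Hestia adds the www alias automatically for web domains)."""
    names = [domain.lower().rstrip(".")]
    for alias in aliases:
        alias = alias.lower().rstrip(".")
        if alias and alias not in names:
            names.append(alias)
    return names


def resolve_default(name):
    """Return the A/AAAA addresses for `name`, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fetch_default(url):
    """GET `url` and return (status, body); status 0 means no HTTP answer at all."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def preflight(domain, aliases=(), probe_token="preflight-probe", probe_body="ok",
              resolve=resolve_default, fetch=fetch_default):
    """Return {identifier: problem} for each identifier that would fail
    validation; an empty dict means the order is worth submitting."""
    problems = {}
    for name in order_identifiers(domain, aliases):
        addrs = resolve(name)
        if not addrs:
            # Let's Encrypt cannot even connect: same failure as a missing www A record.
            problems[name] = "no DNS record"
            continue
        status, body = fetch(f"http://{name}{ACME_PATH}{probe_token}")
        if status != 200:
            # The 404 seen in the thread: the server block for this host does
            # not serve the challenge directory.
            problems[name] = f"challenge path returned HTTP {status} via {addrs[0]}"
        elif body.strip() != probe_body:
            # A 200 with the wrong body (e.g. a catch-all page) also fails validation.
            problems[name] = "challenge path served unexpected content"
    return problems


if __name__ == "__main__":
    # Usage: python preflight.py example.test www.example.test
    base, *extra = sys.argv[1:] or ["example.test"]
    for host, why in preflight(base, extra).items():
        print(f"{host}: {why}")
```

Run it from the same machine that owns the public address; if it reports a problem for a host, fixing that before issuing avoids burning the authorization (once Let's Encrypt has marked the challenge invalid, a retry on the same order answers "authorization must be pending").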
When I restart my server I am able to issue SSL to domains. Then after 2 or 3 certs I start having issues.
Here’s the log file of one of the domains I am having issues with now:
=============================
Date Time: 2025-01-08 13:59:16
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: mcowtan
domain: mail.lsoseo.com
- aliases: webmail.lsoseo.com
- proto: http-01
- wildcard:
==[Step 1]==
- status: 200
- nonce: LPSR-4-s19WGW8tUpbkO6G0Kbxi-pXYwNOev0kpqx8LPCqNyD3o
- answer: HTTP/2 200
server: nginx
date: Wed, 08 Jan 2025 08:29:16 GMT
content-type: application/json
content-length: 746
cache-control: public, max-age=0, no-cache
replay-nonce: LPSR-4-s19WGW8tUpbkO6G0Kbxi-pXYwNOev0kpqx8LPCqNyD3o
x-frame-options: DENY
strict-transport-security: max-age=604800
==[API call]==
exit status: 0
==[Step 2]==
- status: 201
- nonce: LPSR-4-sMeIc-4pkir6aYAlLKP_oIjYbIrbqiJCRedV79sJy4OM
- authz: https://acme-v02.api.letsencrypt.org/acme/authz/2057392477/457429201935
https://acme-v02.api.letsencrypt.org/acme/authz/2057392477/457429201945
- finalize: https://acme-v02.api.letsencrypt.org/acme/finalize/2057392477/342101836965
- payload: {"identifiers":[{"type":"dns","value":"mail.lsoseo.com"},{"type":"dns","value":"webmail.lsoseo.com"}]}
- answer: HTTP/2 201
server: nginx
date: Wed, 08 Jan 2025 08:29:17 GMT
content-type: application/json
content-length: 498
boulder-requester: 2057392477
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/2057392477/342101836965
replay-nonce: LPSR-4-sMeIc-4pkir6aYAlLKP_oIjYbIrbqiJCRedV79sJy4OM
x-frame-options: DENY
strict-transport-security: max-age=604800
{
"status": "pending",
"expires": "2025-01-15T08:29:17Z",
"identifiers": [
{
"type": "dns",
"value": "mail.lsoseo.com"
},
{
"type": "dns",
"value": "webmail.lsoseo.com"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz/2057392477/457429201935",
"https://acme-v02.api.letsencrypt.org/acme/authz/2057392477/457429201945"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/2057392477/342101836965"
}
order: https://acme-v02.api.letsencrypt.org/acme/order/2057392477/342101836965
==[API call]==
exit status: 0
==[Step 3]==
- status: 200
- nonce: 1QDIi77b_vPzd6kWIbg-vfGPzb3SYJBT67DbFZb22GAFDJjLYf0
- url: https://acme-v02.api.letsencrypt.org/acme/chall/2057392477/457429201935/N7FYkA
- token: alYsm2SOnql-mru96cpwBzqnWrSD_tv3_p9F1ZRYZt0
- answer: HTTP/2 200
server: nginx
date: Wed, 08 Jan 2025 08:29:17 GMT
content-type: application/json
content-length: 823
boulder-requester: 2057392477
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 1QDIi77b_vPzd6kWIbg-vfGPzb3SYJBT67DbFZb22GAFDJjLYf0
x-frame-options: DENY
strict-transport-security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "mail.lsoseo.com"
},
"status": "pending",
"expires": "2025-01-15T08:29:17Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2057392477/457429201935/N7FYkA",
"status": "pending",
"token": "alYsm2SOnql-mru96cpwBzqnWrSD_tv3_p9F1ZRYZt0"
},
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2057392477/457429201935/HHo4Ow",
"status": "pending",
"token": "alYsm2SOnql-mru96cpwBzqnWrSD_tv3_p9F1ZRYZt0"
},
{
"type": "tls-alpn-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2057392477/457429201935/cFs4og",
"status": "pending",
"token": "alYsm2SOnql-mru96cpwBzqnWrSD_tv3_p9F1ZRYZt0"
}
]
}
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[Step 5]==
- status: 400
- url: https://acme-v02.api.letsencrypt.org/acme/chall/2057392477/457429201935/N7FYkA
- nonce: 1QDIi77bKpaGjnXrQzyEsqhM5MON_ITteet6D2TDFEXT8oa_mH4
- validation:
- details: Unable to update challenge :: authorization must be pending
- answer: HTTP/2 400
server: nginx
date: Wed, 08 Jan 2025 08:30:36 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 2057392477
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 1QDIi77bKpaGjnXrQzyEsqhM5MON_ITteet6D2TDFEXT8oa_mH4
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
}
==[Debug information Step 5]==
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2057392477/457429201935/N7FYkA",
"status": "invalid",
"validated": "2025-01-08T08:29:23Z",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "144.76.227.134: Invalid response from http://mail.lsoseo.com/.well-known/acme-challenge/alYsm2SOnql-mru96cpwBzqnWrSD_tv3_p9F1ZRYZt0: 404",
"status": 403
},
"token": "alYsm2SOnql-mru96cpwBzqnWrSD_tv3_p9F1ZRYZt0",
"validationRecord": [
{
"url": "http://mail.lsoseo.com/.well-known/acme-challenge/alYsm2SOnql-mru96cpwBzqnWrSD_tv3_p9F1ZRYZt0",
"hostname": "mail.lsoseo.com",
"port": "80",
"addressesResolved": [
"144.76.227.134"
],
"addressUsed": "144.76.227.134"
}
]
}
==[Abort Step 5]==
=> Wrong status
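The log above hides the real cause: the "Step 5" 400 ("authorization must be pending") is only a consequence, while the "Debug information Step 5" block carries the 403 unauthorized with the 404 from the challenge URL and the address Let's Encrypt actually connected to. The following is an added parser for this log layout, not HestiaCP code, which pulls those fields out so the operator reads the cause first. The sample log is constructed for the example and uses placeholder names and addresses (example.test, 192.0.2.10) rather than values from the thread.

```python
"""Extract the root cause from a HestiaCP Let's Encrypt log (added example).

Assumes the layout shown in the thread: a key/value preamble, then
==[Step N]== sections containing the HTTP answer and a JSON body, and a
==[Debug information Step N]== section with the ACME challenge object.
"""
import json
import re

HEADER_RE = re.compile(r"^==\[(?P<name>[^\]]+)\]==$")

# Constructed sample in the same layout as /var/log/hestia/LE-<user>-<domain>.log.
SAMPLE_LOG = """\
=============================
Date Time: 2025-01-08 13:59:16
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: example-user
domain: mail.example.test
- aliases: webmail.example.test
- proto: http-01
- wildcard:
==[Step 5]==
- status: 400
- details: Unable to update challenge :: authorization must be pending
- answer: HTTP/2 400
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
}
==[Debug information Step 5]==
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/0/0/EXAMPLE",
"status": "invalid",
"validated": "2025-01-08T08:29:23Z",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "192.0.2.10: Invalid response from http://mail.example.test/.well-known/acme-challenge/EXAMPLETOKEN: 404",
"status": 403
},
"token": "EXAMPLETOKEN",
"validationRecord": [
{
"url": "http://mail.example.test/.well-known/acme-challenge/EXAMPLETOKEN",
"hostname": "mail.example.test",
"port": "80",
"addressesResolved": ["192.0.2.10"],
"addressUsed": "192.0.2.10"
}
]
}
==[Abort Step 5]==
=> Wrong status
"""


def split_sections(text):
    """Return (name, lines) pairs; text before the first ==[...]== is 'header'."""
    sections, name, lines = [], "header", []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            sections.append((name, lines))
            name, lines = m.group("name"), []
        else:
            lines.append(line)
    sections.append((name, lines))
    return sections


def parse_header(lines):
    """Turn 'key: value' and '- key: value' preamble lines into a dict."""
    info = {}
    for line in lines:
        key, sep, value = line.strip().lstrip("- ").partition(":")
        if sep:
            info[key.strip().lower()] = value.strip()
    return info


def extract_json(lines):
    """Parse the first JSON object in a section; the body follows the HTTP
    headers, so skip until the opening brace. Brace counting is enough here
    because these ACME bodies carry no braces inside string values."""
    buf, depth = [], 0
    for line in lines:
        if not buf and not line.lstrip().startswith("{"):
            continue
        buf.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            break
    return json.loads("\n".join(buf)) if buf else None


def diagnose(text):
    """Summarise the log: the order's identifiers and the real validation error."""
    sections = split_sections(text)
    header = parse_header(sections[0][1])
    result = {
        "domain": header.get("domain", ""),
        "aliases": [a for a in re.split(r"[,\s]+", header.get("aliases", "")) if a],
        "proto": header.get("proto", ""),
    }
    for name, lines in sections:
        if name.startswith("Debug information"):
            chal = extract_json(lines) or {}
            err = chal.get("error") or {}
            rec = (chal.get("validationRecord") or [{}])[0]
            result.update({
                "challenge_status": chal.get("status"),
                "acme_error": err.get("type") or "",
                "ca_status": err.get("status"),
                "detail": err.get("detail") or "",
                "probed_url": rec.get("url"),
                "address_used": rec.get("addressUsed"),
            })
    result["root_cause"] = classify(result)
    return result


def classify(result):
    """Map the CA's error onto the operator-facing cause."""
    if result.get("acme_error", "").endswith(":unauthorized") and result.get("detail", "").rstrip().endswith(": 404"):
        return "challenge file not served"
    if result.get("challenge_status") == "invalid":
        return "validation failed: " + result.get("detail", "")
    return "no failed challenge recorded"


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pointing the same function at a real log (`diagnose(open(path).read())`) yields the address the CA connected to and the URL it fetched, which is what to compare against the vhost that answers on port 80 for that name.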
Show the output of this command:
ls -la /home/*/conf/mail/lsoseo.co/
~ # ls -la /home/*/conf/mail/lsoseo.co/
total 56
drwxrwx--x 3 Debian-exim mail 4096 Jan 8 13:56 .
drwxr-xr-x 17 root root 4096 Jan 6 23:57 ..
-rw-rw---- 1 Debian-exim mail 157 Jan 8 13:43 accounts
-rw-rw---- 1 Debian-exim mail 0 Jan 8 13:43 aliases
-rw-rw---- 1 Debian-exim mail 0 Jan 8 13:43 antispam
-rw-rw---- 1 Debian-exim mail 0 Jan 8 13:43 antivirus
-rw-r----- 1 root MyUser 1365 Jan 8 13:55 apache2.conf
-rw-r----- 1 root MyUser 1500 Jan 8 13:56 apache2.ssl.conf
-rw-rw---- 1 Debian-exim mail 916 Jan 8 13:43 dkim.pem
-rw-rw---- 1 Debian-exim mail 0 Jan 8 13:43 fwd_only
-rw-rw---- 1 Debian-exim mail 15 Jan 8 13:43 ip
-rw-rw---- 1 Debian-exim mail 80 Jan 8 13:43 limits
-rw-r----- 1 root MyUser 1073 Jan 8 13:55 nginx.conf
-rw-rw---- 1 Debian-exim mail 159 Jan 8 13:55 nginx.conf_letsencrypt
-rw-r--r-- 1 root root 45 Jan 8 13:56 nginx.forcessl.conf
-rw-r----- 1 root MyUser 1384 Jan 8 13:56 nginx.ssl.conf
lrwxrwxrwx 1 Debian-exim mail 56 Jan 8 13:37 nginx.ssl.conf_letsencrypt -> /home/MyUser/conf/mail/lsoseo.co/nginx.conf_letsencrypt
-rw-rw---- 1 dovecot mail 437 Jan 8 13:43 passwd
drwxr-x--- 2 root mail 4096 Jan 8 13:56 ssl
Execute these commands to issue the certificate for the mail domain and show the output (replace YourUser by the actual user):
sudo -i
v-add-letsencrypt-domain YourUser lsoseo.co '' yes
v-add-letsencrypt-domain MyUser lsoseo.co '' yes
grep: /usr/local/hestia/data/users//cron.conf: No such file or directory
I see the certificate has been issued.
❯ ssl_check mail.lsoseo.co
2025-01-08 09:54 - Checking mail.lsoseo.co on port 443
issuer=C = US, O = Let's Encrypt, CN = R10
subject=CN = mail.lsoseo.co
notBefore=Jan 8 07:47:46 2025 GMT
notAfter=Apr 8 07:47:45 2025 GMT
SANs: mail.lsoseo.co,webmail.lsoseo.co
Ok, so this is strange.
I restarted my server again and I was able to issue the certificate using the dashboard.
So I was able to issue 3 certs to 3 domains and have started having the same issue with another domain.
Once I restart the server, certificates seem to work fine and then it stops working once I add the certificates to 2 or 3 domains.
Restarting nginx seems to fix the issues.
systemctl restart nginx, but I start having issues again after I issue certificates to some domains.
Error: Let’s Encrypt validation status 400
Hello, I encountered the same difficulty; from your correspondence I didn’t really understand where to look. This is what I have:
=============================
Date Time: 2025-01-13 23:09:25
WEB_SYSTEM: nginx
PROXY_SYSTEM:
user: user
domain: quantumtransition.angellive.ru
- aliases:
- proto: http-01
- wildcard:
==[Step 1]==
- status: 200
- nonce: o6qEBv53Lh13TkSNTmJzX6Yu_b-iovGi4yxU-aj_Rx2xwyP_1ZA
- answer: HTTP/2 200
server: nginx
date: Mon, 13 Jan 2025 20:09:25 GMT
content-type: application/json
content-length: 828
cache-control: public, max-age=0, no-cache
replay-nonce: o6qEBv53Lh13TkSNTmJzX6Yu_b-iovGi4yxU-aj_Rx2xwyP_1ZA
x-frame-options: DENY
strict-transport-security: max-age=604800
==[API call]==
exit status: 0
==[Step 2]==
- status: 201
- nonce: 2NJzUBzX7F33n5e2_docq2p25wJ0KCa_8A8GVZ11x0ovgEvCkbc
- authz: https://acme-v02.api.letsencrypt.org/acme/authz/1311609566/460202778075
- finalize: https://acme-v02.api.letsencrypt.org/acme/finalize/1311609566/344039254935
- payload: {"identifiers":[{"type":"dns","value":"quantumtransition.angellive.ru"}]}
- answer: HTTP/2 201
server: nginx
date: Mon, 13 Jan 2025 20:09:26 GMT
content-type: application/json
content-length: 364
boulder-requester: 1311609566
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/1311609566/344039254935
replay-nonce: 2NJzUBzX7F33n5e2_docq2p25wJ0KCa_8A8GVZ11x0ovgEvCkbc
x-frame-options: DENY
strict-transport-security: max-age=604800
{
"status": "pending",
"expires": "2025-01-20T20:09:26Z",
"identifiers": [
{
"type": "dns",
"value": "quantumtransition.angellive.ru"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz/1311609566/460202778075"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1311609566/344039254935"
}
order: https://acme-v02.api.letsencrypt.org/acme/order/1311609566/344039254935
==[API call]==
exit status: 0
==[Step 3]==
- status: 200
- nonce: 5VsalEMJ5jkPjR1dc_vUiLZqZq1oDOeRQRuaW8NuPB_k9J_NyrQ
- url: https://acme-v02.api.letsencrypt.org/acme/chall/1311609566/460202778075/8Xpt6g
- token: S43gmn84KTMgimsUwZtTCGheLoBYIRcGnPBS7TvV3UU
- answer: HTTP/2 200
server: nginx
date: Mon, 13 Jan 2025 20:09:27 GMT
content-type: application/json
content-length: 838
boulder-requester: 1311609566
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 5VsalEMJ5jkPjR1dc_vUiLZqZq1oDOeRQRuaW8NuPB_k9J_NyrQ
x-frame-options: DENY
strict-transport-security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "quantumtransition.angellive.ru"
},
"status": "pending",
"expires": "2025-01-20T20:09:26Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/1311609566/460202778075/8Xpt6g",
"status": "pending",
"token": "S43gmn84KTMgimsUwZtTCGheLoBYIRcGnPBS7TvV3UU"
},
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/1311609566/460202778075/rGJVtQ",
"status": "pending",
"token": "S43gmn84KTMgimsUwZtTCGheLoBYIRcGnPBS7TvV3UU"
},
{
"type": "tls-alpn-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/1311609566/460202778075/FhiPCw",
"status": "pending",
"token": "S43gmn84KTMgimsUwZtTCGheLoBYIRcGnPBS7TvV3UU"
}
]
}
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 23
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[API call]==
exit status: 0
==[Step 5]==
- status: 400
- url: https://acme-v02.api.letsencrypt.org/acme/chall/1311609566/460202778075/8Xpt6g
- nonce: o6qEBv53_wTLKAHf57ILHZSFKpiid4S2dpUQB87rjTXxUtQpIQ4
- validation:
- details: Unable to update challenge :: authorization must be pending
- answer: HTTP/2 400
server: nginx
date: Mon, 13 Jan 2025 20:10:51 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 1311609566
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: o6qEBv53_wTLKAHf57ILHZSFKpiid4S2dpUQB87rjTXxUtQpIQ4
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
}
==[Debug information Step 5]==
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/1311609566/460202778075/8Xpt6g",
"status": "invalid",
"validated": "2025-01-13T20:09:33Z",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "45.146.165.144: Invalid response from http://quantumtransition.angellive.ru/.well-known/acme-challenge/S43gmn84KTMgimsUwZtTCGheLoBYIRcGnPBS7TvV3UU: 404",
"status": 403
},
"token": "S43gmn84KTMgimsUwZtTCGheLoBYIRcGnPBS7TvV3UU",
"validationRecord": [
{
"url": "http://quantumtransition.angellive.ru/.well-known/acme-challenge/S43gmn84KTMgimsUwZtTCGheLoBYIRcGnPBS7TvV3UU",
"hostname": "quantumtransition.angellive.ru",
"port": "80",
"addressesResolved": [
"45.146.165.144"
],
"addressUsed": "45.146.165.144"
}
]
}
==[Abort Step 5]==
=> Wrong status
Where else can I look? It’s strange how I issued the certificate; it hasn’t been updated for a long time, but is it issued normally on another site?
/var/log/hestia/error.log
2025-01-13 05:04:30 v-add-letsencrypt-domain 'user' 'quantumtransition.angellive.ru' '' [Error 15]
2025-01-13 05:04:30 v-update-letsencrypt-ssl quantumtransition.angellive.ru Error: Let's Encrypt validation status 400 (quantumtransition.angellive.ru). Details: 403:"45.146.165.144: Invalid response from http://quantumtransition.angellive.ru/.well-known/acme-challenge/gT-x1QT8Vu6uSSjHUHkCNR6-LzdWittGxuhveYYF1J8: 404" [Error 2]
2025-01-13 22:52:41 v-add-letsencrypt-domain 'user' 'quantumtransition.angellive.ru' [Error 15]
2025-01-13 23:06:49 v-add-letsencrypt-domain 'user' 'quantumtransition.angellive.ru' [Error 15]
2025-01-13 23:10:52 v-add-letsencrypt-domain 'user' 'quantumtransition.angellive.ru' [Error 15]
I tried to add the alias www.quantumtransition.angellive.ru; it didn’t help.
Error: Let's Encrypt validation status 400 (quantumtransition.angellive.ru). Details: 403:"45.146.165.144: Invalid response from http://quantumtransition.angellive.ru/.well-known/acme-challenge/lYecFOOlVD-iSu5rNPAISDyv8Ju3IfrHlp_RlxL2xek: 404"
And after the error, as always, the checkbox fell off. I checked all the configs; they are indistinguishable from the site on which everything is issued.
Installed v1.8.12, and the certificate was issued. As I see it, on Ubuntu 22.04 and version 1.82 there are no errors; I checked it on 2 domains. The only thing I keep running into is:
2025/01/13 22:49:24 [error] 881#0: *1 FastCGI sent in stderr: "PHP message: PHP Warning: Undefined array key "v_rule" in /usr/local/hestia/web/edit/firewall/index.php on line 123" while reading response header from upstream, client: 213.108.6.232, server: _, request: "POST /edit/firewall/?rule=4&token=098f0603183fb415084f16282f657d28 HTTP/2.0", upstream: "fastcgi://unix:/run/hestia-php.sock:", host: "hestia.angellive.ru:2083", referrer: "https://hestia.angellive.ru:2083/edit/firewall/?rule=4&token=098f0603183fb415084f16282f657d28"
2025/01/14 02:20:46 [error] 930#0: *5 FastCGI sent in stderr: "PHP message: PHP Warning: Undefined array key "user" in /usr/local/hestia/web/templates/pages/list_access_keys.php on line 5" while reading upstream, client: 213.108.6.232, server: _, request: "GET /list/access-key/ HTTP/2.0", upstream: "fastcgi://unix:/run/hestia-php.sock:", host: "hestia.angellive.ru:2083", referrer: "https://hestia.angellive.ru:2083/edit/user/?user=Wm8kzUA53c8yteD&token=098f0603183fb415084f16282f657d28"
2025/01/14 02:22:20 [error] 930#0: *24 FastCGI sent in stderr: "PHP message: PHP Warning: Undefined array key "user" in /usr/local/hestia/web/templates/pages/list_access_keys.php on line 5" while reading upstream, client: 213.108.6.232, server: _, request: "GET /list/access-key/ HTTP/2.0", upstream: "fastcgi://unix:/run/hestia-php.sock:", host: "hestia.angellive.ru:2083", referrer: "https://hestia.angellive.ru:2083/add/access-key/"