floown
1
Hello,
I have this mail this morning:
Title: Cron <admin@machine> sudo /usr/local/hestia/bin/v-update-letsencrypt-ssl
Body: Error: Let's Encrypt finalize bad status 403 (mail.mydomain.com)
So I tried manually:
# sudo /usr/local/hestia/bin/v-update-letsencrypt-ssl
Error: Let's Encrypt acme/authz bad status (mail.mydomain.com)
Then I inspected this file:
cat /var/log/hestia/LE-admin-mail.mydomain.com.log
I cannot analyse more to find the issue.
What can I do, please?
//EDIT: Let’s Debug: found no issue.
Hi @floown,
It would be easy to find problems if you share your domain.
What do you get when issuing these commands (replace example.net by your actual domain)?
curl -ikL http://mail.example.net/.well-known/acme-challenge/test
curl -ikL http://webmail.example.net/.well-known/acme-challenge/test
Ideally you should test them from an external computer instead of your server; if you can’t, just try to browse these URLs:
Remember to replace example.net by the actual domain.
http://mail.example.net/.well-known/acme-challenge/test
http://webmail.example.net/.well-known/acme-challenge/test
1 Like
floown
3
Hi!
Sorry, I share the domain.
$ curl -ikL http://mail.hebergement.club/.well-known/acme-challenge/test
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 14 Aug 2024 19:05:12 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://webmail.hebergement.club/.well-known/acme-challenge/test
HTTP/2 200
server: nginx
date: Wed, 14 Aug 2024 19:05:13 GMT
content-type: text/plain; charset=utf-8
content-length: 48
test.BbeioFx8SyDfQWaWhGVNKkXeyWgQVsO8w97Wxxet4wU
$ curl -ikL http://webmail.hebergement.club/.well-known/acme-challenge/test
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 14 Aug 2024 19:06:06 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://webmail.hebergement.club/.well-known/acme-challenge/test
HTTP/2 200
server: nginx
date: Wed, 14 Aug 2024 19:06:06 GMT
content-type: text/plain; charset=utf-8
content-length: 48
test.BbeioFx8SyDfQWaWhGVNKkXeyWgQVsO8w97Wxxet4wU
Regards.
Ok, that looks fine.
Could you please show the output of these commands?
nslookup webmail.hebergement.club
nslookup mail.hebergement.club
If the output shows your IP, all is OK and the problem is in another place, so to debug it, execute this command (replace YourUser by the actual user):
bash -x /usr/local/hestia/bin/v-add-letsencrypt-domain YourUser hebergement.club '' yes 2>&1 | tee /tmp/debug_le_hebergement
When it finishes or if it gets stuck, press Ctrl-c and share the file.
cat /tmp/debug_le_hebergement | nc p.27a.net 9999
Note: If you don’t have nc installed:
apt install netcat-openbsd
floown
5
$ nslookup webmail.hebergement.club
Server: 10.255.255.254
Address: 10.255.255.254#53
Non-authoritative answer:
Name: webmail.hebergement.club
Address: 163.172.106.81
$ nslookup mail.hebergement.club
Server: 10.255.255.254
Address: 10.255.255.254#53
Non-authoritative answer:
Name: mail.hebergement.club
Address: 163.172.106.81
I will add the results of the last commands tomorrow.
Have a nice night.
1 Like
floown
6
Hello,
I have re-entered this command, and it now gives no issue.
Great! I see the certificate has been updated. Without more info I can’t say what happened but fortunately it was a temporary problem.
1 Like
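Added example, not part of the thread and not Hestia code: a small Python checker for the `curl -ikL` output requested above. It walks the redirect chain and reports what would make an HTTP-01 validation fail. Assumptions: the sample is constructed with example.net, the challenge-path check is a heuristic, and the redirect limits (http/https only, ports 80 or 443, at most 10 redirects) are those Let's Encrypt documents for HTTP-01.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: header blocks in the shape `curl -ikL` prints for the
# redirect seen in the thread (example.net stands in for the real domain).
SAMPLE = """\
HTTP/1.1 301 Moved Permanently
Location: https://webmail.example.net/.well-known/acme-challenge/test
HTTP/2 200
content-type: text/plain; charset=utf-8

test.CONSTRUCTED-KEY-AUTHORIZATION
"""

STATUS = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})")
PREFIX = "/.well-known/acme-challenge/"

def parse_hops(text):
    """Return [(status, location_or_None), ...], one entry per response."""
    hops = []
    for line in text.splitlines():
        m = STATUS.match(line)
        if m:
            hops.append([int(m.group(1)), None])
        elif hops and line.lower().startswith("location:"):
            hops[-1][1] = line.split(":", 1)[1].strip()
    return [tuple(h) for h in hops]

def check_chain(text):
    """List problems that would make an HTTP-01 validation fail."""
    hops = parse_hops(text)
    if not hops:
        return ["no HTTP response found"]
    problems = []
    if len(hops) - 1 > 10:
        problems.append("more than 10 redirects")
    for status, loc in hops[:-1]:
        if not (300 <= status < 400 and loc):
            problems.append(f"hop with status {status} is not a redirect")
            continue
        u = urlsplit(loc)
        # A relative Location has no scheme; treat it as staying on http.
        if (u.scheme or "http") not in ("http", "https") or u.port not in (None, 80, 443):
            problems.append(f"redirect target not http(s) on port 80/443: {loc}")
        if not u.path.startswith(PREFIX):
            problems.append(f"redirect leaves the challenge path: {loc}")
    if hops[-1][0] != 200:
        problems.append(f"final status is {hops[-1][0]}, expected 200")
    return problems
```

An empty list from `check_chain` means the chain looks valid from where curl ran; it says nothing about what the CA sees from outside, so run the capture from an external host as suggested in the thread.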