Error: Let's Encrypt nonce request status in hestia 1.2.3

dao · September 8, 2020, 5:16am

I get an “Error: Let’s Encrypt nonce request status” in hestia 1.2.3 / ubuntu 20.04 with checkbox Lets Encrypt support. I saw old threads about this problem but those solutions don’t help.
2020-09-08 08:28:10 v-add-letsencrypt-domain … [Error 15]
Webserver nginx (default) + apache (default) + php-fpm (php 7_4). apt update && apt upgrade done. Сan anyone help?

parzival · September 8, 2020, 7:40am

Do you have nginx and apache run at the same time? That could pose a problem for cert-bot. If you have apache on 80 and nginx on 8080 for example, try to turn off nginx and then update your certificate.
Also, since Im new to Hestia and not sure how certbot works in this panel, if above fails you could turn off both webservers (if not mistaken cert-bot has its own webserver for cert update). Just make sure port 80 is open to the internet.

eris · September 8, 2020, 7:42am

We don’t use cert bot…

Check https://github.com/hestiacp/hestiacp/blob/main/bin/v-add-letsencrypt-domain for the source code

eris · September 8, 2020, 7:44am

@doa

Are you using Hestia DNS? If so can you check if it is working propperly

github.com

hestiacp/hestiacp/blob/0682fce04111b8e6ad2b53fae4f0cdb805348942/bin/v-add-letsencrypt-domain#L160-L174


# Requesting nonce / STEP 1
answer=$(curl -s -I "$LE_API/directory")
nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
if [[ "$status" -ne 200 ]]; then
    # Delete DNS CAA record
    if [ ! -z "$DNS_SYSTEM" ]; then
        if [ "$dns_domain" = "$domain" ]; then
            if [ ! -z "$caa_record" ]; then
                $BIN/v-delete-dns-record $user $domain $caa_record
            fi
        fi
    fi
    check_result $E_CONNECT "Let's Encrypt nonce request status $status"
fi

dao · September 8, 2020, 9:04am

yes i use Hestia DNS. I didn’t really understand how to check it. Websites work. Let’s Encrypt error.
I manually received the certificate and entered it into the panel and everything works. But I would like an automatic renewal…

parzival · September 8, 2020, 9:08am

How do you mean manually? Can you be more specific?

dao · September 8, 2020, 9:12am

https://freessl.space received and copied to the panel.

eris · September 8, 2020, 9:16am

systemctl status bind9

Is always a good start

parzival · September 8, 2020, 9:25am

Ok, this does not seem like a good way to get a cert.
And the info about the error is quite obscure. … [Error 15]
There are few resons why renewal could fail: webserver, wirewall or dns. Fast DNS check could be obtained on intodns.com.

dao · September 8, 2020, 9:25am

● named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2020-09-08 07:50:01 MSK; 4h 29min ago
Docs: man:named(8)
Process: 21414 ExecReload=/usr/sbin/rndc reload (code=exited, status=0/SUCCESS)
Main PID: 1449 (named)
Tasks: 98 (limit: 154406)
Memory: 747.2M
CGroup: /system.slice/named.service
└─1449 /usr/sbin/named -f -u bind

Sep 08 12:18:24 … named[1449]: client @0x7fc030332640 zone transfer …/AXFR/IN’ denied

parzival · September 8, 2020, 9:39am

firewall??