When I first installed the panel, the certificate was issued correctly, but now when I try to create a certificate I get an error:
Error: Let's Encrypt validation status 400 (domain). Details: 403:"IP: Invalid response from http://domain/.well-known/acme-challenge/UM_HlDbYaz-VXF0QU7rioTbuQtLSBTn1gj1X0lv4kRs: 404"
As if it doesn't have enough rights to create these folders and files?
And for some reason the redirect settings stopped working…
sahsanu
January 13, 2024, 10:12am
2
Hestia creates neither the dir nor the file; what it does is create an additional nginx conf for your domain returning the token.
The conf file should be here:
/home/YourUser/conf/web/YourDomain/nginx.conf_letsencrypt
And you should also have a symlink for nginx.ssl.conf_letsencrypt that points to the previous conf file.
With a content like this:
location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
default_type text/plain;
return 200 "$1.EXAMPLE_wPWYp-qlxMDXAo77xFqhsAabjFHgYtyg3dk";
}
Are you sure your domain is pointing to your server?
alferus
January 13, 2024, 10:13am
3
LE log for this domain
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "IP: Invalid response from http://domain/.well-known/acme-challenge/7u4u4tTuYm7YdjgSk-oDTUbkrFQtYnaH_HbNxs7L7ag: 404",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/303714199546/9KGgfw",
"token": "7u4u4tTuYm7YdjgSk-oDTUbkrFQtYnaH_HbNxs7L7ag",
"validationRecord": [
{
"url": "http://domain/.well-known/acme-challenge/7u4u4tTuYm7YdjgSk-oDTUbkrFQtYnaH_HbNxs7L7ag",
"hostname": "domain",
"port": "80",
"addressesResolved": [
"IP"
],
"addressUsed": "IP"
}
],
"validated": "2024-01-13T09:24:36Z"
}
and nginx -t:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Blats
January 13, 2024, 10:14am
4
Do you have "Enable automatic HTTPS redirection" enabled?
alferus
January 13, 2024, 10:16am
5
In nginx.conf_letsencrypt and nginx.ssl.conf_letsencrypt I see:
location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
default_type text/plain;
return 200 "$1.9Vz_zdIKqk1BRE-C3qZU7TxZtLMUKQy2lCyWnwoLnn4";
}
The domain points to my server correctly.
alferus
January 13, 2024, 10:19am
6
No, I'm just trying to create a certificate, and it worked before.
sahsanu
January 13, 2024, 10:20am
7
From another computer try to reach the file:
curl -kL http://YourDomain/.well-known/acme-challenge/test
You should see the response:
test.9Vz_zdIKqk1BRE-C3qZU7TxZtLMUKQy2lCyWnwoLnn4
If you share the domain name we could test it.
alferus
January 13, 2024, 10:22am
8
For example, the domain test2.uat.sibcode.team
sahsanu
January 13, 2024, 10:27am
9
alferus:
test2.uat.sibcode.team
Show the contents of:
cat /home/YourUser/conf/web/test2.uat.sibcode.team/nginx.conf
cat /home/YourUser/conf/web/test2.uat.sibcode.team/nginx.conf_letsencrypt
alferus
January 13, 2024, 10:29am
10
root@uat:/# cat /home/test/conf/web/test2.uat.sibcode.team/nginx.conf
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
server {
listen 92.63.104.162:80;
server_name test2.uat.sibcode.team www.test2.uat.sibcode.team;
error_log /var/log/apache2/domains/test2.uat.sibcode.team.error.log error;
include /home/test/conf/web/test2.uat.sibcode.team/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/|file) {
deny all;
return 404;
}
location / {
proxy_pass http://92.63.104.162:8080;
location ~* ^.+\.(css|htm|html|js|json|xml|apng|avif|bmp|cur|gif|ico|jfif|jpg|jpeg|pjp|pjpeg|png|svg|tif|tiff|webp|aac|caf|flac|m4a|midi|mp3|ogg|opus|wav|3gp|av1|avi|m4v|mkv|mov|mpg|mpeg|mp4|mp4v|webm|otf|ttf|woff|woff2|doc|docx|odf|odp|ods|odt|pdf|ppt|pptx|rtf|txt|xls|xlsx|7z|bz2|gz|rar|tar|tgz|zip|apk|appx|bin|dmg|exe|img|iso|jar|msi|webmanifest)$ {
try_files $uri @fallback;
root /home/test/web/test2.uat.sibcode.team/public_html;
access_log /var/log/apache2/domains/test2.uat.sibcode.team.log combined;
access_log /var/log/apache2/domains/test2.uat.sibcode.team.bytes bytes;
expires max;
}
}
location @fallback {
proxy_pass http://92.63.104.162:8080;
}
location /error/ {
alias /home/test/web/test2.uat.sibcode.team/document_errors/;
}
include /home/test/conf/web/test2.uat.sibcode.team/nginx.conf_*;
}
root@uat:/# cat /home/test/conf/web/test2.uat.sibcode.team/nginx.conf_letsencrypt
location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
default_type text/plain;
return 200 "$1.9Vz_zdIKqk1BRE-C3qZU7TxZtLMUKQy2lCyWnwoLnn4";
}
sahsanu
January 13, 2024, 10:36am
11
The conf file looks good, but your domain is using 2 DNS servers that don't resolve:
> dig test2.uat.sibcode.team ns +short
ns2.sibcode.team.
ns1.sibcode.team.
> dig @ns1.sibcode.team test2.uat.sibcode.team
dig: couldn't get address for 'ns1.sibcode.team': not found
> dig @ns2.sibcode.team test2.uat.sibcode.team
dig: couldn't get address for 'ns2.sibcode.team': not found
> dig ns1.sibcode.team +short
> dig ns2.sibcode.team +short
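The checks from posts 2, 7 and 11 (the nginx snippet that answers the ACME path with "token.thumbprint", the curl probe, and the dig checks on the delegated name servers) collected into one POSIX shell script. This is an added example, not Hestia's code nor any participant's; the script name acme-check.sh, the default probe token "test", the check_* function names and the embedded sample snippet (constructed from the thumbprint quoted in the thread) are assumptions. Only the pure functions are exercised by the self-check; the DNS and HTTP checks need dig and curl and a real domain.

```shell
#!/bin/sh
# acme-check.sh (added example): diagnose an http-01 failure on a HestiaCP host.
# Hestia serves /.well-known/acme-challenge/<token> from a per-domain nginx snippet
# that returns "<token>.<account-key-thumbprint>" for ANY token (stateless http-01),
# so no file needs to exist on disk and the only things that must be right are
# (1) the domain resolves to this server and (2) nginx has loaded that snippet.

# Print the thumbprint embedded in an nginx.conf_letsencrypt snippet read on stdin.
extract_thumbprint() {
    sed -n 's/.*return 200 "\$1\.\([-_A-Za-z0-9]*\)".*/\1/p' | head -n 1
}

# Key authorization the ACME server expects for a given token.
expected_keyauth() {
    printf '%s.%s' "$1" "$2"
}

# Compare the body served for a token against the expected key authorization.
# Trailing CR/LF is stripped because curl output usually ends with a newline.
check_body() {
    token=$1; thumbprint=$2; body=$3
    body=$(printf '%s' "$body" | tr -d '\r\n')
    [ "$body" = "$(expected_keyauth "$token" "$thumbprint")" ]
}

# Post 11's dig checks in a loop: every delegated NS must itself have an address.
# Needs dig; returns 1 if the zone has no NS records or any NS does not resolve.
check_ns() {
    domain=$1; rc=0
    nslist=$(dig +short "$domain" NS)
    if [ -z "$nslist" ]; then
        echo "no NS records for $domain; query its parent zone instead" >&2; return 1
    fi
    for ns in $nslist; do
        if [ -z "$(dig +short "$ns" A; dig +short "$ns" AAAA)" ]; then
            echo "NS $ns has no address record" >&2; rc=1
        else
            echo "NS $ns OK"
        fi
    done
    return $rc
}

# Post 7's curl probe: fetch a harmless token over plain HTTP (-k because a force-SSL
# redirect may land on a not-yet-valid certificate) and verify the body format.
check_challenge() {
    domain=$1; thumbprint=$2; token=${3:-test}
    body=$(curl -sSkL "http://$domain/.well-known/acme-challenge/$token") || return 1
    if check_body "$token" "$thumbprint" "$body"; then
        echo "http-01 response for $domain OK"
    else
        echo "unexpected body for $domain: $body" >&2; return 1
    fi
}

# Constructed sample snippet (thumbprint copied from the thread) for an offline self-check.
SAMPLE_CONF='location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
default_type text/plain;
return 200 "$1.9Vz_zdIKqk1BRE-C3qZU7TxZtLMUKQy2lCyWnwoLnn4";
}'

# Offline self-check of the pure functions; returns 0 when all pass.
selfcheck() {
    t=$(printf '%s\n' "$SAMPLE_CONF" | extract_thumbprint)
    [ "$t" = "9Vz_zdIKqk1BRE-C3qZU7TxZtLMUKQy2lCyWnwoLnn4" ] || return 1
    check_body test "$t" "test.$t
" || return 1
    # a 404 page (the symptom in this thread) must be rejected
    check_body test "$t" "<html>404 Not Found</html>" && return 1
    return 0
}

# Usage: sh acme-check.sh <domain> /home/<user>/conf/web/<domain>/nginx.conf_letsencrypt
if [ "$#" -eq 2 ]; then
    thumb=$(extract_thumbprint < "$2")
    [ -n "$thumb" ] || { echo "no thumbprint found in $2" >&2; exit 1; }
    check_ns "$1" && check_challenge "$1" "$thumb"
fi
```

If check_ns fails, no amount of nginx tuning helps: Let's Encrypt cannot even resolve the name. If check_ns passes but check_challenge returns a 404 page, nginx is not serving the snippet, which is the situation later in this thread.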
alferus
January 13, 2024, 11:02am
13
It looks like somehow the NS servers were reset in the HestiaCP settings; I have now entered ns1.uat.sibcode.team and ns2.uat.sibcode.team instead. I will wait and check later.
Please clarify: for the main admin user, should the host domain created during installation of the panel have DNS settings? For some reason they were not created, so I created them manually and specified the BIND9 child-ns template, as I did recently in VestaCP.
alferus
January 13, 2024, 11:26am
15
I fixed the server's NS, rebooted the server, and the certificate was successfully issued. But when opening the domain https://test2.uat.sibcode.team it gives an error as if the certificate is not valid.
alferus
January 13, 2024, 11:33am
16
I just created a new test domain, test4.uat.sibcode.team, and the certificate is not created; the error is the same.
sahsanu
January 13, 2024, 1:16pm
17
So weird, please, show this output:
ls -la /etc/nginx/conf.d/domains/
alferus
January 13, 2024, 1:34pm
18
Result for these domains:
root@uat:/# ls -la /etc/nginx/conf.d/domains/
total 348
drwxr-xr-x 2 root root 24576 Jan 13 14:54 .
drwxr-xr-x 4 root root 4096 Jan 5 10:30 ..
...
lrwxrwxrwx 1 root root 51 Jan 13 12:20 test.uat.sibcode.team.conf -> /home/uat/conf/web/test.uat.sibcode.team/nginx.conf
lrwxrwxrwx 1 root root 53 Jan 13 12:57 test2.uat.sibcode.team.conf -> /home/test/conf/web/test2.uat.sibcode.team/nginx.conf
lrwxrwxrwx 1 root root 57 Jan 13 14:19 test2.uat.sibcode.team.ssl.conf -> /home/test/conf/web/test2.uat.sibcode.team/nginx.ssl.conf
lrwxrwxrwx 1 root root 53 Jan 13 14:04 test3.uat.sibcode.team.conf -> /home/test/conf/web/test3.uat.sibcode.team/nginx.conf
lrwxrwxrwx 1 root root 57 Jan 13 14:54 test3.uat.sibcode.team.ssl.conf -> /home/test/conf/web/test3.uat.sibcode.team/nginx.ssl.conf
lrwxrwxrwx 1 root root 53 Jan 13 14:27 test4.uat.sibcode.team.conf -> /home/test/conf/web/test4.uat.sibcode.team/nginx.conf
lrwxrwxrwx 1 root root 53 Jan 13 14:47 test5.uat.sibcode.team.conf -> /home/test/conf/web/test5.uat.sibcode.team/nginx.conf
...
Maybe we need to wait some more time?
sahsanu
January 13, 2024, 1:59pm
19
I don’t think that waiting will fix it. It’s like nginx is not getting the right conf for your domains.
If you restart nginx, does it work?
systemctl restart nginx
Show the output of this:
grep -i include /etc/nginx/nginx.conf
alferus
January 13, 2024, 2:20pm
20
After running systemctl restart nginx,
the certificate started working correctly for test2. It looks like the nginx settings are now updated only after a manual restart.
root@uat:/# grep -i include /etc/nginx/nginx.conf
include /etc/nginx/conf.d/main/*.conf;
include /etc/nginx/modules-enabled/*.conf;
include /etc/nginx/mime.types;
include /etc/nginx/conf.d/cloudflare.inc;
# Wildcard include
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/conf.d/domains/*.conf;