Error: Let's Encrypt validation status 400. Details: 403

When I first installed the panel, the certificate was issued correctly, but now when I try to create a certificate I get an error

Error: Let's Encrypt validation status 400 (domain). Details: 403:"IP: Invalid response from http://domain/.well-known/acme-challenge/UM_HlDbYaz-VXF0QU7rioTbuQtLSBTn1gj1X0lv4kRs: 404"

As if it doesn’t have enough rights to create these folders and files?

And for some reason the redirect settings stopped working…

Hestia creates neither the dir nor the file; what it does is create an additional nginx conf for your domain that returns the token.

The conf file should be here:

/home/YourUser/conf/web/YourDomain/nginx.conf_letsencrypt

And you should also have a symlink for nginx.ssl.conf_letsencrypt that points to the previous conf file.

With a content like this:

location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.EXAMPLE_wPWYp-qlxMDXAo77xFqhsAabjFHgYtyg3dk";
}

Are you sure your domain is pointing to your server?

1 Like

LE log for this domain

{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "IP: Invalid response from http://domain/.well-known/acme-challenge/7u4u4tTuYm7YdjgSk-oDTUbkrFQtYnaH_HbNxs7L7ag: 404",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/303714199546/9KGgfw",
  "token": "7u4u4tTuYm7YdjgSk-oDTUbkrFQtYnaH_HbNxs7L7ag",
  "validationRecord": [
    {
      "url": "http://domain/.well-known/acme-challenge/7u4u4tTuYm7YdjgSk-oDTUbkrFQtYnaH_HbNxs7L7ag",
      "hostname": "domain",
      "port": "80",
      "addressesResolved": [
        "IP"
      ],
      "addressUsed": "IP"
    }
  ],
  "validated": "2024-01-13T09:24:36Z"
}

and nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Have you enabled the “Enable automatic HTTPS redirection” option?

1 Like

In nginx.conf_letsencrypt and nginx.ssl.conf_letsencrypt I see

location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.9Vz_zdIKqk1BRE-C3qZU7TxZtLMUKQy2lCyWnwoLnn4";
}

domain points to my server correctly

No, I’m just trying to create a certificate, and it worked before.

From another computer try to reach the file:

curl -kL http://YourDomain/.well-known/acme-challenge/test

You should see the response:

test.9Vz_zdIKqk1BRE-C3qZU7TxZtLMUKQy2lCyWnwoLnn4

If you share the domain name we could test it.
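The curl test above can be scripted so the result is judged the same way the CA’s validator does. This is an added example, not Hestia’s code or anything from the thread: it reads the generated nginx.conf_letsencrypt to get the thumbprint suffix, fetches a throwaway token over plain HTTP, and reports a 404 (the include is not active in nginx) separately from a wrong body. The `probe()` function and the embedded sample conf are assumptions for illustration.

```python
import re
import secrets
import urllib.error
import urllib.request

# Constructed sample: the nginx.conf_letsencrypt body shown earlier in the thread.
SAMPLE_CONF = '''location ~ "^/\\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.9Vz_zdIKqk1BRE-C3qZU7TxZtLMUKQy2lCyWnwoLnn4";
}'''

RETURN_RE = re.compile(r'return\s+200\s+"\$1\.([-_A-Za-z0-9]+)"')

def thumbprint_from_conf(conf_text):
    """Pull the account-key thumbprint suffix out of the generated location block."""
    m = RETURN_RE.search(conf_text)
    if not m:
        raise ValueError("no acme-challenge return directive in conf")
    return m.group(1)

def check_response(token, thumbprint, status, body):
    """Judge a reply the way the CA's validator would; returns (ok, reason)."""
    if status == 404:
        return False, "404: the _letsencrypt include is not active in nginx (reload it)"
    if status != 200:
        return False, f"unexpected HTTP status {status}"
    if body.strip() != f"{token}.{thumbprint}":
        return False, "200 but body is not <token>.<thumbprint>"
    return True, "ok"

def probe(domain, conf_path, timeout=10):
    """Fetch a throwaway token over plain HTTP, like `curl -kL .../test` (hypothetical helper)."""
    with open(conf_path, encoding="utf-8") as f:
        thumb = thumbprint_from_conf(f.read())
    token = secrets.token_urlsafe(32)  # same alphabet the location regex accepts
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            status, body = r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        status, body = e.code, ""
    except urllib.error.URLError as e:  # DNS failure, refused, bad TLS after a redirect
        return False, f"connection failed: {e.reason}"
    return check_response(token, thumb, status, body)

if __name__ == "__main__":
    import sys
    ok, why = probe(sys.argv[1], sys.argv[2])
    print(why)
    sys.exit(0 if ok else 1)
```

Run it from a machine outside the server as `python3 preflight.py YourDomain /home/YourUser/conf/web/YourDomain/nginx.conf_letsencrypt`; a 404 result points at nginx not having loaded the include rather than at file permissions.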

For example, domain test2.uat.sibcode.team

Show the contents of:

cat /home/YourUser/conf/web/test2.uat.sibcode.team/nginx.conf
cat /home/YourUser/conf/web/test2.uat.sibcode.team/nginx.conf_letsencrypt

root@uat:/# cat /home/test/conf/web/test2.uat.sibcode.team/nginx.conf
#=========================================================================#
# Default Web Domain Template                                             #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS   #
# https://hestiacp.com/docs/server-administration/web-templates.html      #
#=========================================================================#

server {
        listen      92.63.104.162:80;
        server_name test2.uat.sibcode.team www.test2.uat.sibcode.team;
        error_log   /var/log/apache2/domains/test2.uat.sibcode.team.error.log error;

        include /home/test/conf/web/test2.uat.sibcode.team/nginx.forcessl.conf*;

        location ~ /\.(?!well-known\/|file) {
                deny all;
                return 404;
        }

        location / {
                proxy_pass http://92.63.104.162:8080;

                location ~* ^.+\.(css|htm|html|js|json|xml|apng|avif|bmp|cur|gif|ico|jfif|jpg|jpeg|pjp|pjpeg|png|svg|tif|tiff|webp|aac|caf|flac|m4a|midi|mp3|ogg|opus|wav|3gp|av1|avi|m4v|mkv|mov|mpg|mpeg|mp4|mp4v|webm|otf|ttf|woff|woff2|doc|docx|odf|odp|ods|odt|pdf|ppt|pptx|rtf|txt|xls|xlsx|7z|bz2|gz|rar|tar|tgz|zip|apk|appx|bin|dmg|exe|img|iso|jar|msi|webmanifest)$ {
                        try_files  $uri @fallback;

                        root       /home/test/web/test2.uat.sibcode.team/public_html;
                        access_log /var/log/apache2/domains/test2.uat.sibcode.team.log combined;
                        access_log /var/log/apache2/domains/test2.uat.sibcode.team.bytes bytes;

                        expires    max;
                }
        }

        location @fallback {
                proxy_pass http://92.63.104.162:8080;
        }

        location /error/ {
                alias /home/test/web/test2.uat.sibcode.team/document_errors/;
        }

        include /home/test/conf/web/test2.uat.sibcode.team/nginx.conf_*;
}
root@uat:/# cat /home/test/conf/web/test2.uat.sibcode.team/nginx.conf_letsencrypt
location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.9Vz_zdIKqk1BRE-C3qZU7TxZtLMUKQy2lCyWnwoLnn4";
}

Conf file looks good, but your domain is using 2 DNS servers that don’t resolve:

> dig test2.uat.sibcode.team ns +short
ns2.sibcode.team.
ns1.sibcode.team.
> dig @ns1.sibcode.team test2.uat.sibcode.team
dig: couldn't get address for 'ns1.sibcode.team': not found
> dig @ns2.sibcode.team test2.uat.sibcode.team
dig: couldn't get address for 'ns2.sibcode.team': not found
> dig ns1.sibcode.team +short
> dig ns2.sibcode.team +short

2 Likes

You can check here.

It looks like somehow the NS servers were reset in the HestiaCP settings; I have now entered ns1.uat.sibcode.team and ns2.uat.sibcode.team instead. I will wait and check later.

Please clarify: for the main admin user, should the host domain created during installation of the panel have DNS settings? For some reason they were not created, so I created them manually and specified the BIND9 child-ns template, as I did recently in VestaCP.

Now it seems fine.

1 Like

I fixed the server’s NS, rebooted the server, and the certificate was successfully issued. But when opening the domain https://test2.uat.sibcode.team it gives an error as if the certificate is not valid.

I just created a new test domain test4.uat.sibcode.team and the certificate is not created; the error is the same.

So weird. Please show this output:

ls -la /etc/nginx/conf.d/domains/

Result for these domains:

root@uat:/# ls -la /etc/nginx/conf.d/domains/
total 348
drwxr-xr-x 2 root root 24576 Jan 13 14:54 .
drwxr-xr-x 4 root root  4096 Jan  5 10:30 ..
...
lrwxrwxrwx 1 root root    51 Jan 13 12:20 test.uat.sibcode.team.conf -> /home/uat/conf/web/test.uat.sibcode.team/nginx.conf
lrwxrwxrwx 1 root root    53 Jan 13 12:57 test2.uat.sibcode.team.conf -> /home/test/conf/web/test2.uat.sibcode.team/nginx.conf
lrwxrwxrwx 1 root root    57 Jan 13 14:19 test2.uat.sibcode.team.ssl.conf -> /home/test/conf/web/test2.uat.sibcode.team/nginx.ssl.conf
lrwxrwxrwx 1 root root    53 Jan 13 14:04 test3.uat.sibcode.team.conf -> /home/test/conf/web/test3.uat.sibcode.team/nginx.conf
lrwxrwxrwx 1 root root    57 Jan 13 14:54 test3.uat.sibcode.team.ssl.conf -> /home/test/conf/web/test3.uat.sibcode.team/nginx.ssl.conf
lrwxrwxrwx 1 root root    53 Jan 13 14:27 test4.uat.sibcode.team.conf -> /home/test/conf/web/test4.uat.sibcode.team/nginx.conf
lrwxrwxrwx 1 root root    53 Jan 13 14:47 test5.uat.sibcode.team.conf -> /home/test/conf/web/test5.uat.sibcode.team/nginx.conf
...

Maybe we need to wait some more time?

I don’t think that waiting will fix it. It’s like nginx is not getting the right conf for your domains.

If you restart nginx, does it work?

systemctl restart nginx

Show the output of this:

 grep -i include /etc/nginx/nginx.conf

After running systemctl restart nginx the certificate started working correctly for test2. It looks like the nginx configuration is now updated only after a manual restart.

root@uat:/#  grep -i include /etc/nginx/nginx.conf
include              /etc/nginx/conf.d/main/*.conf;
include              /etc/nginx/modules-enabled/*.conf;
        include                         /etc/nginx/mime.types;
        include                         /etc/nginx/conf.d/cloudflare.inc;
        # Wildcard include
        include                         /etc/nginx/conf.d/*.conf;
        include                         /etc/nginx/conf.d/domains/*.conf;