Hestia 1.4.14, Debian 11 and bug in Lets Encrypt

I have Hestia v1.4.14
Debian 11.0 (x86_64)
Default install

I have a problem installing Lets Encrypt certificates. All necessary records for the domain are set correctly.
Once after rebooting or restarting nginx, the certificate is installed correctly. When I try to issue a certificate for any other domain or subdomain, I get an error.

Error: Let’s Encrypt validation status 400 (domain). Details: Unable to update challenge :: authorization must be pending

If you restart nginx, then a second attempt without changing anything is successful.
I believe that this is a panel bug and it cannot re-save the config correctly or restart nginx after installing the certificate.

in /var/log/hestia/LE-***domain
Step 1 = status: 200
Step 2 = status: 201
Step 3 = status: 200

==[Step 5]==

  • status: 400
  • nonce: 0101nW_rSe-c4JjUUPlmWu6BtdZOLhmMcR2V2bu-4KrOzCs
  • validation:
  • details: Unable to update challenge :: authorization must be pending
  • answer: HTTP/2 400
    server: nginx
    date: Mon, 27 Sep 2021 11:39:54 GMT
    content-type: application/problem+json
    content-length: 144
    boulder-requester: 215495970
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
    replay-nonce: 0101nW_rSe-c4JjUUPlmWu6BtdZOLhmMcR2V2bu-4KrOzCs

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}

==[Abort Step 5]==

How to solve this problem?

Sounds like a config issue; are you using any custom template?

Check:

https://docs.hestiacp.com/admin_docs/web/ssl_certificates.html

Try to find a JSON structure that looks like:

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12520447717/scDRXA",
  "token": "9yriok5bpLtV__m-rZ8f2tQmrfeQli0tCxSj4iNkv2Y"
}

If you open https://acme-v02.api.letsencrypt.org/acme/chall-v3/12520447717/scDRXA you will see the exact reason why it failed.
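Added example (not code from the thread or from HestiaCP) showing how to read the challenge object referred to above once you have fetched it: it pulls out the error type and detail, the HTTP status Let's Encrypt received from the site, and the address that was actually contacted, and compares that address with the IPs you expect the domain to point at. The sample challenge JSON, the domain example.test, the token and the IP addresses are constructed placeholders; the field layout follows the ACME challenge object (RFC 8555).

```python
# Added example, not part of the thread or of HestiaCP: summarise an ACME
# challenge object (as returned by the challenge URL or copied from the
# Hestia LE log) so the failure reason is visible at a glance.
import json
import re

# Constructed sample mirroring an "invalid" http-01 challenge, with
# placeholder domain, token, IP and challenge URL.
SAMPLE_CHALLENGE = json.dumps({
    "type": "http-01",
    "status": "invalid",
    "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://example.test/.well-known/"
                  "acme-challenge/TOKEN_PLACEHOLDER [192.0.2.10]: 500",
        "status": 403,
    },
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/0000/PLACEHOLDER",
    "token": "TOKEN_PLACEHOLDER",
    "validationRecord": [{
        "url": "http://example.test/.well-known/acme-challenge/TOKEN_PLACEHOLDER",
        "hostname": "example.test",
        "port": "80",
        "addressesResolved": ["192.0.2.10"],
        "addressUsed": "192.0.2.10",
    }],
    "validated": "2021-09-27T11:39:50Z",
})

# What the ACME error types seen in the thread usually mean on the web server side.
ERROR_HINTS = {
    "urn:ietf:params:acme:error:unauthorized":
        "the challenge file was not served correctly on port 80; check which "
        "vhost answers for this name and any redirect or error it returns",
    "urn:ietf:params:acme:error:malformed":
        "the authorization is no longer pending (it already failed or was "
        "already validated); inspect the earlier challenge result, then "
        "request a fresh order",
    "urn:ietf:params:acme:error:dns":
        "the name did not resolve as expected",
}


def diagnose_challenge(raw, expected_ips=()):
    """Parse a challenge object and return a summary dict.

    expected_ips: the addresses the domain is supposed to point at; if the
    validator contacted a different address that is reported as a finding.
    """
    ch = json.loads(raw)
    out = {"status": ch.get("status"), "type": ch.get("type"),
           "address_used": None, "findings": []}
    err = ch.get("error") or {}
    out["error_type"] = err.get("type")
    out["error_detail"] = err.get("detail")
    # Let's Encrypt embeds the HTTP status it got from the site at the end
    # of the detail text, e.g. "... [192.0.2.10]: 500".
    m = re.search(r"\]: (\d{3})\s*$", err.get("detail", ""))
    out["site_http_status"] = int(m.group(1)) if m else None
    if out["error_type"] in ERROR_HINTS:
        out["findings"].append(ERROR_HINTS[out["error_type"]])
    if out["site_http_status"] is not None and out["site_http_status"] >= 500:
        out["findings"].append(
            "the web server itself returned %d for the challenge URL; "
            "look at that vhost's error log first" % out["site_http_status"])
    for rec in ch.get("validationRecord", []):
        used = rec.get("addressUsed")
        out["address_used"] = used
        if expected_ips and used not in expected_ips:
            out["findings"].append(
                "validation reached %s, not one of the expected addresses %s"
                % (used, ", ".join(expected_ips)))
    return out


if __name__ == "__main__":
    summary = diagnose_challenge(SAMPLE_CHALLENGE, expected_ips=("192.0.2.10",))
    print("status:", summary["status"], "error:", summary["error_type"])
    for finding in summary["findings"]:
        print(" -", finding)
```

Paste the real challenge JSON in place of SAMPLE_CHALLENGE and pass the server's public IPs as expected_ips; a 5xx in site_http_status points at the vhost, a wrong address_used points at DNS or at a different vhost answering for the name.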

No, only the default template.

{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from http://domain/.well-known/acme-challenge/71lNtaM1-yb0VCxx9_WEfpEwiC4Hx2qbQtkgpk6nQ8M [*5.*8.*3.*5]: 500",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/34795043820/*****",
  "token": "71lNtaM1-yb0VCxx9_WEfpEwiC4Hx2qbQtkgpk6nQ8M",
  "validationRecord": [
    {
      "url": "http://domain/.well-known/acme-challenge/71lNtaM1-yb0VCxx9_WEfpEwiC4Hx2qbQtkgpk6nQ8M",
      "hostname": "domain",
      "port": "80",
      "addressesResolved": [
        "*5.*8.*3.*5"
      ],
      "addressUsed": "*5.*8.*3.*5"
    }
  ],
  "validated": "2021-09-27T11:39:50Z"
}

What is it?

If this is the correct IP and so on, I will need more information (domain name and so on). Otherwise I can't do anything...

How can I write you a private message?
The service does not pass the message with links.

This is not a panel problem.
When setting the name for the panel, a forced redirect to https was assigned. As a result, any created site required it, even without a certificate being present.
The issuance of Let's Encrypt faced an information warning and therefore did not issue a certificate.
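The conclusion above (a forced redirect to https answering for every site, so the challenge could not be fetched over plain http) can be caught before asking Let's Encrypt to validate. The following is an added example, not part of the thread or of HestiaCP: check_http01() fetches the challenge path the way the ACME validator first does, over plain http and without following redirects, and reports a redirect to https, a 5xx, or a wrong body. start_stub() is a constructed local server that imitates the three vhost behaviours so the check runs offline; the host, port and token values are placeholders.

```python
# Added example, not from the thread or from HestiaCP: pre-flight check of an
# HTTP-01 challenge path as the ACME server would first request it, so a
# forced https redirect or a server error is visible before issuance.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def check_http01(host, port, token, timeout=5):
    """GET http://host:port/.well-known/acme-challenge/<token> once, without
    following redirects, and classify the answer. Returns (verdict, detail)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        location = resp.getheader("Location", "") or ""
    finally:
        conn.close()
    if 300 <= resp.status < 400:
        if location.lower().startswith("https://"):
            # Let's Encrypt follows this redirect; the target must then present
            # a certificate it can verify, which a site without one cannot.
            return ("redirect_to_https", location)
        return ("redirect", location)
    if resp.status >= 500:
        return ("server_error", str(resp.status))
    if resp.status != 200:
        return ("unexpected_status", str(resp.status))
    # The key authorization served for http-01 is "<token>.<account thumbprint>".
    if body.split(".")[0] != token:
        return ("wrong_body", body[:80])
    return ("ok", body)


class _Stub(BaseHTTPRequestHandler):
    """Constructed stand-in for a vhost: mode selects how it answers."""
    mode = "ok"
    token = ""

    def do_GET(self):
        if self.mode == "force_https":
            # The misconfiguration from the thread: every http request is
            # redirected to https before the challenge file can be served.
            self.send_response(301)
            self.send_header("Location", "https://%s%s" % (self.headers.get("Host", "localhost"), self.path))
            self.end_headers()
        elif self.mode == "broken":
            self.send_response(500)
            self.end_headers()
        elif self.path == CHALLENGE_PATH + self.token:
            body = (self.token + ".THUMBPRINT_PLACEHOLDER").encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub(mode, token):
    """Start a throw-away local server in the given mode; returns (server, port)."""
    handler = type("Stub", (_Stub,), {"mode": mode, "token": token})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    token = "TOKEN_PLACEHOLDER"
    for mode in ("ok", "force_https", "broken"):
        srv, port = start_stub(mode, token)
        print(mode, "->", check_http01("127.0.0.1", port, token))
        srv.shutdown()
```

Against a real host, call check_http01(domain, 80, token) with the token from the pending challenge object after the panel has written the challenge file; anything other than "ok" is the response the validator will see too.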