Hestia 1.7.3 SSL Let's encrypt Wrong status

When I try to get the certificate “Let’s Encrypt” I get an error.
I am using Cloudflare. Proxy and SSL/TLS encryption mode is disabled. I use nginx + php-fpm as a web server. Hestia Control Panel v1.7.3, Ubuntu 22.04.2 LTS. Here is what I found in the logs.

nginx

nginx: configuration file /etc/nginx/nginx.conf test is successful

Let’s Debug :

Test result for my-domain.com using http-01
All OK!
OK
==[Debug information Step 5]==
{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "2606:4700:3033::6815:103f: Fetching https://my-domain.com/: Redirect loop detected",
    "status": 400
  },

....
    }
  ],
  "validated": "2023-04-28T09:13:58Z"
}


==[Abort Step 5]==
=> Wrong status

What happens if you remove the IPv6?


Also

http://xxxxxxx-casinoau.com/.well-known/acme-challenge/RW9-cG-5ypWuk9C6nMaTd__qth3bqFDpd5JoGE9L-vM

redirects to

http://xxxxxxx-casinoau.com/


I have disabled IPv6 support on the server (in the DigitalOcean Droplet).

I’m not sure, but it seems that the Cloudflare error was displayed.


This may be due to the non-switchable setting?

That’s right. This is my domain.

You need to update Cloudflare to disable IPv6.

You should also “disable” the domain redirect for now and then try to request an SSL…

Thanks for the help. I delved into the topic and learned a lot about certificates. The problem was the error related to incorrectly specified DNS for www.

You cannot disable IPv6 when using the Cloudflare proxy. Traffic from Cloudflare to the origin server will (surprisingly) always prefer IPv4 when both an A and an AAAA record have been created in Cloudflare DNS. Since Hestia CP does not currently support IPv6, there is no reason to add an AAAA record to Cloudflare DNS. When proxied, an AAAA record will still be published, but traffic to the origin will use IPv4.

This is the secret. When using ACME HTTP-01 challenges, it is important to configure Cloudflare to not interfere with the challenge. I exclude the .well-known/acme-challenge path from HTTPS and caching. I really need to author a comprehensive guide that I can just link to.

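To see exactly what an HTTP-01 validator sees on a domain like the one above (a challenge URL that redirects to /, an edge that bounces HTTPS back to HTTP, the resulting loop), here is a small tracer I wrote for this thread. It is an added example, not code from Hestia, Let's Encrypt or Let's Debug. It fetches one hop at a time with redirects disabled, walks the Location headers itself, and reports the full chain when it loops, so the failure is named rather than just "Wrong status". The domain, token, thumbprint and the two response tables are constructed placeholders; the fetcher is injectable so the same logic runs offline against them or live against a real domain.

```python
"""Trace an ACME HTTP-01 fetch the way a validator would and name the failure.

Added diagnostic written for this thread; it is not code from Hestia,
Let's Encrypt or Let's Debug. The real fetcher does one request per hop
with redirects disabled, so a loop like "Redirect loop detected" is
reported with its full chain instead of a bare error. The fetcher is
injectable, and the sample response tables below are constructed.
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Optional[str], str]          # (status, Location header, body)
Fetcher = Callable[[str], Response]
REDIRECTS = (301, 302, 303, 307, 308)


def http_fetch(url: str, timeout: float = 10.0) -> Response:
    """Single request without following redirects (urllib follows them by default)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None                              # turn every 3xx into an HTTPError we inspect
    req = urllib.request.Request(url, headers={"User-Agent": "acme-path-check/0.1"})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read(4096).decode("utf-8", "replace")


def trace_redirects(fetch: Fetcher, url: str, max_hops: int = 10) -> Dict:
    """Walk Location headers by hand; stop on a loop, a non-redirect, or too many hops."""
    chain = [url]
    while True:
        status, location, body = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return {"chain": chain, "status": status, "body": body, "error": None}
        nxt = urllib.parse.urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if chain.count(nxt) > 1:
            return {"chain": chain, "status": status, "body": "", "error": "redirect loop"}
        if len(chain) > max_hops:
            return {"chain": chain, "status": status, "body": "", "error": "too many redirects"}


def check_http01(fetch: Fetcher, domain: str, token: str, key_authz: str) -> Dict:
    """Validator's view: http://<domain>/.well-known/acme-challenge/<token> must end in
    200 with the key authorization as body. Redirects (including to HTTPS) are allowed,
    as long as they stay on the challenge path and terminate."""
    start = f"http://{domain}/.well-known/acme-challenge/{token}"
    r = trace_redirects(fetch, start)
    findings = []
    if r["error"]:
        findings.append(f'{r["error"]}: ' + " -> ".join(r["chain"]))
    else:
        final = r["chain"][-1]
        if "/.well-known/acme-challenge/" not in final:
            findings.append(f"challenge path was redirected away to {final}")
        if r["status"] != 200:
            findings.append(f'final status {r["status"]}, expected 200')
        elif r["body"].strip() != key_authz:
            findings.append("200 received but body is not the key authorization")
    return {"ok": not findings, "findings": findings, "chain": r["chain"]}


def make_fetcher(table: Dict[str, Response]) -> Fetcher:
    """Offline fetcher over a constructed {url: (status, location, body)} table; unknown URLs 404."""
    return lambda url: table.get(url, (404, None, "not found"))


# Constructed sample data (placeholder domain, token and thumbprint, not real values).
DOMAIN = "my-domain.com"
TOKEN = "EXAMPLE-TOKEN-0123456789"
KEY_AUTHZ = TOKEN + ".EXAMPLE-ACCOUNT-THUMBPRINT"
CHALLENGE = f"http://{DOMAIN}/.well-known/acme-challenge/{TOKEN}"

# Broken setup: the challenge path is swallowed by a site-wide redirect, and the edge
# bounces HTTPS back to HTTP, so the validator never reaches a final response.
LOOPING = {
    CHALLENGE:            (301, f"http://{DOMAIN}/", ""),
    f"http://{DOMAIN}/":  (301, f"https://{DOMAIN}/", ""),
    f"https://{DOMAIN}/": (301, f"http://{DOMAIN}/", ""),
}
# Fixed setup: the challenge path is served directly, before any redirect rule.
FIXED = {CHALLENGE: (200, None, KEY_AUTHZ + "\n")}


if __name__ == "__main__":
    for name, table in (("looping", LOOPING), ("fixed", FIXED)):
        result = check_http01(make_fetcher(table), DOMAIN, TOKEN, KEY_AUTHZ)
        print(name, "OK" if result["ok"] else "FAIL", *result["findings"], sep="\n  ")
    # Against a live domain: check_http01(http_fetch, "my-domain.com", token, key_authz)
```

Run it as-is to see the constructed loop reported with its chain and the fixed table pass; for a live check, pass `http_fetch` and the token and key authorization your ACME client placed under /.well-known/acme-challenge/. A redirect to the same path over HTTPS is accepted, which is why excluding only that path from the HTTPS redirect and from caching is enough; a redirect to / is flagged even if / answers 200.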

ACME supports IPv6; what is the issue here?

Hestia doesn’t support IPv6 by default…

Still working on it…
