Hestia not setting SSL on mail

Hi,

I was able to set up Cloudflare SSL on my web domain. However, I am not able to set the SSL for my mail domain. It’s not even letting me set up Let’s Encrypt.

This is the error I get

Just a quick question, to rule things out: in your DNS records at Cloudflare, are the mail records set with the proxy active (orange cloud)? And what about SSL/TLS encryption, is it set to Full (strict)?

Cloudflare doesn’t filter or support mail traffic; you need to remove the proxy as written above and use Let’s Encrypt to generate valid certificates.

1 Like

The mail records are not set to proxy. I do have the SSL/TLS set to Full (strict).

Hmm, so weird. I have mine set as mentioned with Full (strict)… Also the A and CNAME records related to mail (except webmail.example.com) are set as DNS only, and all TXT records generated for email were included on Cloudflare, and it works.

Now, you mentioned you were able to set Cloudflare SSL for your domain, but does your domain inside HestiaCP have Let’s Encrypt issued for the web domain as well?

Show the output of these commands:

ls -la /etc/exim4/domains/innovativeworks.biz/
cat /etc/exim4/domains/innovativeworks.biz/nginx.conf
cat /etc/exim4/domains/innovativeworks.biz/nginx.conf_letsencrypt
nginx -t
systemctl restart nginx
root@hsp:/home/admin# ls -la /etc/exim4/domains/innovativeworks.biz/
total 48
drwxrwx--x 3 Debian-exim mail 4096 Jul  8 15:11 .
drwxr-x--x 3 root        root 4096 May  4  2024 ..
-rw-rw---- 1 Debian-exim mail   70 Feb 28 05:44 accounts
-rw-rw---- 1 Debian-exim mail    0 Feb 28 05:44 aliases
-rw-rw---- 1 Debian-exim mail    0 Feb 28 05:44 antispam
-rw-rw---- 1 Debian-exim mail    0 Feb 28 05:44 antivirus
-rw-r----- 1 root        taco 1401 Jul 13 20:34 apache2.conf
-rw-rw---- 1 Debian-exim mail  916 Feb 28 05:44 dkim.pem
-rw-rw---- 1 Debian-exim mail    0 Feb 28 05:44 fwd_only
-rw-rw---- 1 Debian-exim mail   15 Feb 28 05:44 ip
-rw-rw---- 1 Debian-exim mail   62 Feb 28 05:44 limits
-rw-r----- 1 root        taco 1127 Jul 13 20:34 nginx.conf
-rw-rw---- 1 Debian-exim mail  159 Jul 13 20:35 nginx.conf_letsencrypt
lrwxrwxrwx 1 Debian-exim mail   63 May  4  2024 nginx.ssl.conf_letsencrypt -> /home/taco/conf/mail/innovativeworks.biz/nginx.conf_letsencrypt
-rw-rw---- 1 dovecot     mail  268 Feb 28 05:44 passwd
-rw-rw---- 1 Debian-exim mail    0 Feb 28 05:44 reject_spam
drwxr-x--- 2 Debian-exim mail 4096 Jul  8 15:11 ssl
root@hsp:/home/admin# cat /etc/exim4/domains/innovativeworks.biz/nginx.conf
server {
        listen      204.188.195.84:80;
        server_name webmail.innovativeworks.biz mail.innovativeworks.biz;
        root        /var/lib/roundcube;
        index       index.php index.html index.htm;
        access_log  /var/log/nginx/domains/webmail.innovativeworks.biz.log combined;
        error_log   /var/log/nginx/domains/webmail.innovativeworks.biz.error.log error;

        include /home/taco/conf/mail/innovativeworks.biz/nginx.forcessl.conf*;

        location ~ /\.(?!well-known\/) {
                deny all;
                return 404;
        }

        location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
                deny all;
                return 404;
        }

        location / {
                alias /var/lib/roundcube/;

                try_files $uri $uri/ =404;

                proxy_pass http://204.188.195.84:8080;

                location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
                        expires 7d;
                        fastcgi_hide_header "Set-Cookie";
                }
        }

        location @fallback {
                proxy_pass http://204.188.195.84:8080;
        }

        location /error/ {
                alias /var/www/document_errors/;
        }

        include /home/taco/conf/mail/innovativeworks.biz/nginx.conf_*;
}
root@hsp:/home/admin# cat /etc/exim4/domains/innovativeworks.biz/nginx.conf_letsencrypt
location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.zHBWYJ7n7W14SkEvEEJw_3FhZ2RSvBuH2mpzfK96qgw";
}
root@hsp:/home/admin# nginx -t
bash: nginx: command not found
root@hsp:/home/admin# systemctl restart nginx
root@hsp:/home/admin#

My domain inside Hestia does not have Let’s Encrypt issued for it. I am using Cloudflare’s SSL.

Ohhh, I see now… Not the same scenario then… Previously I set my server to use itself as DNS using bind; Let’s Encrypt certs were already there for the domain and mail. Later on I changed all this to Cloudflare, but upon checking I’m using only the Edge cert. The web domain is still using Let’s Encrypt and renewing it, same with the mail domain. That was why I was asking if you were able to set a Let’s Encrypt cert inside Hestia once connected with Cloudflare… I will test some things later today maybe to see if I can replicate the issue… In the meantime, let’s hope @sahsanu can provide some light, he is really good.

2 Likes

I’m wondering why nginx is not in the root user’s PATH.

echo $PATH
/usr/sbin/nginx -t

Also, could you show the output of this command? It seems like Nginx isn’t aware of the mail configuration.

ls -l /etc/nginx/conf.d/domains/ | grep innovativeworks.biz
root@hsp:/home/admin# ls -l /etc/nginx/conf.d/domains/ | grep innovativeworks.biz
lrwxrwxrwx 1 root root 55 Feb 28 05:44 hsp.innovativeworks.biz.conf -> /home/admin/conf/web/hsp.innovativeworks.biz/nginx.conf
lrwxrwxrwx 1 root root 59 Feb 28 05:44 hsp.innovativeworks.biz.ssl.conf -> /home/admin/conf/web/hsp.innovativeworks.biz/nginx.ssl.conf
lrwxrwxrwx 1 root root 50 Jul 13 20:43 innovativeworks.biz.conf -> /home/taco/conf/web/innovativeworks.biz/nginx.conf
lrwxrwxrwx 1 root root 54 Jul 13 20:43 innovativeworks.biz.ssl.conf -> /home/taco/conf/web/innovativeworks.biz/nginx.ssl.conf
lrwxrwxrwx 1 root root 51 Jul 13 20:34 webmail.innovativeworks.biz.conf -> /home/taco/conf/mail/innovativeworks.biz/nginx.conf

I don’t see any obvious problems.

Please show the output of the following commands:

echo $PATH
/usr/sbin/nginx -t
systemctl status nginx --no-pager -l
lsof -Pn +c0 -i:80,443 -sTCP:LISTEN
root@hsp:/home/admin# echo $PATH
/usr/sbin/nginx -t
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/hestia/bin
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@hsp:/home/admin# systemctl status nginx --no-pager -l
lsof -Pn +c0 -i:80,443 -sTCP:LISTEN
● nginx.service - nginx - high performance web server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; preset: enabled)
     Active: active (running) since Mon 2025-07-14 13:14:42 CDT; 3h 52min ago
       Docs: https://nginx.org/en/docs/
    Process: 2078933 ExecStart=/usr/sbin/nginx -c ${CONFFILE} (code=exited, status=0/SUCCESS)
   Main PID: 2078935 (nginx)
      Tasks: 5 (limit: 9515)
     Memory: 12.6M
        CPU: 410ms
     CGroup: /system.slice/nginx.service
             ├─2078935 "nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf"
             ├─2078936 "nginx: worker process"
             ├─2078937 "nginx: worker process"
             ├─2078938 "nginx: worker process"
             └─2078939 "nginx: worker process"

Jul 14 13:14:42 hsp.innovativeworks.biz systemd[1]: Starting nginx.service - nginx - high performance web server...
Jul 14 13:14:42 hsp.innovativeworks.biz systemd[1]: Started nginx.service - nginx - high performance web server.
COMMAND     PID  USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
nginx   2078935  root    7u  IPv4 9494307      0t0  TCP 204.188.195.84:80 (LISTEN)
nginx   2078935  root    8u  IPv4 9494308      0t0  TCP 204.188.195.84:443 (LISTEN)
nginx   2078936 nginx    7u  IPv4 9494307      0t0  TCP 204.188.195.84:80 (LISTEN)
nginx   2078936 nginx    8u  IPv4 9494308      0t0  TCP 204.188.195.84:443 (LISTEN)
nginx   2078937 nginx    7u  IPv4 9494307      0t0  TCP 204.188.195.84:80 (LISTEN)
nginx   2078937 nginx    8u  IPv4 9494308      0t0  TCP 204.188.195.84:443 (LISTEN)
nginx   2078938 nginx    7u  IPv4 9494307      0t0  TCP 204.188.195.84:80 (LISTEN)
nginx   2078938 nginx    8u  IPv4 9494308      0t0  TCP 204.188.195.84:443 (LISTEN)
nginx   2078939 nginx    7u  IPv4 9494307      0t0  TCP 204.188.195.84:80 (LISTEN)
nginx   2078939 nginx    8u  IPv4 9494308      0t0  TCP 204.188.195.84:443 (LISTEN)

Everything looks fine. I’d need to log in to the server in order to take a closer look.

Well, I’m not sure about this to be honest. I just installed a free Oracle Cloud server to test. I have set the domain with just a few records (note that my subdomain record used as the hostname on the server, in this case hestia.luis-fonseca.xyz, is not proxied, which is the only difference I see), I set SSL/TLS to Full (strict), the hostname got Let’s Encrypt through the v-add-letsencrypt-host command, and finally I have not created any other cert on Cloudflare yet, but I just clicked to get a Let’s Encrypt cert for mail and it was set…

How would you like me to set that up?

Just for the record.

We have fixed the issue.

The main problem was that OP overwrote the nginx.conf file some time ago during an Nginx update. To fix it:

cd /etc/nginx/
cp nginx.conf nginx.conf.bad
cp /usr/local/hestia/install/deb/nginx/nginx.conf .

The second issue was that OP reached the limit of failed attempts to issue a certificate, and Hestia started ignoring them. I’ve cleared that limit for all the web and mail domains.

for i in $(grep -rlE "LETSENCRYPT_FAIL_COUNT='[1-9][0-9]?'" /usr/local/hestia/data/users/); do sed -i "s/LETSENCRYPT_FAIL_COUNT='[1-9][0-9]*'/LETSENCRYPT_FAIL_COUNT='0'/" "$i";done

And I also fixed the 421 Misdirected Request error:

curl -fsSLm15 https://7j.gg/fixnginx421 | sudo bash -s --
6 Likes
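The two repair steps above (putting Hestia’s shipped nginx.conf back, then clearing the Let’s Encrypt failure counters) as an added example, not code from the thread or from HestiaCP itself. It wraps them in functions that keep a timestamped backup, validate the new file before committing to it, and default to a dry run, and it fetches nothing over the network. The paths from the thread (/etc/nginx/nginx.conf, /usr/local/hestia/install/deb/nginx/nginx.conf and /usr/local/hestia/data/users/) are passed as parameters so the functions can be tried against a scratch directory first; the `demo` function, the scratch-directory layout and the `web.conf`/`mail.conf` lines it writes are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from HestiaCP): the two repair steps
# as functions with a backup, a validation step and a dry-run default.

# restore_conf TEMPLATE TARGET CHECK_CMD
# Copy TEMPLATE over TARGET, keeping the old TARGET as TARGET.bad.<timestamp>,
# then run CHECK_CMD (for nginx: "/usr/sbin/nginx -t"). If the check fails the
# backup is put back, so a wrong template never leaves the service unable to
# start. Exit status: 0 restored or already identical, 1 check failed,
# 2 template missing.
restore_conf() {
    template=$1; target=$2; check=$3
    if [ ! -f "$template" ]; then
        echo "template not found: $template" >&2
        return 2
    fi
    if [ -f "$target" ] && cmp -s "$template" "$target"; then
        echo "already identical: $target"
        return 0
    fi
    backup="$target.bad.$(date +%Y%m%d%H%M%S)"
    if [ -f "$target" ]; then
        cp -p "$target" "$backup"
    fi
    cp "$template" "$target"
    if sh -c "$check"; then
        echo "restored $target (previous copy kept as $backup)"
        return 0
    fi
    echo "check failed, rolling back $target" >&2
    if [ -f "$backup" ]; then
        cp -p "$backup" "$target"
    fi
    return 1
}

# reset_le_failures USERS_DIR [apply]
# Hestia keeps a per-domain LETSENCRYPT_FAIL_COUNT in each user's web.conf and
# mail.conf (the files the thread's grep walks) and stops retrying once it
# reaches its limit. List every file with a non-zero counter and rewrite it
# to 0 only when the second argument is "apply". The last line printed is the
# number of files matched. Hestia's data paths contain no whitespace, which
# the unquoted $(...) word list relies on.
reset_le_failures() {
    dir=$1; mode=${2:-dry-run}; n=0
    for f in $(grep -rlE "LETSENCRYPT_FAIL_COUNT='[1-9][0-9]*'" "$dir" || true); do
        n=$((n + 1))
        if [ "$mode" = apply ]; then
            sed -i "s/LETSENCRYPT_FAIL_COUNT='[1-9][0-9]*'/LETSENCRYPT_FAIL_COUNT='0'/" "$f"
            echo "reset: $f"
        else
            echo "would reset: $f"
        fi
    done
    echo "$n"
}

# demo: exercise both functions in a scratch directory with constructed
# Hestia-style entries (sample data, not copied from a real server).
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/users/taco"
    printf "DOMAIN='example.org' LETSENCRYPT='yes' LETSENCRYPT_FAIL_COUNT='5'\n" \
        > "$scratch/users/taco/web.conf"
    printf "DOMAIN='example.org' ANTISPAM='yes' LETSENCRYPT_FAIL_COUNT='0'\n" \
        > "$scratch/users/taco/mail.conf"
    reset_le_failures "$scratch/users"          # dry run: lists web.conf only
    reset_le_failures "$scratch/users" apply    # now rewrites it to 0
    printf 'worker_processes auto;\n' > "$scratch/nginx.conf.template"
    printf 'worker_processes 1;\n'    > "$scratch/nginx.conf"
    # On a real host the check would be "/usr/sbin/nginx -t"; "true" here
    # because the scratch file is not a full nginx configuration.
    restore_conf "$scratch/nginx.conf.template" "$scratch/nginx.conf" true
    rm -rf "$scratch"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

On a live Hestia host the calls would be `restore_conf /usr/local/hestia/install/deb/nginx/nginx.conf /etc/nginx/nginx.conf "/usr/sbin/nginx -t"` followed by `reset_le_failures /usr/local/hestia/data/users` to see which domains are affected, then the same with `apply`; any local changes that were deliberately made to nginx.conf need to be re-applied from the `.bad.*` backup afterwards.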

WOW!
Glad to hear you were able to help @b_superman1. Quick question, dear friend @sahsanu, when you mentioned:

Does that mean it’s like when we get those messages during updates saying a new version of the X config file is available, and we need to choose to keep the local config file?

I mean, something like this, when it is shown for example on Ubuntu (I no longer use Ubuntu BTW haha; I followed your steps and moved everything to Debian):

1 Like

Yes, that’s correct… at least for the services where Hestia modifies the default conf: nginx, apache2, exim4, php, dovecot, vsftpd, proftpd, ssh, mariadb, etc.

2 Likes