I am not sure why, but Enable automatic HTTPS redirection turns off automatically for a few domains by default. I generally find it when I cross-check my PrivateBin installation, and see that a few others have also turned off automatically. How can I find out what causes this? Which logs can I see? Also, I do not know when it actually happens, as I do not check each domain daily on the control panel.
Could you please show the output of these commands (replace YourUser and YourDomain with the actual data)?
v-list-web-domain YourUser YourDomain json
ls -la /home/YourUser/conf/web/YourDomain/
grep is_restart_format_valid /usr/local/hestia/bin/v-add-web-domain-ssl
Usually that issue happens when the certificate must be renewed, so v-update-letsencrypt-ssl runs and executes v-add-letsencrypt-domain, and during the add process it executes v-delete-web-domain-ssl-force, which removes the redirection. The redirection will be added again later, but if for some reason the script fails, the redirection stays removed.
Are you having any issues renewing your certificates?
I have made manual changes and via the UI set the HTTPS back. However, yes, sometimes the domain SSL fails automatically, but not always. For the domains I just changed, these did not fail SSL renewal.
v-list-web-domain user pb.domain.tld.in json
{
"domain.tld": {
"IP": "IP",
"IP6": "",
"DOCUMENT_ROOT": "/home/user/web/domain.tld/public_html/",
"U_DISK": "6",
"U_BANDWIDTH": "1",
"TPL": "default",
"ALIAS": "www.domain.tld",
"STATS": "",
"STATS_USER": "",
"SSL": "yes",
"SSL_FORCE": "yes",
"SSL_HSTS": "yes",
"SSL_HOME": "same",
"LETSENCRYPT": "yes",
"FTP_USER": "",
"FTP_PATH": "",
"AUTH_USER": "",
"BACKEND": "default",
"PROXY": "hosting",
"PROXY_EXT": "css,htm,html,js,mjs,json,xml,apng,avif,bmp,cur,gif,ico,jfif,jpg,jpeg,pjp,pjpeg,png,svg,tif,tiff,webp,aac,caf,flac,m4a,midi,mp3,ogg,opus,wav,3gp,av1,a vi,m4v,mkv,mov,mpg,mpeg,mp4,mp4v,webm,otf,ttf,woff,woff2,doc,docx,odf,odp,ods,odt,pdf,ppt,pptx,rtf,txt,xls,xlsx,7z,bz2,gz,rar,tar,tgz,zip,apk,appx,bin,dmg,exe,img,iso,jar, msi,webmanifest",
"FASTCGI_CACHE": "no",
"FASTCGI_DURATION": "0s",
"REDIRECT": "",
"REDIRECT_CODE": "",
"CUSTOM_DOCROOT": "",
"SUSPENDED": "no",
"TIME": "14:55:15",
"DATE": "2024-11-20"
}
}
grep is_restart_format_valid /usr/local/hestia/bin/v-add-web-domain-ssl
is_restart_format_valid "$restart" 'restart'
ls -la /home/user/conf/web/domain.tld/
total 44
drwxr-xr-x 3 root root 4096 May 17 12:44 .
drwxr-x--x 13 root root 4096 May 17 15:51 ..
-rw-r----- 1 root user 1713 Mar 30 16:20 apache2.conf
-rw-r----- 1 root user 1978 Mar 30 16:20 apache2.ssl.conf
-rw-r----- 1 root user 1685 Mar 30 16:20 nginx.conf
-rw-r--r-- 1 root root 159 Apr 28 03:32 nginx.conf_letsencrypt
-rw-r----- 1 root user 38 May 17 12:44 nginx.forcessl.conf
-rw-r----- 1 root user 65 May 17 12:44 nginx.hsts.conf
-rw-r----- 1 root user 2094 Mar 30 16:20 nginx.ssl.conf
-rw-r--r-- 1 root root 159 Nov 20 19:25 nginx.ssl.conf_letsencrypt
drwxr-xr-x 2 root root 4096 Apr 28 03:32 ssl
Now all looks fine.
If the issue doesn’t happen when renewing certs, then I don’t know what’s going on, because v-delete-web-domain-ssl-force is only used when rebuilding the web domain and when v-add-letsencrypt-domain is executed. Regarding rebuilding, it deletes it and just after that it adds the redirection again, so my guess is some issue when executing v-add-letsencrypt-domain.
Check the logs just in case:
grep -Ei 'letsencrypt|ssl' /var/log/hestia/{system.log,error.log}
Seen many errors. Logs here: Paste
For example, checking translate.domain.tld:
/var/log/hestia/system.log:2025-05-09 22:01:56 v-delete-web-domain-ssl-force 'user' 'translate.domain.tld' 'no' 'yes'
/var/log/hestia/error.log:2025-05-09 22:01:56 v-add-web-domain-ssl-force 'user' 'translate.domain.tld' 'no' 'yes' [Error 5]
On May 9th, Hestia deleted the redirection, but when attempting to add it again, it failed. Error 5 indicates that the domain is suspended.
Sorry, I should have mentioned. Ignore the suspended ones, as those are not the ones I was referring to. My bad on that one.
But the, let’s say, 4g.domain one or the hfs.domain one are amongst the ones I faced issues with.
Logs from the last couple of days. All of these domains are up/working, but I keep getting these errors.
Also, my git and all other ones, including the paste one went force-ssl again to no. This seems to be happening daily.
Also, every time I try to update the force ssl/https from UI, my apache2 restart fails. Every single time. For every domain that is there. This is another issue.
v-list-web-domain user git.domain.tld json
{
"git.domain.tld": {
"IP": "IPADDR",
"IP6": "",
"DOCUMENT_ROOT": "/home/user/web/git.domain.tld/public_html/",
"U_DISK": "1",
"U_BANDWIDTH": "4947",
"TPL": "Git",
"ALIAS": "www.git.domain.tld",
"STATS": "",
"STATS_USER": "",
"SSL": "yes",
"SSL_FORCE": "no",
"SSL_HSTS": "yes",
"SSL_HOME": "same",
"LETSENCRYPT": "yes",
"FTP_USER": "",
"FTP_PATH": "",
"AUTH_USER": "",
"BACKEND": "default",
"PROXY": "Git",
"PROXY_EXT": "css,htm,html,js,json,xml,apng,avif,bmp,cur,gif,ico,jfif,jpg,jpeg,pjp,pjpeg,png,svg,tif,tiff,webp,aac,caf,flac,m4a,midi,mp3,ogg,opus,wav,3gp,av1,avi,m4v,mkv,mov,mpg,mpeg,mp4,mp4v,webm,otf,ttf,woff,woff2,doc,docx,odf,odp,ods,odt,pdf,ppt,pptx,rtf,txt,xls,xlsx,7z,bz2,gz,rar,tar,tgz,zip,apk,appx,bin,dmg,exe,img,iso,jar,msi,webmanifest",
"FASTCGI_CACHE": "no",
"FASTCGI_DURATION": "0s",
"REDIRECT": "",
"REDIRECT_CODE": "",
"CUSTOM_DOCROOT": "",
"SUSPENDED": "no",
"TIME": "22:13:51",
"DATE": "2024-11-20"
}
}
grep is_restart_format_valid /usr/local/hestia/bin/v-add-web-domain-ssl
is_restart_format_valid "$restart" 'restart'
Let’s focus on one domain: git.domain.tld
/var/log/hestia/error.log:2025-05-18 03:32:08 v-add-letsencrypt-domain 'user' 'git.domain.tld' 'www.git.domain.tld' [Error 15]
/var/log/hestia/error.log:2025-05-18 03:32:08 v-update-letsencrypt-ssl git.domain.tld Error: Let's Encrypt nonce request status (git.domain.tld) [Error 2]
To me, it’s clear that Hestia removes the redirection when it tries to renew the certificate for the git domain. Since the renewal fails, the redirection is not restored.
To know the reason, check the log /var/log/hestia/LE-user-git.domain.tld.log
You can also debug the command manually:
bash -x /usr/local/hestia/bin/v-add-letsencrypt-domain user git.domain.tld www.git.domain.tld 2>&1 | tee /tmp/git-v-add-letsencrypt-domain.debug
Show also this output (replace user with the actual user):
grep LETSENCRYPT_FAIL_COUNT /usr/local/hestia/data/users/user/web.conf
For the LE file and debug output, please share them unedited. If you don’t want to post them publicly, just send me a private message.
You must try to fix that.
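The log correlation done by hand above for translate.domain.tld and git.domain.tld, as an added example that is not part of the original thread and is not Hestia code. The function name `find_lost_redirects` is hypothetical, the sample lines are constructed in the page's log format, and it assumes a successful v-add-web-domain-ssl-force is logged without a trailing `[Error N]`.

```shell
#!/usr/bin/env bash
# Added example (not Hestia code). Reads lines as printed by
#   grep -Ei 'letsencrypt|ssl' /var/log/hestia/{system.log,error.log}
# and prints "domain|time the redirect was removed|last failure" for every
# domain whose forced-HTTPS redirect was deleted and never re-added.
# Assumption: a successful v-add-web-domain-ssl-force is logged like the
# delete line, i.e. without a trailing [Error N].

find_lost_redirects() {
  sed -E 's#^/var/log/hestia/[a-z]+\.log:##' |
  # Prefix "date time rank" so a delete sorts before an add in the same second.
  awk '{ rank = ($3 == "v-delete-web-domain-ssl-force") ? 0 : 1
         print $1, $2, rank, $0 }' |
  LC_ALL=C sort -s -k1,3 |
  awk -v q="'" '
    { cmd = $6; dom = $8; gsub(q, "", dom); err = ""
      if (match($0, /\[Error [0-9]+\]$/))
        err = substr($0, RSTART + 1, RLENGTH - 2) }
    cmd == "v-delete-web-domain-ssl-force" {
      removed[dom] = $4 " " $5; why[dom] = "no failure logged"; next }
    cmd == "v-add-web-domain-ssl-force" && err == "" {
      delete removed[dom]; next }
    (cmd == "v-add-web-domain-ssl-force" || cmd == "v-add-letsencrypt-domain") &&
      err != "" && (dom in removed) { why[dom] = cmd " " err }
    END { for (d in removed) print d "|" removed[d] "|" why[d] }' |
  LC_ALL=C sort
}

# Constructed sample: the ok.domain.tld lines and the 03:32:06 delete line are
# invented for illustration; the others follow lines quoted in the thread.
SAMPLE_LOG="/var/log/hestia/error.log:2025-05-09 22:01:56 v-add-web-domain-ssl-force 'user' 'translate.domain.tld' 'no' 'yes' [Error 5]
/var/log/hestia/system.log:2025-05-09 22:01:56 v-delete-web-domain-ssl-force 'user' 'translate.domain.tld' 'no' 'yes'
/var/log/hestia/system.log:2025-05-10 04:00:01 v-delete-web-domain-ssl-force 'user' 'ok.domain.tld' 'no' 'yes'
/var/log/hestia/system.log:2025-05-10 04:00:01 v-add-web-domain-ssl-force 'user' 'ok.domain.tld' 'no' 'yes'
/var/log/hestia/system.log:2025-05-18 03:32:06 v-delete-web-domain-ssl-force 'user' 'git.domain.tld' 'no' 'yes'
/var/log/hestia/error.log:2025-05-18 03:32:08 v-add-letsencrypt-domain 'user' 'git.domain.tld' 'www.git.domain.tld' [Error 15]"

printf '%s\n' "$SAMPLE_LOG" | find_lost_redirects
```

On a real server, pipe the output of the grep command quoted earlier in the thread into the function instead of the sample.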
Unfortunately, it happens when trying to force HTTPS, or apply SSL. Every single time. Tried various places to solve the issue, but there is no clear guidance. Will keep trying.
So, the git one successfully got the LE generated and all, but when I tried the 4g one, it went into an infinite loop of sleep 2 (had to CTRL+C to break) and also removed the https (of course). Now I can try only tomorrow. Anyways the default cert is expiring May 21st for this domain, so I will wait it out for auto-renewal, I guess.
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
}'
++ grep addressesResolved
+ [[ '' != '' ]]
+ i=28
+ (( i > 30 ))
+ sleep 2
All it showed was this (literally copied with the spaces in the file):
=============================
Date Time: 2025-05-18 03:32:06
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: user
domain: git.domain.tld
- aliases: www.git.domain.tld
- proto: http-01
- wildcard:
==[Step 1]==
- status:
- nonce:
- answer:
Will respond with rest of the details later on. Power outage and my laptop battery can die anytime.
Edit. @sahsanu pinged you with the debug files. Please check.