LE not working on renewals from site moves

Hi,

I moved all my sites over from Vesta to Hestia using backups created on Vesta. It all seemed to work well (apart from if the passwords were simple from the old server, it wouldn’t create new ones, and thus render the apps unable to connect - but this is fixable by updating the app logins in the scripts)

I now have another issue. I can’t seem to get the LE stuff to renew.

==[Step 5]==

  • status: 400
  • nonce: 01047cqyVSKcLcCyrF1QYJn9a9r8khF4StVrUqLje2Qcpps
  • validation:
  • details: Unable to update challenge :: authorization must be pending
  • answer: HTTP/2 400
    server: nginx
    date: Wed, 03 Feb 2021 02:20:15 GMT
    content-type: application/problem+json
    content-length: 144
    boulder-requester: 69658433
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
    replay-nonce: 01047cqyVSKcLcCyrF1QYJn9a9r8khF4StVrUqLje2Qcpps

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
}

==[Abort Step 5]==
=> Wrong status

I get the "authorization must be pending" error via email. I’ve had this before on some of the sites, and all I did was remove the Let’s Encrypt setting for the domain, save, and then set it up again - but it still gives me the error:

Error: Let’s Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending

I’ve even tried adding another sub-domain, to try and get LE to issue a new certificate, but even that doesn’t work :confused:

Going by this the error is due to it not matching:

https://acme-v02.api.letsencrypt.org/acme/chall-v3/10538968702/ePtJHQ

What am I missing? (this particular site is just the standard “Wordpress” theme that comes with Hestia)

Cheers

Andy

Disable force ssl

Hi,

Thanks for the quick reply. I assume you mean “Enable automatic HTTPS redirection”? I tried that, but still no joy :frowning:


I still get:

Error: Let’s Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending

Cheers

Andy

What DNS servers are you using?

https://docs.hestiacp.com/admin_docs/ssl_certificates.html

Linode. The IPv4 and IPv6 are both set to the new server. These are the new Linode’s IPs:

…and this is the DNS settings for that domain:

The move was done quite a while back (2 or so weeks ago), so the DNS should have updated to the LE already

Remove IPv6; it can’t be validated from Let’s Encrypt, which causes an LE400

Hmmm really? I’ve used IPv6 fine on Vesta, and since on new sites with Hestia?

On a side note - does Hestia work with DNS validation for domains and LE?

Aaah I got it!!! I compared my old Vesta templates with the new ones, and noticed that the .tpl file was missing the ipv6 listener:

listen [::]:%web_port%;

…and the .stpl was missing:

listen [::]:%web_port% ssl http2;

I added that in, rebuilt the domain, and voila - it works :slight_smile: Maybe worth adding that into the distro in all the .tpl/.stpl templates?

Cheers

Andy
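The mismatch found above (a domain published over IPv6 while the nginx template only listens on IPv4) can be checked for across a whole template directory. This is an added example, not code from the thread or from Hestia: the directory is passed as an argument, the sample templates are constructed, and `%ip%` is an assumed placeholder name.

```python
import re
import sys
from pathlib import Path

# Constructed sample templates (not copied from Hestia or Vesta). %ip% is an
# assumed placeholder name; %web_port% is the one quoted in the thread.
TPL_WITHOUT_V6 = """server {
    listen %ip%:%web_port%;
    # listen [::]:%web_port%;   commented out, so nginx ignores it
}"""
STPL_WITH_V6 = """server {
    listen %ip%:%web_port% ssl http2;
    listen [::]:%web_port% ssl http2;
}"""

# First argument of every "listen" directive (address:port or a bare port).
LISTEN_RE = re.compile(r"\blisten\s+([^\s;]+)[^;]*;")


def missing_ipv6_ports(template_text):
    """Return ports that have an IPv4/wildcard listener but no [..] listener."""
    v4, v6 = set(), set()
    for arg in LISTEN_RE.findall(re.sub(r"#.*", "", template_text)):
        if arg.startswith("unix:"):          # UNIX sockets have no port
            continue
        if arg.startswith("["):              # IPv6 literal, e.g. [::]:80
            v6.add(arg.split("]:", 1)[1] if "]:" in arg else "80")
        else:                                # 1.2.3.4:80, %ip%:%web_port%, 80
            v4.add(arg.rsplit(":", 1)[-1])
    return sorted(v4 - v6)


def scan_templates(directory):
    """Map each .tpl/.stpl file under directory to its ports lacking IPv6."""
    report = {}
    for path in sorted(Path(directory).rglob("*")):
        if path.is_file() and path.suffix in (".tpl", ".stpl"):
            missing = missing_ipv6_ports(path.read_text(errors="replace"))
            if missing:
                report[str(path)] = missing
    return report


if __name__ == "__main__":
    # Usage: python3 check_listen.py <template directory>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, ports in scan_templates(root).items():
        print(f"{name}: no IPv6 listener for port(s) {', '.join(ports)}")
```

Any file it reports will leave HTTP validation over the domain's AAAA record unanswered until the matching `listen [::]:...` line is added and the domain is rebuilt.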

Will be part of the IPv6 implementation - work pending :slight_smile:.


Thanks - keep up the good work :slight_smile:
