Let’s Encrypt SSL Generation (Error: Let's Encrypt finalize bad status 403)

Hi guys, hope you’re having a great time.

I’m totally new to HestiaCP and I have set up my server for the first time. I’m planning to use my server only as a Mail Server and I’m facing some issues with it.

Firstly, my hostname SSL was not issued, and when I tried to issue it manually using HestiaCP (hCP) it threw me an error. Moving on, I set up my mail domain and, using Cloudflare, I set up A records for webmail (webmail.krithiv.my.id) and mail (mail.krithiv.my.id) pointing towards my server with DNS-only configuration, but it also threw an error. (I know it’s not necessary; I did it anyway.) I pointed my main domain (Krithiv.my.id) towards the server, added it as a website and tried anyway, but it still failed.

Investigating further, using the command

curl -ikL http://mail.krithiv.my.id/.well-known/acme-challenge/test

It showed,

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 27 Aug 2024 16:12:36 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 48
Connection: keep-alive

test.Q6_-_gHikQQvtBdt-lET7LRVn1wGV1Lc5WbdX6QgUZQ

Checking with nslookup,

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: mail.krithiv.my.id
Address: 45.146.252.23

Can you guys help me solve this issue… :blush:
As I mentioned, I’m new to hCP and Linux, so I might need a detailed solution :dizzy_face: :face_with_monocle:

I don’t know how to fix it but I tried to reach your site from 3 different locations and in all of them, the first time I tried I received this error:

$ curl -ikL webmail.krithiv.my.id/.well-known/acme-challenge/test
curl: (56) Recv failure: Connection reset by peer

Next tries work fine:

$ curl -ikL webmail.krithiv.my.id/.well-known/acme-challenge/test
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 27 Aug 2024 17:00:13 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 48
Connection: keep-alive

test.Q6_-_gHikQQvtBdt-lET7LRVn1wGV1Lc5WbdX6QgUZQ

But after a few minutes, if I try it, I receive the first error again.

If that is happening when Let’s Encrypt tries to validate your domain, you won’t be able to get a certificate :frowning: Do you have any proxy, firewall, etc. that could cause this issue on first connections?


I don’t think I have any proxy causing this issue, because it was a freshly installed Ubuntu 22.04 Server and I followed the default installation instructions:

Getting Started | Hestia Control Panel
Regular Installation

I would like to add that ufw (not enabled) and postfix were already installed, but this installation method removed and reinstalled them.

Apart from that, the installation went smoothly.

As far as I can see, there is something on your server or in front of your server doing port spoofing, so I would talk to your hosting provider and let them know what problem you are facing.


Just in case it is useful when talking to your hosting provider: it “always” rejects the first connection to any port and then accepts the second one.

Example using port 25 (as I said, it happens with all ports, from 1 to 65535):

$ telnet 45.146.252.23 25
Trying 45.146.252.23...
Connected to 45.146.252.23.
Escape character is '^]'.
Connection closed by foreign host. <-- Connection is closed automatically

$ telnet 45.146.252.23 25
Trying 45.146.252.23...
Connected to 45.146.252.23.
Escape character is '^]'.
220 mail.starverse.in   <-- Connection works on second attempt
quit
221 mail.starverse.in closing connection
Connection closed by foreign host.

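A repeatable check for the “first connection is dropped, second one is accepted” pattern shown in the telnet and curl output above. This is an added example written for this page, not HestiaCP code and not something the posters ran. It assumes a host and port to probe; the loopback server in the block is a constructed stand-in that mimics the misbehaving host so the script runs offline. The optional `payload` argument lets the same probe send an HTTP request (for the `.well-known/acme-challenge` check) instead of waiting for an SMTP greeting.

```python
"""Repeated TCP probe to spot a "first connection dropped, second accepted"
pattern. Added example; not HestiaCP or forum code."""
import socket
import threading
import time

DROPPED = "dropped"    # connected, then the peer closed/reset before sending data
BANNER = "banner"      # the peer sent data (e.g. an SMTP "220 ..." greeting)
SILENT = "silent"      # connected, nothing received before the timeout
REFUSED = "refused"    # RST on connect: no listener, or a filter rejecting us


def probe_once(host, port, payload=None, timeout=3.0):
    """One connection attempt, classified by what happens after connect()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        if payload:                 # e.g. an HTTP request; SMTP needs none
            s.sendall(payload)
        data = s.recv(512)
    except ConnectionRefusedError:
        return REFUSED
    except (ConnectionResetError, BrokenPipeError):
        return DROPPED              # RST: curl's "Connection reset by peer"
    except socket.timeout:
        return SILENT
    finally:
        s.close()
    # b"" means the peer sent FIN without data: telnet's "closed by foreign host"
    return BANNER if data else DROPPED


def probe(host, port, attempts=3, gap=0.5, payload=None, timeout=3.0):
    """Connect `attempts` times with `gap` seconds between tries."""
    results = []
    for i in range(attempts):
        results.append(probe_once(host, port, payload, timeout))
        if i + 1 < attempts:
            time.sleep(gap)
    return results


def diagnose(results):
    """Name the pattern; 'first-connection-dropped' is the thread's symptom."""
    if results and all(r == BANNER for r in results):
        return "healthy"
    if results and results[0] == DROPPED and all(r == BANNER for r in results[1:]):
        return "first-connection-dropped"
    if results and all(r == DROPPED for r in results):
        return "always-dropped"
    if results and all(r == REFUSED for r in results):
        return "refused"
    return "mixed"


class FlakyServer:
    """Constructed stand-in for the misbehaving host: closes the first
    connection without a greeting, then answers like an SMTP server."""

    def __init__(self, drop_first=True):
        self.drop_first = drop_first
        self._seen = 0
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))   # ephemeral port on loopback
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return                      # listener closed by stop()
            self._seen += 1
            if self.drop_first and self._seen == 1:
                conn.close()                # FIN with no data: client sees DROPPED
            else:
                conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
                conn.close()

    def stop(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
        except OSError:
            pass
        self.sock.close()


if __name__ == "__main__":
    srv = FlakyServer(drop_first=True)
    out = probe("127.0.0.1", srv.port, attempts=3, gap=0.2)
    print(out, "->", diagnose(out))   # ['dropped', 'banner', 'banner'] -> first-connection-dropped
    srv.stop()
```

Against a real host, run `probe("mail.example", 25, attempts=5, gap=60)` with a gap of a few minutes to reproduce the “works, then fails again after a while” behaviour the thread describes; a result of `first-connection-dropped` or `mixed` is the evidence to hand to the hosting provider, since Let’s Encrypt makes only a handful of validation requests and does not retry a reset connection indefinitely.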

Both are not supported by Hestia.


I didn’t know that, but those two programs were removed at the start of the installation. :persevere:

As you said, I have contacted the server hosting provider; let’s hope they have a solution :v:

I will update you as soon as I get a response :smiling_face:


Hi guys. I got a response from the hosting provider; they made a few changes and it works!

I was able to fetch SSL for both the hostname and the mail domains as well!

Thanks for your interest in helping me! You guys are the best! :hugs:
