Let's Encrypt Certificate Installation Issue in HestiaCP

I’m trying to finalize the hestiacp install, but failing to add the SSL certificate.

The SSL for the “website” is ok. But the hestiacp is not. I don’t know if it’s absolutely necessary to have it. I’m also doing all the operations with the help of claude, deepseek and sometimes chatgpt.

Below is the error report.

Diagnostic Report: Let’s Encrypt Certificate Installation Issue in HestiaCP

System Context:

  • Server: Virtualized Cloud Server

  • Hostname: subdomain.mysite.com

  • Operating System: Debian 12

  • Control Panel: HestiaCP 1.8.12

Identified Problem:

Failure to install Let’s Encrypt certificate using v-add-letsencrypt-host command

sudo /usr/local/hestia/bin/v-add-letsencrypt-host

Error: ERROR: Restart of hestia failed.

Specific Symptoms:

  1. Consistent Error: “ERROR: Restart of hestia failed”

  2. Nginx Log Warning: “ssl_stapling” ignored, issuer certificate not found

Relevant Configurations:

  • Configured Domains:

    1. Previous hostname

    2. Current hostname

  • Administrative User: admin

  • DNS Configuration: Validated

Potential Root Causes:

  1. SSL Certificate Incompatibility

  2. Permissions Issues with SSL Files

  3. Incomplete Let’s Encrypt Configuration

  4. Nginx Instance Conflict

Technical Details:

  • HestiaCP Version: 1.8.12

  • SSL Certificate Location: /usr/local/hestia/ssl/

  • Nginx Configuration: Custom HestiaCP configuration

Previous Troubleshooting Actions:

  • SSL File Permissions Adjustment

  • Self-Signed Certificate Regeneration

  • DNS Configuration Verification

Recommended Next Steps:

  1. Detailed System Log Analysis

  2. SSL Configuration Validation

  3. Comprehensive HestiaCP Service Diagnostics

  4. Potential Clean Reinstallation of SSL Certificates

Diagnostic Notes:

  • Service Status: Active and Running

  • PHP-FPM and Nginx Processes Operational

  • SSL Stapling Configuration Incomplete

Suggested Investigation Points:

  • Verify Let’s Encrypt Account and Domain Validation

  • Check Network and Firewall Configurations

  • Examine Detailed Error Logs

  • Validate Domain Ownership and DNS Propagation

Step 1:

systemctl status hestia

Check why it is failing

v-add-letsencrypt-domain admin hostname.com works fine?

“ssl_stapling” ignored, issuer certificate not found?
That is fine, because it is a self-signed certificate.

systemctl status hestia
● hestia.service - LSB: starts the hestia control panel
Loaded: loaded (/etc/init.d/hestia; generated)
Active: active (running) since Wed 2025-01-29 03:32:11 UTC; 8h ago
Docs: man:systemd-sysv-generator(8)
Process: 21883 ExecStart=/etc/init.d/hestia start (code=exited, status=0/SUCCESS)
Tasks: 3 (limit: 9484)
Memory: 9.4M
CPU: 2.357s
CGroup: /system.slice/hestia.service
├─21888 "nginx: master process /usr/local/hestia/nginx/sbin/hestia-nginx"
├─21889 "nginx: worker process"
└─21891 "php-fpm: master process (/usr/local/hestia/php/etc/php-fpm.conf)"
ozp@labs:~$

sudo /usr/local/hestia/bin/v-add-letsencrypt-domain admin sub.mysite.com

no errors

but sub.mysite.com:8083 still with no SSL

the website has SSL ok

Then run v-add-letsencrypt-host

ozp@labs:~$ sudo /usr/local/hestia/bin/v-add-letsencrypt-host
Error: ERROR: Restart of hestia failed.

or

ozp@labs:~$ sudo /usr/local/hestia/bin/v-add-letsencrypt-host sub . mysit e .com
Error: ERROR: Restart of hestia failed.

same results

ozp@labs:~$ sudo systemctl status hestia
× hestia.service - LSB: starts the hestia control panel
Loaded: loaded (/etc/init.d/hestia; generated)
Active: failed (Result: exit-code) since Wed 2025-01-29 16:01:36 UTC; 17s ago
Duration: 3min 12.153s
Docs: man:systemd-sysv-generator(8)
Process: 93861 ExecStart=/etc/init.d/hestia start (code=exited, status=1/FAILURE)
CPU: 27ms

Jan 29 16:01:36 sub . mysite . com systemd[1]: Starting hestia.service - LSB: starts the hestia control panel...
Jan 29 16:01:36 sub . mysite . com hestia[93861]: Starting hestia-nginx: hestia-nginx
Jan 29 16:01:36 sub . mysite . com hestia[93865]: nginx: [emerg] cannot load certificate "/usr/local/hestia/ssl/full_chain.crt": BIO_new_file() failed (SSL: error:80000002:system library::N>
Jan 29 16:01:36 sub . mysite . com systemd[1]: hestia.service: Control process exited, code=exited, status=1/FAILURE
Jan 29 16:01:36 sub . mysite . com systemd[1]: hestia.service: Failed with result 'exit-code'.
Jan 29 16:01:36 sub . mysite . com systemd[1]: Failed to start hestia.service - LSB: starts the hestia control panel.

then:

ozp@labs:~$ sudo rm /usr/local/hestia/ssl/certificate.key
ozp@labs:~$ sudo rm /usr/local/hestia/ssl/certificate.crt
ozp@labs:~$ sudo rm /usr/local/hestia/ssl/full_chain.crt

ozp@labs:/usr/local/hestia/ssl$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /usr/local/hestia/ssl/certificate.key \
  -out /usr/local/hestia/ssl/certificate.crt \
  -subj "/CN=sub . mysite . com"

ozp@labs:/usr/local/hestia/ssl$ sudo bash -c 'cat /usr/local/hestia/ssl/certificate.crt /usr/local/hestia/ssl/certificate.key > /usr/local/hestia/ssl/full_chain.crt'

ozp@labs:/usr/local/hestia/ssl$ ls -l /usr/local/hestia/ssl/
total 16
drwxr-xr-x 2 root root 4096 Jan 29 16:05 certificate
-rw-r--r-- 1 root root 1127 Jan 29 16:09 certificate.crt
-rw------- 1 root root 1704 Jan 29 16:09 certificate.key
-rw-r--r-- 1 root root 2831 Jan 29 16:17 full_chain.crt

ozp@labs:/usr/local/hestia/ssl$ sudo systemctl restart hestia

results: hestia opens, but with no SSL

Have you modified Hestia’s nginx configuration? full_chain.crt should not be there, in my opinion.

So yes

Use the correct nginx.conf and it should work fine …

Thanks!

The issue is that I’m using LLM guidance to setup the server.

And I noticed that I need to provide better instructions, otherwise the LLM will make a mess.
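
As an added example (not from the thread and not HestiaCP's own tooling), a shell audit of the files a modified nginx.conf names in its ssl_certificate and ssl_certificate_key directives: it flags a referenced file that does not exist, as in the [emerg] log line above, and a private key sitting in a group- or world-readable file, which is what concatenating certificate.key into a 0644 full_chain.crt produces. The function names, the temporary sample layout and the placeholder PEM bodies are assumptions constructed for the example.

```shell
# Added example: audit the files an nginx config names in its TLS directives.
# Assumes one directive per line and paths without spaces or quotes.
audit_nginx_ssl() {
    awk '{ sub(/#.*/, "") }
         $1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
             p = $2; sub(/;$/, "", p); print $1, p }' "$1" |
    while read -r directive path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $directive $path"   # nginx cannot load this file
            continue
        fi
        has_key=no; has_cert=no
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$path" && has_key=yes
        grep -q -e '-----BEGIN CERTIFICATE-----' "$path" && has_cert=yes
        # Non-empty when group or other has read permission on the file.
        exposed=$(find "$path" -prune \( -perm -040 -o -perm -004 \))
        case $directive in
            ssl_certificate)
                [ "$has_cert" = yes ] || echo "NO_CERT $path"
                [ "$has_key" = no ] || echo "KEY_IN_CERT_FILE $path" ;;
            ssl_certificate_key)
                [ "$has_key" = yes ] || echo "NO_KEY $path" ;;
        esac
        if [ "$has_key" = yes ] && [ -n "$exposed" ]; then
            echo "KEY_READABLE_BY_OTHERS $path"
        fi
    done
}

# Constructed sample mirroring the thread: a config that names full_chain.crt.
# The PEM bodies are placeholders, not real key material.
make_sample() {
    d=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$d/certificate.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'BBBB' '-----END PRIVATE KEY-----' > "$d/certificate.key"
    chmod 644 "$d/certificate.crt"; chmod 600 "$d/certificate.key"
    printf '%s\n' "ssl_certificate $d/full_chain.crt;" \
                  "ssl_certificate_key $d/certificate.key;" > "$d/nginx.conf"
}

sample=$(mktemp -d); make_sample "$sample"
echo "== config names a file that does not exist =="
audit_nginx_ssl "$sample/nginx.conf"
# Repeat the thread's workaround: certificate plus key in one 0644 file.
cat "$sample/certificate.crt" "$sample/certificate.key" > "$sample/full_chain.crt"
chmod 644 "$sample/full_chain.crt"
echo "== after concatenating certificate and key =="
audit_nginx_ssl "$sample/nginx.conf"
```

On a real host the function would be pointed at the panel's own nginx.conf; an empty result means every referenced file exists and no private key is readable beyond its owner.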
