Let's Encrypt cron error

Everynight since January 4th, I get this error email:

[email protected]
cron [email protected] sudo /usr/local/hestia/bin/v-update-letsencrypt-ssl
Error: Let’s Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending

I have already checked:

I have run the command /usr/local/hestia/bin/v-update-letsencrypt-ssl

  • It tries to get let’s encrypt certificates for 137 domains.
  • Some of them fail but I don’t know which of them
  • the exit status if the command is 0
    /usr/local/hestia/bin/v-update-letsencrypt-ssl

Questions:

  • Where does the script store the log?
  • How can I get to know which domain is failing otherwise?
  • I am concerned about the certificate for the machine’s name itself. How can I make sure it is not failing to renew?

Feature request:

  • Configure error to show which domains / subdomains are failing and why.

/var/log/hestia/

And there is an file created
user-domain-date.log

Thank you very much @eris for your time.

/usr/local/hestia/bin/v-add-letsencrypt-domain admin c02.mydomain.com

Fails: Exit code 15

AND
[email protected]:/usr/local/hestia/bin# ./v-list-dns-domains admin
DOMAIN IP TPL TTL REC SPND DATE


I get an empty response. No domains under admin ???

Disabling completely SSL Support for the website in subdomain:
c02.mydomain.com and enabling it back again renewed the certificate.

To test if it is solved I manually executed the command
/usr/local/hestia/bin/v-add-letsencrypt-domain admin c02.mydomain.com
The certificate was renewed again. Problem solved.

Disableing SSL and renewing is no real option. For one domain it is maybe fine but 100 takes way to long…

In case it helps you debug the problem.

The problem is on a MAIL + DNS server and only the name of the machine fails for now.

I kept the output of bash -x /usr/local/hestia/bin/v-add-letsencrypt-domain admin c02.mydomain.com

+ echo -e '\n==[Step 5]==\n- status: 400\n- nonce: 0104hu_OuKU0fL9d-JgyVh4pUPZWrSVr5wYto0aAC02XQ3Y\n- validation: \n- details: Unable to update challenge :: authorization must be pending\n- answer: HTTP/2 400
server: nginx
date: Fri, 08 Jan 2021 10:50:31 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 101121629
cache-control: public, max-age=0, no-cache
link: [<https://acme-v02.api.letsencrypt.org/directory>](https://acme-v02.api.letsencrypt.org/directory);rel="index"
replay-nonce: 0104hu_OuKU0fL9d-JgyVh4pUPZWrSVr5wYto0aAC02XQ3Y

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
}\n'
+ [[ 400 -ne 200 ]]
+ '[' '!' -z bind9 ']'
++ **/** **usr/local/hestia/bin/v-list-dns-domains admin**
++ grep **c02.mydomain.com**
++ cut '-d ' -f1
+ **dns_domain=**
++ **/usr/local/hestia/bin/v-list-dns-records admin c02.mydomain.com**
++ grep -i letsencrypt
++ cut '-d ' -f1
+ caa_record=
+ '[' '' = c02.mydomain.com ']'
+ debug_log 'Abort Step 5' '=> Wrong status'
+ echo -e '\n==[Abort Step 5]==\n=> Wrong status\n'
+ check_result 15 'Let'\''s Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending'
+ '[' 15 -ne 0 ']'
+ echo 'Error: Let'\''s Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending'
Error: Let's Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending
+ '[' '!' -z '' ']'
+ log_event 15 ' '\''admin'\'' '\''c02.mydomain.com'\'''
+ '[' -z '' ']'
++ date '+%F %T'
++ basename /usr/local/hestia/bin/v-add-letsencrypt-domain
+ LOG_TIME='2021-01-08 11:50:32 v-add-letsencrypt-domain'
+ '[' 15 -eq 0 ']'
+ echo '2021-01-08 11:50:32 v-add-letsencrypt-domain '\''admin'\'' '\''c02.mydomain.com'\'' [Error 15]'
+ exit 15

I think it can’t work because it is looking for DNS zones for the admin user.

The admin user doesn’t have any DNS zones. Only the ownership of the website of the subdomain with the name of the machine: c02.mydomain.com

My errors have been to do with the panel> domain> force ssl setting and when I uncheck this the domains then renew SSL cert/.s

The script mentioned here is very useful for finding affected error domains.