Let's Encrypt Error 403 on Subdomain

Trying to add a Let’s Encrypt TLS certificate to media.chrisamoody.com, the web UI returns:

Error: Let's Encrypt finalize bad status 403 (media.chrisamoody.com)

The LE log shows (note that the last step, finalize, fails with orderNotReady because the order is still "pending" — i.e. at least one authorization was never validated):


=============================
Date Time: 2024-09-10 23:26:01
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: chris
domain: media.chrisamoody.com


- aliases: www.media.chrisamoody.com
- proto: http-01
- wildcard:


==[Step 1]==
- status: 200
- nonce: 4OmWUlyUPddknnoo3_Y1qEegGEmKWW0UYtwouOlxs1bomxxh4f0
- answer: HTTP/2 200
server: nginx
date: Wed, 11 Sep 2024 04:26:09 GMT
content-type: application/json
content-length: 746
cache-control: public, max-age=0, no-cache
replay-nonce: 4OmWUlyUPddknnoo3_Y1qEegGEmKWW0UYtwouOlxs1bomxxh4f0
x-frame-options: DENY
strict-transport-security: max-age=604800



==[API call]==
exit status: 0


==[Step 2]==
- status: 201
- nonce: UAMvsxnw5PHiHXHO01b0C49faj5G7pDQL8LnEMWA6bcJz6vkXLM
- authz: https://acme-v02.api.letsencrypt.org/acme/authz-v3/402113643586
https://acme-v02.api.letsencrypt.org/acme/authz-v3/402113643596
- finalize: https://acme-v02.api.letsencrypt.org/acme/finalize/99919838/304138858306
- payload: {"identifiers":[{"type":"dns","value":"media.chrisamoody.com"},{"type":"dns","value":"www.media.chrisamoody.com"}]}
- answer: HTTP/2 201
server: nginx
date: Wed, 11 Sep 2024 04:26:09 GMT
content-type: application/json
content-length: 493
boulder-requester: 99919838
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/99919838/304138858306
replay-nonce: UAMvsxnw5PHiHXHO01b0C49faj5G7pDQL8LnEMWA6bcJz6vkXLM
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "status": "pending",
  "expires": "2024-09-18T04:26:09Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "media.chrisamoody.com"
    },
    { 
      "type": "dns",
      "value": "www.media.chrisamoody.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/402113643586",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/402113643596"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/99919838/304138858306"
}
 order: https://acme-v02.api.letsencrypt.org/acme/order/99919838/304138858306


==[API call]==
exit status: 0


==[Step 3]==
- status: 200
- nonce: 4OmWUlyU7deMpQHHEyxeEO6N8IFsZP2cK6nJ23A2tAT5XLOsuEA
- url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643586/VDpOUA
- token: hhMk9dloYGXVnTKUlmisj84Xj5bCDeJ-v53_FVz3nyU
- answer: HTTP/2 200
server: nginx
date: Wed, 11 Sep 2024 04:26:09 GMT
content-type: application/json
content-length: 805
boulder-requester: 99919838
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 4OmWUlyU7deMpQHHEyxeEO6N8IFsZP2cK6nJ23A2tAT5XLOsuEA
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "media.chrisamoody.com"
  },
  "status": "pending",
  "expires": "2024-09-18T04:26:09Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643586/VDpOUA",
      "status": "pending",
      "token": "hhMk9dloYGXVnTKUlmisj84Xj5bCDeJ-v53_FVz3nyU"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643586/KPWQ5Q",
      "status": "pending",
      "token": "hhMk9dloYGXVnTKUlmisj84Xj5bCDeJ-v53_FVz3nyU"
    },
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643586/4wuYxw",
      "status": "pending",
      "token": "hhMk9dloYGXVnTKUlmisj84Xj5bCDeJ-v53_FVz3nyU"
    }
  ]
}


==[API call]==
exit status: 0


==[Step 5]==
- status: 200
- url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643586/VDpOUA
- nonce: 4OmWUlyUYHz-M8ww3wC6QQyNdz4arP1z4o-T_FEp8KLBd4LeFuY
- validation: https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643586/VDpOUA
- details:
- answer: HTTP/2 200
server: nginx
date: Wed, 11 Sep 2024 04:26:22 GMT
content-type: application/json
content-length: 187
boulder-requester: 99919838
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
link: <https://acme-v02.api.letsencrypt.org/acme/authz-v3/402113643586>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643586/VDpOUA
replay-nonce: 4OmWUlyUYHz-M8ww3wC6QQyNdz4arP1z4o-T_FEp8KLBd4LeFuY
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643586/VDpOUA",
  "status": "pending",
  "token": "hhMk9dloYGXVnTKUlmisj84Xj5bCDeJ-v53_FVz3nyU"
}


==[API call]==
exit status: 0


==[Step 3]==
- status: 200
- nonce: 4OmWUlyUsyEXx-d6PowXnRg0i3-Jbk7pYEA0nfxxibcDH7ZlHDc
- url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643596/CwRxFg
- token: zwLKdcyQv1x11aEMimFHjQpQLwUTYPbTMx7c2EFGXqY
- answer: HTTP/2 200
server: nginx
date: Wed, 11 Sep 2024 04:26:26 GMT
content-type: application/json
content-length: 809
boulder-requester: 99919838
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 4OmWUlyUsyEXx-d6PowXnRg0i3-Jbk7pYEA0nfxxibcDH7ZlHDc
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.media.chrisamoody.com"
  },
  "status": "pending",
  "expires": "2024-09-18T04:26:09Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643596/AI2k8g",
      "status": "pending",
      "token": "zwLKdcyQv1x11aEMimFHjQpQLwUTYPbTMx7c2EFGXqY"
   },
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643596/Ue_l1g",
      "status": "pending",
      "token": "zwLKdcyQv1x11aEMimFHjQpQLwUTYPbTMx7c2EFGXqY"
    },
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643596/CwRxFg",
      "status": "pending",
      "token": "zwLKdcyQv1x11aEMimFHjQpQLwUTYPbTMx7c2EFGXqY"
    }
  ]
}


==[API call]==
exit status: 0


==[Step 5]==
- status: 200
- url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643596/CwRxFg
- nonce: fCBw7MtQs5oCPKGczzrNuenedXFXWsg5vYRI0fYc8vfhVxh5mKU
- validation: https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643596/CwRxFg
- details:
- answer: HTTP/2 200
server: nginx
date: Wed, 11 Sep 2024 04:26:32 GMT
content-type: application/json
content-length: 187
boulder-requester: 99919838
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
link: <https://acme-v02.api.letsencrypt.org/acme/authz-v3/402113643596>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643596/CwRxFg
replay-nonce: fCBw7MtQs5oCPKGczzrNuenedXFXWsg5vYRI0fYc8vfhVxh5mKU
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/402113643596/CwRxFg",
  "status": "pending",
  "token": "zwLKdcyQv1x11aEMimFHjQpQLwUTYPbTMx7c2EFGXqY"
}


==[API call]==
exit status: 0


==[Step 6]==
- status: 403
- nonce: 4OmWUlyUGIUNIUmjcWB1Vy887eqnXTnncS5czz-YSBvhEdKV6To
- payload: {"csr":"MIIFNzCCAx8CAQAwgaMxKTAnBgkqhkiG9w0BCQEWGmluZm9AbWVkaWEuY2hyaXNhbW9vZHkuY29tMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEPMA0GA1UECgwGSGVzdGlhMQswCQYDVQQLDAJJVDEeMBwGA1UEAwwVbWVkaWEuY2h>
- certificate:
- answer: HTTP/2 403
server: nginx
date: Wed, 11 Sep 2024 04:26:45 GMT
content-type: application/problem+json
content-length: 152
boulder-requester: 99919838
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 4OmWUlyUGIUNIUmjcWB1Vy887eqnXTnncS5czz-YSBvhEdKV6To

{
  "type": "urn:ietf:params:acme:error:orderNotReady",
  "detail": "Order's status (\"pending\") is not acceptable for finalization",
  "status": 403
}

The problem is that when you added the web domain media.chrisamoody.com, Hestia automatically added the alias www.media.chrisamoody.com as well, so the ACME order (Step 2) asks for both names.

media.chrisamoody.com has an A record but www.media.chrisamoody.com does not, so Let’s Encrypt cannot reach the alias to complete its http-01 challenge; that authorization stays "pending", the order never becomes "ready", and finalize is rejected with orderNotReady. Either add an A record for the www subdomain, or remove the www alias in Hestia.

Also, none of the authoritative name servers for your domain answer DNS queries at all, which on its own is enough to make validation fail: Let’s Encrypt’s validators must be able to resolve the name before they can fetch the challenge, regardless of what the web server serves:

$ dig media.chrisamoody.com ns +noall +ans
media.chrisamoody.com.  13859   IN      NS      ns2.chrisamoody.com.
media.chrisamoody.com.  13859   IN      NS      ns1.chrisamoody.com.
$ dig @ns1.chrisamoody.com media.chrisamoody.com +nocmd
;; communications error to 104.171.126.178#53: timed out
;; communications error to 104.171.126.178#53: timed out
;; communications error to 104.171.126.178#53: timed out

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @ns1.chrisamoody.com media.chrisamoody.com +nocmd
; (1 server found)
;; global options: +cmd
;; no servers could be reached
$ dig @ns2.chrisamoody.com media.chrisamoody.com +nocmd
;; communications error to 172.81.117.37#53: timed out
;; communications error to 172.81.117.37#53: timed out
;; communications error to 172.81.117.37#53: timed out

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @ns2.chrisamoody.com media.chrisamoody.com +nocmd
; (1 server found)
;; global options: +cmd
;; no servers could be reached

I had also renamed index.html to index.old; renaming it back seemed to help as well (most likely a coincidence — http-01 validation fetches /.well-known/acme-challenge/&lt;token&gt;, not index.html). It now has a certificate.

As a side question, is there a way to tell the server which name servers to use by default for new domains?

I use the same nameservers for everything on this Hestia server.

Yes — set those name servers in the hosting package that you assign to your users.
