Let's Encrypt SSL Certificate Generation Issue

I’m having trouble generating a Let’s Encrypt SSL certificate using Hestia. When I check the option “Use Let’s Encrypt to obtain SSL certificate” in the domain settings and click save, the request takes too long and eventually results in an error: “Error: Let’s Encrypt finalize bad status 403”. The certificate generation has always been very slow for me.

I would like to know if it’s possible to skip generating SSL certificates, since I’m using Cloudflare for my domain. However, if I don’t activate the SSL option, browsers show an error indicating that the certificate is invalid, even though I have configured Cloudflare with Strict Full SSL.

Could someone provide assistance or guidance on how to resolve this issue?

Thank you!

Try this fix:

cd /usr/local/hestia/bin/
mv v-add-letsencrypt-domain v-add-letsencrypt-domain.original
wget https://raw.githubusercontent.com/hestiacp/hestiacp/64210fd8ccee8718a861856e99f9965e40ff3932/bin/v-add-letsencrypt-domain
chmod +x v-add-letsencrypt-domain

And try to issue the certificate again.


Does this fix apply only for CF? I too get 403 very often, and it takes a lot of time to issue the cert. I do not use CF, btw, but a normal root server without any 3rd-party connections.

No, the fix is for all.


Unfortunately, the problem persists. I followed your instructions, and it takes 40 to 60 seconds before I encounter this error: “Error: Let’s Encrypt validation status 400 (site.com). Details: 403: ‘The key authorization file from the server did not match this challenge.’” This issue also occurs with other domains.
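The “key authorization file did not match” message above means the CA fetched http://site.com/.well-known/acme-challenge/<token> and got something other than token.thumbprint(account key), which is what RFC 8555 section 8.1 requires for HTTP-01. The script below is an added example, not HestiaCP code, that rebuilds the expected key authorization from a token and an ACME account key in JWK form, fetches what the server really serves, and classifies the mismatch (empty file, HTML from the wrong vhost, or a file written for a different account key). The sample token and EC key are constructed for illustration; how Hestia stores its account key, and converting it from PEM to JWK, is outside this example.

```python
"""Added example (not from HestiaCP or the thread): check an HTTP-01 key
authorization the way the CA does. The sample JWK and token below are
constructed test data, not real keys or a real challenge."""
import base64
import hashlib
import json
import urllib.error
import urllib.request


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWK and ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the lexically sorted, whitespace-free
    JSON of the required public members only. Extra members ("kid", "alg")
    and the member order in the input do not change the result."""
    required = {"RSA": ("e", "kty", "n"),
                "EC": ("crv", "kty", "x", "y"),
                "OKP": ("crv", "kty", "x")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return token + "." + jwk_thumbprint(account_jwk)


def diagnose(token: str, account_jwk: dict, served_body: str) -> tuple:
    """Compare the body served at /.well-known/acme-challenge/<token> with the
    expected key authorization and say why it fails. Returns (ok, reason)."""
    expected = key_authorization(token, account_jwk)
    got = served_body.rstrip()  # a trailing newline is tolerated in this check
    if got == expected:
        return True, "served key authorization matches"
    if not got:
        return False, "empty response: challenge file not written or not served"
    if got.lstrip().startswith("<"):
        return False, "got HTML instead of the token: another vhost, a redirect or an error page answered"
    if got.startswith(token + "."):
        return False, "token matches but thumbprint differs: file written for a different ACME account key"
    return False, "response is not this challenge's key authorization at all"


def fetch_served(domain: str, token: str, timeout: int = 10) -> str:
    """Fetch the challenge file over plain HTTP, following redirects like the CA.
    Needs network; not used by the offline checks."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "key-auth-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 404/403 bodies are still informative
        return e.read().decode("utf-8", "replace")


# Constructed sample data: an EC P-256 public account key with an extraneous
# "kid" member, and a challenge token. Neither belongs to a real account.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "kid": "acct-1",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    # usage: python3 keyauth_check.py site.com <token> /path/to/account-key.jwk
    import sys
    domain, token, jwk_path = sys.argv[1], sys.argv[2], sys.argv[3]
    with open(jwk_path) as f:
        account_key = json.load(f)
    ok, why = diagnose(token, account_key, fetch_served(domain, token))
    print(("OK" if ok else "FAIL") + ": " + why)
```

The token and the thumbprint can be compared separately: if the first half matches but the second does not, the challenge file is being written by a client using another account key (for example a second ACME client on the same box), whereas an HTML body usually means nginx or Apache routed the request to a different vhost than the one Hestia wrote the file into.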

I would need the unedited output of /var/log/hestia/LE-YourUser-YourDomain.log

The file is too long. The procedure from STEP 1 to STEP 5 is successful, and I receive status 200. However, STEP 6 returns this:

==[Step 6]==
- status: 403
- nonce: FVNV6H0MsIXu0Kg_L4gtnQpPd0Kjrwjz_09DdTe0P9L_weJybOY
- payload: {"csr":"MIIFFzCCEv8CAQAwgGMxITAfBgkqhkiG9w0BCQEvEmluZm9AaW52aXRpbHV4LmNvbTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGKmb3JuagExFjAUBgNV>
- certificate:
- answer: HTTP/2 403
server: nginx
date: Mon, 25 Nov 2024 16:40:52 GMT
content-type: application/problem+json
content-length: 152
boulder-requester: 2074560617
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 

{
  "type": "urn:ietf:params:acme:error:orderNotReady",
  "detail": "Order's status (\"invalid\") is not acceptable for finalization",
  "status": 403
}

I need all the output.

You get 403 ‘Very Often’?

Uh, do you try MULTIPLE TIMES?
I have occasionally tried 2-3 times, and it almost ALWAYS works.

Try Once.
THEN WAIT AN HOUR
Test DNS:
Test DNS

nslookup yourdomain.com
nslookup yourdomain.com 1.1.1.1
nslookup yourdomain.com 8.8.8.8
nslookup yourdomain.com 9.9.9.9
nslookup yourdomain.com 8.8.4.4
nslookup yourdomain.com ns1.yourvpsprovider.com
nslookup yourdomain.com ns2.yourvpsprovider.com
nslookup yourdomain.com ns3.yourvpsprovider.com
nslookup yourdomain.com ns4.yourvpsprovider.com

Try a 2nd time.
THEN WAIT 2 HOURS

If it fails on the 3rd try, wait 24 hours.
I think that you’re only allowed 3-4 attempts every day.

And YES, you also need to test with all URL aliases:
nslookup subdomain1.yourdomain.com
nslookup www.yourdomain.com

9 times out of 10 that I have 403 errors, it’s because I’m setting my DNS records on the WRONG DNS provider. NO JOKE.

On Facebook / Twitter, etc… I’ve started using the hashtags
#itsalwaysdnsproblems
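The manual nslookup round above can be scripted. What follows is an added example, not HestiaCP code or the poster’s own procedure: it asks each resolver for every name the certificate will cover (the domain, www, and each alias) and flags any resolver that returns nothing or disagrees with the others, which is exactly the “records on the wrong DNS provider” case. It shells out to dig, so the public resolver list is the one from the post; the authoritative nameservers of your VPS provider are placeholders to fill in. The IPs in the usage comment are documentation addresses, not real hosts.

```python
"""Added example (not from HestiaCP or the thread): pre-flight DNS consistency
check before retrying a Let's Encrypt order. Uses dig via subprocess; the
judge() logic itself is pure and can be exercised with constructed answers."""
import subprocess

# Public resolvers from the post above. Add your provider's authoritative
# servers (ns1.yourvpsprovider.com ...) so you can see where the answers differ.
RESOLVERS = ["1.1.1.1", "8.8.8.8", "9.9.9.9", "8.8.4.4"]


def names_for_cert(domain, aliases=()):
    """Every name the certificate must validate, in order, without duplicates:
    the domain, its www alias, and any extra aliases configured in Hestia."""
    ordered = []
    for name in [domain, "www." + domain, *aliases]:
        if name not in ordered:
            ordered.append(name)
    return ordered


def dig_short(name, resolver, rrtype="A", timeout=5):
    """Answers from one resolver as a sorted list; None if dig is missing or
    the resolver did not reply in time (treated like an empty answer)."""
    cmd = ["dig", "+short", "+tries=1", f"+time={timeout}",
           "@" + resolver, name, rrtype]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             check=False, timeout=timeout + 2).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return sorted(line.strip() for line in out.splitlines()
                  if line.strip() and not line.startswith(";"))


def judge(answers):
    """answers: {resolver: list of records, or None/[] for no answer}.
    Returns (ok, problems). ok is True only when every resolver answered and
    all answers are identical; the first answering resolver is the reference."""
    problems = []
    reference = None
    for resolver, records in answers.items():
        if not records:
            problems.append(f"{resolver}: no answer (NXDOMAIN, timeout, or record not published there)")
            continue
        if reference is None:
            reference = (resolver, records)
        elif records != reference[1]:
            problems.append(f"{resolver}: {records} differs from "
                            f"{reference[0]}: {reference[1]}")
    return (reference is not None and not problems), problems


def check_domain(domain, aliases=(), resolvers=RESOLVERS, rrtype="A"):
    """Run judge() over every name; returns {name: (ok, problems)}."""
    return {name: judge({r: dig_short(name, r, rrtype) for r in resolvers})
            for name in names_for_cert(domain, aliases)}


if __name__ == "__main__":
    # usage: python3 dns_preflight.py example.com blog.example.com shop.example.com
    import sys
    for name, (ok, problems) in check_domain(sys.argv[1], sys.argv[2:]).items():
        print(("OK   " if ok else "FAIL ") + name)
        for p in problems:
            print("      " + p)
```

A name that passes on 1.1.1.1 but has “no answer” on your provider’s nameservers is the classic symptom of editing the zone at the wrong provider; a name that resolves everywhere but to different addresses usually means an old record still within its TTL on some resolvers, which is the case where waiting before the next attempt actually helps.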

No mate. What I meant was that if I try 2 or 3 times with a gap of 1.5 hours, I get that 403.
This also happens even if I try 2 times with the same or a longer time gap.

It takes 24-48 hours depending on the entries and the TTL set for the records, which can delay the setup. I always check accordingly. I only pointed this out based on the issue described by the OP.
