Let's Encrypt/SSL issue on a subdomain

Hi

First of all I am thankful for Hestia. I am running it on Ubuntu 18.04 with great success.

I created a new website, let's call it sub.domain.com, and automatic Let's Encrypt didn't work.

The site domain.com is hosted elsewhere and I pointed the A record of sub.domain.com to the server managed by Hestia. I have several other sites for which SSL works fine, and the main difference I can think of is that in those other cases the main site (domain.com) is also on this server.

Retrying it from the CP I get error code 15.

From the CLI,
v-add-letsencrypt-domain returns:

Error: Let’s Encrypt validation status . Details:

Unfortunately the error message is not helpful. Where to start looking?

Remove the www.sub.domain.com alias and try again.

Thanks for the effort Eric. Such alias does not exist. Anything else?

How often did you try to get the cert? There are several limitations on the number of (failed) requests you can run in a short time frame.
Maybe the DNS change wasn't fully propagated at the time you started trying and now you are out of tries for a while?

I'd recommend checking that the DNS resolves properly to your server for that subdomain; if you have multiple IPs on it, make sure the one you assigned and the one you put in the A record match :wink:
Then wait an hour or two before you try again.

It failed the first time and subsequent attempts. The DNS propagated before I tried it. IPs match.

Still same message:
Error: Let’s Encrypt validation status . Details:

And in the CP: Error code 15

Error code 15 means "connection failed". Are you sure that the server, especially DNS, is working properly? -> https://docs.hestiacp.com/admin_docs/rest_api.html#return-codes

Seems weird. Check for accidental typos in the domain name as well as in the DNS entry, or maybe you still have something in the alias field?

Probably easiest to remove the web domain (if possible) and add it again.

@Raphael Thanks for input. Here is full information.

The domain is browser.kagi.com

This is the Hestia landing page:
http://browser.kagi.com

A record points to 161.35.6.210 which is where it is hosted.

Let me know if there are any other debug commands to provide more context.

I was talking about the other direction: can you reach the Let's Encrypt API server from your host? https://acme-v02.api.letsencrypt.org


Oh, yes

curl -I https://acme-v02.api.letsencrypt.org

HTTP/2 200
server: nginx
date: Mon, 20 Jul 2020 20:35:31 GMT
content-type: text/html
content-length: 2174
last-modified: Mon, 25 Feb 2019 20:15:27 GMT
etag: "5c744cdf-87e"
x-frame-options: DENY
strict-transport-security: max-age=604800

As mentioned in the original post, I was successful creating SSL for the other sites I host here. This is the only one where I host the main site elsewhere and only created the subdomain on this server, with the matching A record.


Not sure what this does, but I tried running it:

v-add-letsencrypt-host
Error: Let’s Encrypt new auth status 400
Error: Let’s Encrypt SSL creation failed


Is there a log for v-add-letsencrypt-domain?

It still outputs only "Error: Let’s Encrypt validation status . Details: " and maybe the log will tell more?


Would like to launch this site tomorrow so any tips are extremely appreciated!

Just tried to replicate the issue, but it worked here without any problem.

I used v-add-letsencrypt-domain username sub.domain.com without any issue.

Still no success. Any new ideas?

Maybe your nginx refuses to restart because something is off with one of the configs? If that's the case the script can't put in the proper challenges and the validation will fail.
(edit: the script adds the .well-known/acme-challenge location together with the valid return code to the domain's nginx config and needs to restart nginx for it to become available)

So I suggest you try to restart nginx manually and see if this gives an error. It could even be an unrelated config of another domain that's the blocker here...

Other than that: do you use the internal DNS service with Hestia or an external one?
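
The post above describes what HTTP-01 validation needs from the outside: the A record must resolve to this server, and http://<domain>/.well-known/acme-challenge/<token> must be reachable over plain HTTP from the CA. The script below is an added example (not HestiaCP code and not from any poster in this thread) that replays that view before spending another attempt against the rate limits. It assumes you have placed a probe file with known content under the acme-challenge path that nginx serves for the domain; the domain, IP and probe name in the usage line are placeholders. The resolver and fetcher are injectable so the decision logic can also be run offline with constructed answers.

```python
#!/usr/bin/env python3
"""Pre-flight check for ACME HTTP-01 validation (added example, not HestiaCP code).

The CA resolves the domain's A record and fetches
http://<domain>/.well-known/acme-challenge/<token> over plain HTTP. This
script does the same from the outside: resolve the name, compare it with the
IP the web domain was created on, then fetch a probe file you placed in the
challenge directory yourself. `resolve` and `fetch` are parameters so the
checks can be exercised offline with constructed answers (see the tests);
the real network functions are used when run from the command line.
"""
import socket
import sys
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

CHALLENGE_PATH = "/.well-known/acme-challenge/"
Resolver = Callable[[str], List[str]]
Fetcher = Callable[[str], Tuple[int, str]]


def resolve_a(domain: str) -> List[str]:
    """IPv4 addresses the system resolver returns for domain (empty on NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fetch_http(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Plain-HTTP GET as the CA does it; returns (status, body), status 0 on connect failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "http01-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return 0, str(err)


def check_http01(domain: str, expected_ip: str, probe_name: str, probe_body: str,
                 resolve: Resolver = resolve_a, fetch: Fetcher = fetch_http) -> List[str]:
    """Return the problems found; an empty list means validation should succeed."""
    problems: List[str] = []
    ips = resolve(domain)
    if not ips:
        problems.append(f"{domain}: no A record (NXDOMAIN or not yet propagated)")
    elif expected_ip not in ips:
        problems.append(f"{domain}: A record {ips} does not point at {expected_ip}")
    elif len(ips) > 1:
        # The CA may validate against any of them; a second host would answer 404.
        problems.append(f"{domain}: extra A records {ips}; every IP must serve the challenge")
    if problems:
        return problems  # fetching now would test some other host, not ours

    url = f"http://{domain}{CHALLENGE_PATH}{probe_name}"
    status, body = fetch(url)
    if status == 0:
        problems.append(f"{url}: connection failed ({body.strip()})")
    elif status != 200:
        problems.append(f"{url}: HTTP {status}, challenge path is not served")
    elif body.strip() != probe_body:
        # A 200 with the landing page means the location block is not in effect.
        problems.append(f"{url}: served unexpected content {body.strip()!r}")
    return problems


if __name__ == "__main__":
    # Placeholder usage: preflight.py browser.kagi.com 161.35.6.210 probe.txt hello
    if len(sys.argv) != 5:
        sys.exit("usage: preflight.py DOMAIN SERVER_IP PROBE_FILE PROBE_CONTENT")
    found = check_http01(*sys.argv[1:5])
    print("\n".join(found) if found else "HTTP-01 pre-flight OK")
    sys.exit(1 if found else 0)
```

Run it from a machine outside the server (or at least not through /etc/hosts) so the resolver answer matches what the CA sees; a clean result with a failing v-add-letsencrypt-domain points at the nginx restart or the outbound ACME connection rather than DNS.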

DNS is externally hosted. Nginx works as expected.

I ended up moving the site to a new server and installing Let's Encrypt manually. Thanks all for the assistance.