Lets encrypt/ssl issue on a subdomain


First of all I am thankful for Hestia. I am running it on Ubuntu18.04 with great success.

I created a new website lets call it sub.domain.com and automatic lets encrypt didnt work.

Site domain com is hosted elsewhere and I pointed A record of sub.domain.com to server managed by hestia. I have several other sites for which SSL works fine and the main difference I can think of is that in those other cases the main site (domain com) is also on this server.

Retrying it from CP I get error code 15.

From CLI
v-add-letsencrypt-domain returns ->

Error: Let’s Encrypt validation status . Details:

Unfortunately the error message is not helpful. Where to start looking?

Remove the www.sub.domain.com alias and try again

Thanks for the effort Eric. Such alias does not exist. Anything else?

How often did you try to get the cert? There are several limitations on the number of (failed) requests you can run in a short time frame.
Maybe the dns change wasn’t fully populated at the time you started trying and now you are out of tries for a while?

I’d recommend checking that the dns resolves properly to your server for that sub domain, if you have multiple IPs on it, make sure the one you assigned and the one you put in the A record match :wink:
Then wait an hour or two before you try again.

It failed the first time and subsequent attempts. The DNS propagated before I tried it. IPs match.

Still same message:
Error: Let’s Encrypt validation status . Details:

And in CP : Error code 15

Error Code 15 means connection failed, are you sure that the server, in special with dns, is working properly? -> https://docs.hestiacp.com/admin_docs/rest_api.html#return-codes

seems weird, check for accidentical typos in the domain name as well as the dns entry. or maybe you still have something in the alias field?

probably easiest to remove the web domain (if possible) and add it again.

@ScIT Thanks for input. Here is full information.

The domain is browser.kagi.com

This is hestia landing page:

A record points to which is where it is hosted.

Let me know if there are any other debug commands to provide more context.

Was talking from the other way, can you reach the Let’s Encrypt API Server from your host? https://acme-v02.api.letsencrypt.org

1 Like

Oh, yes

curl -I https://acme-v02.api.letsencrypt.org

HTTP/2 200
server: nginx

date: Mon, 20 Jul 2020 20:35:31 GMT

content-type: text/html

content-length: 2174

last-modified: Mon, 25 Feb 2019 20:15:27 GMT

etag: “5c744cdf-87e”

x-frame-options: DENY

strict-transport-security: max-age=604800

As mentioned in original post I was successful creating SSL for other sites I host here. This is the only one where I host the main site elsewhere and I only created subdomain on this server with the matching A record.

Not sure what this does but tried running it:


Error: Let’s Encrypt new auth status 400

Error: Let’s Encrypt SSL creation failed

Is there a log for v-add-letsencrypt-domain?

It sill output only "Error: Let’s Encrypt validation status . Details: " any maybe the log will tell more?

Would like to launch this site tomorrow so any tips are extremely appreciated!

Just tried to replicate the issue but it worked here without any issue

I used v-add-letsencrypt-domain username sub.domain.com with out any issue.

Still no success. Any new ideas?

maybe your nginx refuses to restart because something is of with one of the configs? if that’s the case the script can’t put in the proper challenges and the validation will fail.
(edit: the script adds the .well-known/acme-challenge together with the valid return code to the domains nginx config and needs to restart nginx for it to become available)

so I suggest you try to restart nginx manually and see if this gives an error. could be even an unrelated config of another domain that’s the blocker here…

other than that: do you use the internal dns service with hestia or an external one?

DNS is externally hosted. Nginx works as expected.

I ended up moving the site to a new server and installing lets encrypt manually. Thanks all for assistance.