Let's Encrypt validation status 400 ("status": 403)

Trying to renew an SSL certificate error 400 is showing up.
Checked SSL Certificates and Let's Encrypt — Hestia Control Panel documentation but everything seems fine.
Looking up in your forum I found a few requests but haven’t found any answer yet. A very similar request was this one from @jlguerrero: Let's Encrypt validation status 400 unable to update challenge, but in my case it is not related to an Nginx config error, at least I hope so!

Looking into LE-{user}-{domain}.log, I have this:

"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "49.12.212.xx: Invalid response from http://staging.domain.com/.well-known/acme-challenge/l652JH3M7yNRASrkQNQu6cf6ApTWAq6weFmLjf6w5lY: 401",
"status": 403

No Nginx errors (nginx -t shows OK), no external firewalls enabled (Cloudflare or anything else).
I’ve noticed that the .well-known wasn’t there in my site’s webroot so I created it from scratch setting web domain user’s ownership, but still having this error…

What else could I check?

BTW I’m using the latest HestiaCP release: 1.6.7 , my site is password protected with httpauth feature and I use a custom template copied from /usr/local/hestia/data/templates/web/nginx/php-fpm/wordpress.tpl and stpl.

There is probably your issue, you need to exclude the protection for the LE validation link.

Hi @ScIT
Thanks for your feedback!

I found the culprit… damn it… it was the custom template… as soon as I’ve set up the default wordpress template, voilà!! no more validation status 400 errors…

Quite weird as I made a straight copy from the default wordpress template and didn’t add any custom code… (?!)

There probably needs to be a change somewhere, otherwise you could have used the wordpress one :slight_smile:

http auth feature doesn’t bypass .well-known currently.

Don’t know if it is worth fixing the issue.
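To illustrate what "exclude the protection for the LE validation link" and "http auth doesn't bypass .well-known" mean in Nginx terms, here is an added example that is not from this thread, from HestiaCP's templates, or from any poster. The server name, webroot and htpasswd path are assumptions; the point is that the ACME challenge location turns `auth_basic` off and is matched with `^~` so no later location (PHP handler, rewrite) can capture it and answer 401 instead of serving the token.

```nginx
# Added example (assumed paths and names, not HestiaCP's own template):
# a password-protected site that still answers Let's Encrypt HTTP-01 challenges.
server {
    listen 80;
    server_name staging.domain.com;                         # assumed
    root /home/user/web/staging.domain.com/public_html;     # assumed

    # ACME HTTP-01 validation: the CA fetches
    # /.well-known/acme-challenge/<token> and expects 200 with the token body.
    # No credentials, no redirect to a login page, no PHP handling.
    # "^~" is a prefix match that wins over regex locations declared below it.
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        allow all;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else stays behind HTTP basic auth.
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /home/user/web/staging.domain.com/.htpasswd;  # assumed
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        auth_basic "Restricted";
        auth_basic_user_file /home/user/web/staging.domain.com/.htpasswd;  # assumed
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;                           # assumed
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

A quick way to confirm the exclusion took effect after `nginx -t` and a reload: request any path under `/.well-known/acme-challenge/` from outside and check the status line. A 404 for a non-existent token is what you want (the location is reachable and unauthenticated); a 401, as in the log above, means the challenge path is still behind the auth block.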