Letsencrypt renewal not working with Force SSL, Bug?

Ok, so I’ve been troubleshooting this one for a while. I set up a server around three months ago, so this is the first time the SSL certs were renewing. I’ve been getting emails like this from one server

Subject: Cron [email protected] sudo /usr/local/hestia/bin/v-update-letsencrypt-ssl
Error: Let’s Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending

The server holds several websites, so I wasn’t sure which one was causing the error. In the end I found out which one by checking the LETSENCRYPT_FAIL_COUNT in
cat /usr/local/hestia/data/users/*/web.conf
That might be useful in itself. (Maybe a good thing to display on the Dashboard somewhere?)

Anyway, having nailed down the domain, I tried a few things. I suspected Cloudflare’s proxy, and the .htaccess file first, but in the end it was rather simple. It seems that if you have the Force SSL checkbox selected on a domain, it stops Letsencrypt from renewing, as the traffic is redirected to SSL before it does the .well-known/acme-challenge/ thing. And LE can’t verify over port 443.

That’s my understanding. Can anyone verify? If so, it would be good if the acme rule happened before the redirect to SSL in nginx config.

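The ordering the post asks for, written out as an added nginx example (not from the post and not HestiaCP's own template; the domain and webroot are placeholders): the ACME challenge path is served from the plain-HTTP server block before the Force SSL redirect, so a validation request for /.well-known/acme-challenge/ is answered directly instead of being redirected.

```nginx
# Added example, not HestiaCP's template. Placeholders: example.com and
# /var/www/letsencrypt stand in for the real domain and challenge webroot.
server {
    listen 80;
    server_name example.com www.example.com;

    # Challenge files first: this prefix location is more specific than
    # the catch-all below, so nginx picks it for validation requests.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else is forced to HTTPS (the Force SSL behaviour).
    location / {
        return 301 https://$host$request_uri;
    }
}
```

A quick check after reloading is to request http://example.com/.well-known/acme-challenge/anything and confirm the answer is a 404 from port 80 rather than a 301 to https.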

This was a quick and dirty script I used to check all the non-empty Fail Counts, in case it's useful to anyone.

#!/bin/bash
# List every HestiaCP web domain with a non-empty LETSENCRYPT_FAIL_COUNT
# and print the validity dates of its current certificate.

for USER in $( v-list-users plain | awk '{print $1}' )
do
	for DOMAIN in $( v-list-web-domains "$USER" plain | awk '{print $1}' )
	do
		# Read only this user's web.conf and only the line for this exact domain,
		# so an alias or a similarly named domain of another user is not matched.
		FAIL=$( grep "^DOMAIN='$DOMAIN'" "/usr/local/hestia/data/users/$USER/web.conf" \
			| tr " " "\n" | grep '^LETSENCRYPT_FAIL_COUNT=' | awk -F "'" '{ print $2 }' )
		if [[ -n "$FAIL" ]] ; then
			echo "User: $USER         Domain: $DOMAIN       LEFailCount: $FAIL"
			CRT="/home/$USER/conf/web/$DOMAIN/ssl/$DOMAIN.crt"
			if [[ -f "$CRT" ]] ; then
				openssl x509 -noout -dates -in "$CRT"
			else
				echo "No certificate file at $CRT"
			fi
			echo "---"
		fi
	done
done

Very Useful,

Thanks.