Letsencrypt renewal not working with Force SSL, Bug?

pluto · November 5, 2020, 10:06am

Ok, so I’ve been troubleshooting this one for a while. I set up a server around three months ago, so this is the first time the SSL certs were renewing. I’ve been getting emails like this from one server

Subject: Cron admin@server sudo /usr/local/hestia/bin/v-update-letsencrypt-ssl
Error: Let’s Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending

The server holds several websites, so I wasn’t sure which one was causing the error. In the end I found out which one by checking the LETSENCRYPT_FAIL_COUNT in
cat /usr/local/hestia/data/users/*/web.conf
That might be useful in itself. (Maybe a good thing to display on the Dashboard somewhere?)

Anyway, having nailed down the domain, I tried a few things. I suspected Cloudflare’s proxy, and the .htaccess file first, but in the end it was rather simple. It seems that if you have the Force SSL checkbox selected on a domain, it stops Letsencrypt from renewing, as the traffic is redirected to SSL before it does the .well-known/acme-challenge/ thing. And LE can’t verify over port 443.

That’s my understanding. Can anyone verify? If so, it would be good if the acme rule happened before the redirect to SSL in nginx config.

pluto · November 5, 2020, 10:20am

This was a quick and dirty script I used to check all the non-empty Fail Counts, in case its useful to anyone.

#!/bin/bash

for USER in $( v-list-users plain | awk '{print $1}' )
do
	for DOMAIN in $( v-list-web-domains $USER plain | awk '{print $1}' )
	do
		FAIL=$( cat /usr/local/hestia/data/users/*/web.conf  | grep "'$DOMAIN'" | tr " " "\n" | grep LETSENCRYPT_FAIL_COUNT | awk -F "'" '{ print $2 }' )
		if [[ ! -z "$FAIL" ]] ; then
			echo "User: $USER         Domain: $DOMAIN       LEFailCount: $FAIL" 
			openssl x509 -noout -dates -in /home/$USER/conf/web/$DOMAIN/ssl/$DOMAIN.crt
			echo "---"
		fi
	done
done

ivanpos · November 16, 2020, 1:41pm

Very Useful,

Thanks.