OK, so I’ve been troubleshooting this one for a while. I set up a server around three months ago, so this is the first time the SSL certs have been renewing. I’ve been getting emails like this from one server:
Subject: Cron admin@server sudo /usr/local/hestia/bin/v-update-letsencrypt-ssl
Error: Let’s Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending
The server holds several websites, so I wasn’t sure which one was causing the error. In the end I found out which one by checking the LETSENCRYPT_FAIL_COUNT in
cat /usr/local/hestia/data/users/*/web.conf
That might be useful in itself. (Maybe a good thing to display on the Dashboard somewhere?)
Anyway, having nailed down the domain, I tried a few things. I suspected Cloudflare’s proxy and the .htaccess file first, but in the end it was rather simple. It seems that if you have the Force SSL checkbox selected on a domain, it stops Let’s Encrypt from renewing, as the traffic is redirected to SSL before it does the .well-known/acme-challenge/ thing. And LE can’t verify over port 443.
That’s my understanding. Can anyone verify? If so, it would be good if the ACME rule happened before the redirect to SSL in the nginx config.
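The LETSENCRYPT_FAIL_COUNT check above works but means eyeballing every line of every user's web.conf. As an added example (not part of the original post and not Hestia's own code), here is a small script that parses those KEY='value' lines and lists only the Let's Encrypt-enabled domains with a non-zero fail count. The sample web.conf content is constructed for the demo; the exact set of keys Hestia writes varies by version, and the script only relies on DOMAIN, LETSENCRYPT and LETSENCRYPT_FAIL_COUNT. The scan_hestia() helper and its default data directory path are assumptions based on the path in the post.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Hestia stores one web domain per line in each user's web.conf, as
# space-separated KEY='value' pairs. Only three keys matter for this check.
FIELD_RE = re.compile(r"(\w+)='([^']*)'")


def parse_web_conf(text: str) -> List[Dict[str, str]]:
    """Turn the KEY='value' lines of a web.conf file into one dict per domain."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        records.append(dict(FIELD_RE.findall(line)))
    return records


def failing_domains(records: List[Dict[str, str]], user: str) -> List[Tuple[str, str, int]]:
    """Return (user, domain, fail_count) for each LE-enabled domain whose
    LETSENCRYPT_FAIL_COUNT is greater than zero. Missing or empty counts
    are treated as zero so a domain that never failed is not reported."""
    out = []
    for rec in records:
        if rec.get("LETSENCRYPT") != "yes":
            continue
        raw = rec.get("LETSENCRYPT_FAIL_COUNT", "")
        try:
            count = int(raw) if raw else 0
        except ValueError:
            count = 0
        if count > 0:
            out.append((user, rec.get("DOMAIN", "?"), count))
    return out


def scan_hestia(data_dir: str = "/usr/local/hestia/data/users") -> List[Tuple[str, str, int]]:
    """Walk every user's web.conf under the Hestia data directory (assumed layout:
    <data_dir>/<user>/web.conf, matching the glob used in the post)."""
    results = []
    for conf in sorted(Path(data_dir).glob("*/web.conf")):
        results.extend(failing_domains(parse_web_conf(conf.read_text()), conf.parent.name))
    return results


# Constructed sample: three domains for user 'admin', one of which has
# failed renewal three times. Field set is illustrative, not exhaustive.
SAMPLE_WEB_CONF = """\
DOMAIN='good.example' IP='203.0.113.10' ALIAS='www.good.example' SSL='yes' LETSENCRYPT='yes' SUSPENDED='no' LETSENCRYPT_FAIL_COUNT='0'
DOMAIN='broken.example' IP='203.0.113.10' ALIAS='www.broken.example' SSL='yes' LETSENCRYPT='yes' SUSPENDED='no' LETSENCRYPT_FAIL_COUNT='3'
DOMAIN='nossl.example' IP='203.0.113.10' ALIAS='' SSL='no' LETSENCRYPT='no' SUSPENDED='no' LETSENCRYPT_FAIL_COUNT=''
"""

if __name__ == "__main__":
    # Run against the constructed sample; on a real box call scan_hestia() instead.
    for user, domain, count in failing_domains(parse_web_conf(SAMPLE_WEB_CONF), "admin"):
        print(f"{user}: {domain} has {count} failed Let's Encrypt attempt(s)")
```

On a live Hestia host, `scan_hestia()` needs read access to the per-user data directories, so it is run as root or via sudo, the same way the cron job in the post is.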