New Installation.. LE errors

Hestia Control Panel
1

Hi all, thanks for your great work!!

I need help with cert generation.

I’m just updating an old installation starting from scratch on a new server and importing the backups (both on 1.7.7)… and I’m having issues with LetsEncrypt. Paradoxically the old one still works fine (switching the port forward back to the oroginal).

I tried with letsDebug.net with no errors:

All OK!
No issues were found with simulacra.gianlustuff.net. If you are having problems with creating an SSL certificate, please visit the Let’s Encrypt Community forums and post a question there.

Then…
I tried the following without success, you’ll see the shell commands intertwined with the proper logs:

[email protected]:/# tail -f /var/log/hestia/LE-* &

[email protected]:/# v-add-letsencrypt-host

==> /var/log/hestia/LE-admin-simulacra.gianlustuff.net.log <==

=============================
Date Time: 2023-05-22 09:47:12
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: admin
domain: simulacra.gianlustuff.net

  • aliases:
  • proto: http-01
  • wildcard:

==[Step 1]==

  • status: 200
  • nonce: 5CA2BwKTYMDpRHv9rEA629J-jb8kobbPV7OFQN4lL9OeR-o
  • answer: HTTP/2 200
    server: nginx
    date: Mon, 22 May 2023 07:47:13 GMT
    content-type: application/json
    content-length: 752
    cache-control: public, max-age=0, no-cache
    replay-nonce: 5CA2BwKTYMDpRHv9rEA629J-jb8kobbPV7OFQN4lL9OeR-o
    x-frame-options: DENY
    strict-transport-security: max-age=604800

==[API call]==
exit status: 0

==[Step 2]==

{
“status”: “pending”,
“expires”: “2023-05-29T07:47:13Z”,
“identifiers”: [
{
“type”: “dns”,
“value”: “simulacra.gianlustuff.net
}
],
“authorizations”: [
https://acme-v02.api.letsencrypt.org/acme/authz-v3/230023732867
],
“finalize”: “https://acme-v02.api.letsencrypt.org/acme/finalize/1120227687/183764984087
}
order: https://acme-v02.api.letsencrypt.org/acme/order/1120227687/183764984087

==[API call]==
exit status: 0

==[Step 3]==

  • status: 200
  • nonce: 5CA2C94wmDsgSVNEPexQM0Xldjmj48CQxwjPzNrlZPwZXfg
  • url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/230023732867/BbTxvA
  • token: 44TAfIOxutebf939hzcoM3ko1M6Zhfmuxe_tFMtlE6I
  • answer: HTTP/2 200
    server: nginx
    date: Mon, 22 May 2023 07:47:14 GMT
    content-type: application/json
    content-length: 809
    boulder-requester: 1120227687
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
    replay-nonce: 5CA2C94wmDsgSVNEPexQM0Xldjmj48CQxwjPzNrlZPwZXfg
    x-frame-options: DENY
    strict-transport-security: max-age=604800

{
“identifier”: {
“type”: “dns”,
“value”: “simulacra.gianlustuff.net
},
“status”: “pending”,
“expires”: “2023-05-29T07:47:13Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/230023732867/BbTxvA”,
“token”: “44TAfIOxutebf939hzcoM3ko1M6Zhfmuxe_tFMtlE6I”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/230023732867/aS2yXQ”,
“token”: “44TAfIOxutebf939hzcoM3ko1M6Zhfmuxe_tFMtlE6I”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/230023732867/o_BFHg”,
“token”: “44TAfIOxutebf939hzcoM3ko1M6Zhfmuxe_tFMtlE6I”
}
]
}

==[API call]==
exit status: 0

==[Step 5]==

{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/230023732867/BbTxvA”,
“token”: “44TAfIOxutebf939hzcoM3ko1M6Zhfmuxe_tFMtlE6I”
}

==[API call]==
exit status: 0

==[Step 5]==

{
“type”: “urn:ietf:params:acme:error:malformed”,
“detail”: “Unable to update challenge :: authorization must be pending”,
“status”: 400
}

==[Debug information Step 5]==
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: “87.15.57.21: Invalid response from http://simulacra.gianlustuff.net/.well-known/acme-challenge/44TAfIOxutebf939hzcoM3ko1M6Zhfmuxe_tFMtlE6I: 404”,
“status”: 403
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/230023732867/BbTxvA”,
“token”: “44TAfIOxutebf939hzcoM3ko1M6Zhfmuxe_tFMtlE6I”,
“validationRecord”: [
{
“url”: “http://simulacra.gianlustuff.net/.well-known/acme-challenge/44TAfIOxutebf939hzcoM3ko1M6Zhfmuxe_tFMtlE6I”,
“hostname”: “simulacra.gianlustuff.net”,
“port”: “80”,
“addressesResolved”: [
“87.15.57.21”
],
“addressUsed”: “87.15.57.21”
}
],
“validated”: “2023-05-22T07:47:19Z”
}

==[Abort Step 5]==
=> Wrong status

Error: Let’s Encrypt validation status 400 (simulacra.gianlustuff.net). Details: 403:“xxx.yyy.kkk.zzz: Invalid response from http://simulacra.gianlustuff.net/.well-known/acme-challenge/44TAfIOxutebf939hzcoM3ko1M6Zhfmuxe_tFMtlE6I: 404”
Error: Let’s Encrypt SSL creation failed

2

there is something wrong with your config → http://simulacra.gianlustuff.net/ should show “we’re working on it” (similar to https://demo.hestiacp.com/). But you get the default ip access website which means that the config isnt loaded properly. Do an nginx -t to check for issues, maybe delete the hostname domain out of admin user then run v-add-letsencrypt-host again, it should automatically add it.

1 Like
3

Here are some details:

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

the command requires the website (and not an alias) to be defined under a user… so I moved it from admin… but I got the same results.

BTW the installation script parametrised fromthe webisite (—password no) got me an installation with no evidence of the admin password ad the end… I add to use v-change-user-password on admin

4

Thanks will look it when I have time looks like a bug…

Do you have multiple ips available on the server…

5

Ok thanks!
it is strange the old version updated works like a charm…

6

Well… it has also a Docker+Portainer onboard… but the IPs are on other interfaces.
But the same was in the old one…

7

…and the old one while working is not producing the logs “/var/log/hestia/LE-user-…”

8

Ok yes the issue is multiple IPs… for example APACHE is not starting cause is getting the docker interface address even if hestiacp on the host:

May 23 18:33:43 simulacra.gianlustuff.net systemd[1]: Starting The Apache HTTP Server…
May 23 18:33:43 simulacra.gianlustuff.net apachectl[1025]: AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using simulacra.gianlustuff.net. Set the ‘ServerName’ directive globally to suppress this message
May 23 18:33:43 simulacra.gianlustuff.net apachectl[1025]: (99)Cannot assign requested address: AH00072: make_sock: could not bind to address 172.17.0.1:8443
May 23 18:33:43 simulacra.gianlustuff.net apachectl[1025]: no listening sockets available, shutting down
May 23 18:33:43 simulacra.gianlustuff.net apachectl[1025]: AH00015: Unable to open logs
May 23 18:33:43 simulacra.gianlustuff.net systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
May 23 18:33:43 simulacra.gianlustuff.net systemd[1]: apache2.service: Failed with result ‘exit-code’.
May 23 18:33:43 simulacra.gianlustuff.net systemd[1]: Failed to start The Apache HTTP Server.