Problems with ssl let's encrypt

I have a VPS with Ubuntu 20.04 LTS and HestiaCP 1.5.11, and I have 10 subdomains.
The domain is in one cPanel and I have all 10 DNS type A records pointing to the server.
The problem is that when I want to configure SSL with Let’s Encrypt, it always tells me: Error: Let’s Encrypt validation status 400 (citra.nredes.dev). Details: Unable to update challenge :: authorization must be pending…
I disabled Alias, and I disabled IPv6 on this server, but IT DOESN’T WANT TO REGISTER SSL.

Please can you help me?

thanks a lot.

I have this log.

Date Time: 2022-03-27 23:01:30
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: neomorbius
domain: citra.nredes.dev

  • aliases:
  • proto: http-01
  • wildcard:

==[Step 1]==

  • status: 200
  • nonce: 0002_6-TPC5DNY6UKOLg8sp14XbO_8QJhVLLZMoXpDXzMIY
  • answer: HTTP/2 200
    server: nginx
    date: Sun, 27 Mar 2022 21:01:31 GMT
    content-type: application/json
    content-length: 658
    cache-control: public, max-age=0, no-cache
    replay-nonce: 0002_6-TPC5DNY6UKOLg8sp14XbO_8QJhVLLZMoXpDXzMIY
    x-frame-options: DENY
    strict-transport-security: max-age=604800

==[API call]==
exit status: 0

==[Step 2]==

{
“status”: “pending”,
“expires”: “2022-04-03T21:01:32Z”,
“identifiers”: [
{
“type”: “dns”,
“value”: “citra.nredes.dev”
}
],
“authorizations”: [
https://acme-v02.api.letsencrypt.org/acme/authz-v3/92091404450
],
“finalize”: “https://acme-v02.api.letsencrypt.org/acme/finalize/469244510/75099432630
}

==[API call]==
exit status: 0

==[Step 3]==

  • status: 200
  • nonce: 01016CmkcbIzI74jaOOjpjmsQ8wkdzhM0zU8s27J0WXw5yw
  • url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/92091404450/rVkh5w
  • token: GV2VCP-p-bnwt18UJy0TabrswmYzYr89M-On-MUu7Zg
  • answer: HTTP/2 200
    server: nginx
    date: Sun, 27 Mar 2022 21:01:33 GMT
    content-type: application/json
    content-length: 797
    boulder-requester: 469244510
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
    replay-nonce: 01016CmkcbIzI74jaOOjpjmsQ8wkdzhM0zU8s27J0WXw5yw
    x-frame-options: DENY
    strict-transport-security: max-age=604800

{
“identifier”: {
“type”: “dns”,
“value”: “citra.nredes.dev”
},
“status”: “pending”,
“expires”: “2022-04-03T21:01:32Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/92091404450/rVkh5w”,
“token”: “GV2VCP-p-bnwt18UJy0TabrswmYzYr89M-On-MUu7Zg”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/92091404450/8yafDg”,
“token”: “GV2VCP-p-bnwt18UJy0TabrswmYzYr89M-On-MUu7Zg”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/92091404450/O0sAmg”,
“token”: “GV2VCP-p-bnwt18UJy0TabrswmYzYr89M-On-MUu7Zg”
}
]
}

==[API call]==
exit status: 0

==[Step 5]==

{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/92091404450/rVkh5w”,
“token”: “GV2VCP-p-bnwt18UJy0TabrswmYzYr89M-On-MUu7Zg”
}

==[API call]==
exit status: 0

==[Step 5]==

  • status: 400
  • nonce: 0102KOozpmJyuxFhSwlAl6IRwItgLgOy4doujaLBYVrTINQ
  • validation:
  • details: Unable to update challenge :: authorization must be pending
  • answer: HTTP/2 400
    server: nginx
    date: Sun, 27 Mar 2022 21:01:43 GMT
    content-type: application/problem+json
    content-length: 144
    boulder-requester: 469244510
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
    replay-nonce: 0102KOozpmJyuxFhSwlAl6IRwItgLgOy4doujaLBYVrTINQ

{
“type”: “urn:ietf:params:acme:error:malformed”,
“detail”: “Unable to update challenge :: authorization must be pending”,
“status”: 400
}

==[Abort Step 5]==
=> Wrong status

“detail”: “DNS problem: SERVFAIL looking up A for citra.nredes.dev - the domain’s nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for citra.nredes.dev - the domain’s nameservers may be malfunctioning”,

Now I have changed all the DNS and I have the same problem. You can look at the capture.
This is the error:
identifier: {
type: “dns”,
value: “nredes.dev”,
},
status: “invalid”,
expires: “2022-04-04T16:54:04Z”,
challenges: [
{
type: “http-01”,
status: “invalid”,
error: {
type: “urn:ietf:params:acme:error:dns”,
detail: “DNS problem: SERVFAIL looking up CAA for nredes.dev - the domain’s nameservers may be malfunctioning”,
status: 400,
},
url: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/92375619820/eH8LSw”,
token: “_IvJ7iQBnIP3PuqGxokE8jAT8Vc6CXuXWjqT4Q5esZY”,
validationRecord: [
{
url: “http://nredes.dev/.well-known/acme-challenge/_IvJ7iQBnIP3PuqGxokE8jAT8Vc6CXuXWjqT4Q5esZY”,
hostname: “nredes.dev”,
port: “80”,
addressesResolved: [
“45.91.64.196”
],
addressUsed: “45.91.64.196”,
}
],
validated: “2022-03-28T16:54:11Z”,
}
],
}

Maybe you need to wait a bit…

Do you think the problem is that it has not propagated all over the world? Thanks.

OK, then I have a subdomain, dev.nredes.dev, that has full DNS propagation, but it doesn’t work, with this error:

=============================
Date Time: 2022-03-28 19:22:00
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: neomorbius
domain: dev.nredes.dev

  • aliases:
  • proto: http-01
  • wildcard:

==[Step 1]==

  • status: 200
  • nonce: 0001fQvA34IP3sKgz-Mx7SasDfpWXqMLz7-QROC0aSF-uMY
  • answer: HTTP/2 200
    server: nginx
    date: Mon, 28 Mar 2022 17:22:01 GMT
    content-type: application/json
    content-length: 658
    cache-control: public, max-age=0, no-cache
    replay-nonce: 0001fQvA34IP3sKgz-Mx7SasDfpWXqMLz7-QROC0aSF-uMY
    x-frame-options: DENY
    strict-transport-security: max-age=604800

==[API call]==
exit status: 0

==[Step 2]==

{
“status”: “ready”,
“expires”: “2022-04-04T17:22:02Z”,
“identifiers”: [
{
“type”: “dns”,
“value”: “dev.nredes.dev”
}
],
“authorizations”: [
https://acme-v02.api.letsencrypt.org/acme/authz-v3/91640847940
],
“finalize”: “https://acme-v02.api.letsencrypt.org/acme/finalize/469244510/75338056060
}

==[API call]==
exit status: 0

==[Step 3]==

  • status: 200
  • nonce: 0101zTMJR-9WfM952PhUBFW0I3bFsVbfzfE4-5qZV9FsK5Q
  • url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/91640847940/tddWJw
  • token: KQpIBdgdxyZYpLnpYHewlvSpdNPY2ZIoNCzNgIy6ofE
  • answer: HTTP/2 200
    server: nginx
    date: Mon, 28 Mar 2022 17:22:02 GMT
    content-type: application/json
    content-length: 754
    boulder-requester: 469244510
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
    replay-nonce: 0101zTMJR-9WfM952PhUBFW0I3bFsVbfzfE4-5qZV9FsK5Q
    x-frame-options: DENY
    strict-transport-security: max-age=604800

{
“identifier”: {
“type”: “dns”,
“value”: “dev.nredes.dev”
},
“status”: “valid”,
“expires”: “2022-04-25T12:15:55Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “valid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/91640847940/tddWJw”,
“token”: “KQpIBdgdxyZYpLnpYHewlvSpdNPY2ZIoNCzNgIy6ofE”,
“validationRecord”: [
{
“url”: “http://dev.nredes.dev/.well-known/acme-challenge/KQpIBdgdxyZYpLnpYHewlvSpdNPY2ZIoNCzNgIy6ofE”,
“hostname”: “dev.nredes.dev”,
“port”: “80”,
“addressesResolved”: [
“45.91.64.196”
],
“addressUsed”: “45.91.64.196”
}
],
“validated”: “2022-03-26T12:15:52Z”
}
]
}

==[API call]==
exit status: 0

==[Step 6]==

  • status: 403
  • nonce: 00029K22sD5DzPu6M3leNn6Ysk8Q_j5imNhJEDI04mLyLfM
  • payload: {“csr”:"MIIEtjCCAp4CAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkhlc3RpYTELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmRldi5ucmV>
  • certificate:
  • answer: HTTP/2 403
    server: nginx
    date: Mon, 28 Mar 2022 17:22:04 GMT
    content-type: application/problem+json
    content-length: 250
    boulder-requester: 469244510
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
    replay-nonce: 00029K22sD5DzPu6M3leNn6Ysk8Q_j5imNhJEDI04mLyLfM

{
“type”: “urn:ietf:params:acme:error:caa”,
“detail”: "Error finalizing order :: While processing CAA for dev.nredes.dev: DNS problem: SERVFAIL looking up CAA for dev.nredes.dev - the domain’s nameservers may be malfunct>
“status”: 403
}

OK, now NREDES.DEV is OK, and I have SSL for this domain. On the same server I have some subdomains, for example citra.nredes.dev, and I get this message.

Date Time: 2022-03-29 15:39:08
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: neomorbius
domain: citra.nredes.dev

  • aliases:
  • proto: http-01
  • wildcard:

==[Step 1]==

  • status: 200
  • nonce: 0002Dv0kgMTED1RFc4bvXWOzo2QCHh0NednS5lRvo4BdUmE
  • answer: HTTP/2 200
    server: nginx
    date: Tue, 29 Mar 2022 13:39:09 GMT
    content-type: application/json
    content-length: 658
    cache-control: public, max-age=0, no-cache
    replay-nonce: 0002Dv0kgMTED1RFc4bvXWOzo2QCHh0NednS5lRvo4BdUmE
    x-frame-options: DENY
    strict-transport-security: max-age=604800

==[API call]==
exit status: 0

==[Step 2]==

{
“status”: “pending”,
“expires”: “2022-04-05T13:39:10Z”,
“identifiers”: [
{
“type”: “dns”,
“value”: “citra.nredes.dev”
}
],
“authorizations”: [
https://acme-v02.api.letsencrypt.org/acme/authz-v3/92670702650
],
“finalize”: “https://acme-v02.api.letsencrypt.org/acme/finalize/469244510/75575114340
}

==[API call]==
exit status: 0

==[Step 3]==

  • status: 200
  • nonce: 0101QTAPv-kwEkHViQUWitMIHJOj158JqNVFiXca-4sW7cw
  • url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/92670702650/iG3GuA
  • token: EJ0ANjMQN_IhutitZCWHj6RPiXsWQUJOYrgrRn0nYi8
  • answer: HTTP/2 200
    server: nginx
    date: Tue, 29 Mar 2022 13:39:10 GMT
    content-type: application/json
    content-length: 797
    boulder-requester: 469244510
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
    replay-nonce: 0101QTAPv-kwEkHViQUWitMIHJOj158JqNVFiXca-4sW7cw
    x-frame-options: DENY
    strict-transport-security: max-age=604800

{
“identifier”: {
“type”: “dns”,
“value”: “citra.nredes.dev”
},
“status”: “pending”,
“expires”: “2022-04-05T13:39:10Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/92670702650/iG3GuA”,
“token”: “EJ0ANjMQN_IhutitZCWHj6RPiXsWQUJOYrgrRn0nYi8”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/92670702650/pqnl6A”,
“token”: “EJ0ANjMQN_IhutitZCWHj6RPiXsWQUJOYrgrRn0nYi8”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/92670702650/IxEM0Q”,
“token”: “EJ0ANjMQN_IhutitZCWHj6RPiXsWQUJOYrgrRn0nYi8”
}
]
}

==[API call]==
exit status: 0

==[Step 5]==

{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/92670702650/iG3GuA”,
“token”: “EJ0ANjMQN_IhutitZCWHj6RPiXsWQUJOYrgrRn0nYi8”
}

==[API call]==
exit status: 0

==[Step 5]==

  • status: 400
  • nonce: 0001OBwc1tspiZkPjVp_yunQkOV4lIwmvFI6U5ro-Mgwh3Y
  • validation:
  • details: Unable to update challenge :: authorization must be pending
  • answer: HTTP/2 400
    server: nginx
    date: Tue, 29 Mar 2022 13:39:20 GMT
    content-type: application/problem+json
    content-length: 144
    boulder-requester: 469244510
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
    replay-nonce: 0001OBwc1tspiZkPjVp_yunQkOV4lIwmvFI6U5ro-Mgwh3Y

{
“type”: “urn:ietf:params:acme:error:malformed”,
“detail”: “Unable to update challenge :: authorization must be pending”,
“status”: 400
}

==[Abort Step 5]==
=> Wrong status

I use HestiaCP to create this SSL. Can you help me? Thanks a lot.

"detail": "DNS problem: SERVFAIL looking up A for citra.nredes.dev - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for citra.nredes.dev - the domain's nameservers may be malfunctioning",
"status": 400

There is still an issue with the DNS server

Contact the owner of:
Name Server: ns1.vpspanel.es

Name Server: ns2.vpspanel.es

But I have deactivated IPv6, so I don’t need AAAA, or am I wrong?

There is something wrong with your DNS setup

The provider says that everything is right.
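
The panel log's 400 "authorization must be pending" only reports that the authorization has already left the pending state; the reason is recorded in the authorization object, which is where the replies above found the SERVFAIL details. An added example (not HestiaCP's code and not from any poster) that performs that triage; `SAMPLE_AUTHZ` is constructed from values quoted in the thread, and the function names are hypothetical.

```python
import json
import re

# Constructed sample: an authorization object shaped like the one quoted in the
# thread (identifier and error detail taken from the page, other fields trimmed).
SAMPLE_AUTHZ = json.loads("""
{
  "identifier": {"type": "dns", "value": "nredes.dev"},
  "status": "invalid",
  "challenges": [
    {"type": "http-01", "status": "invalid",
     "error": {"type": "urn:ietf:params:acme:error:dns",
               "detail": "DNS problem: SERVFAIL looking up CAA for nredes.dev - the domain's nameservers may be malfunctioning",
               "status": 400}},
    {"type": "dns-01", "status": "pending"}
  ]
}
""")

# Matches each "<RCODE> looking up <RRTYPE> for <name>" clause in a detail string.
DNS_CLAUSE = re.compile(r"\b([A-Z]+) looking up ([A-Z]+) for ([A-Za-z0-9._-]+)")

def dns_failures(detail):
    """Return [(rcode, rrtype, name), ...] for every DNS clause in an ACME detail."""
    return [(m.group(1), m.group(2), m.group(3).rstrip("."))
            for m in DNS_CLAUSE.finditer(detail)]

def triage_authz(authz):
    """Summarise which challenges failed and which DNS lookups the CA could not complete."""
    findings = []
    for chall in authz.get("challenges", []):
        err = chall.get("error")
        if not err:
            continue  # pending or valid challenges carry no error object
        kind = err.get("type", "").rsplit(":", 1)[-1]  # e.g. "dns", "caa", "malformed"
        findings.append({"challenge": chall["type"], "error": kind,
                         "dns": dns_failures(err.get("detail", ""))})
    return {"name": authz["identifier"]["value"],
            "status": authz["status"], "findings": findings}

if __name__ == "__main__":
    print(json.dumps(triage_authz(SAMPLE_AUTHZ), indent=2))
```

Each `(rcode, rrtype, name)` tuple names a lookup to repeat against the domain's authoritative name servers; an empty `dns` list, as for the "authorization must be pending" message itself, means the detail string carries no DNS diagnosis.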
