Today Admin Panel gives SSL error only if PORT is specified

Everything was running smoothly until today.

I tried to log in to my admin panel but I received this message in Chrome/Firefox:

This only happens if I add the port number at the end of the URL (cphestia.mydomain.com:2086).

If I remove the port number, I get the placeholder static HTML page I have created, and the SSL is secure.

Also, all websites I am running on Hestia are working, even the ones using a subdomain of mydomain.com (e.g. site1.mydomain.com).

I tried to use v-add-letsencrypt-host but it gave me the following error:

Error: WEB_DOMAINS limit is reached :: upgrade user package
Error: web domain hestia.mydomain.com doesn’t exist

I removed hestia.mydomain.com from /etc/hosts, rebooted, and tried v-add-letsencrypt-host again, and the command was executed.

But I am still facing the same problem. The port number gives the same SSL error.

I tried in incognito mode; it took me to the login page (but the URL said insecure). I was able to log in successfully.

I logged out of it, and now I can’t even log in with Incognito Mode.

The strange thing is I didn’t change anything since my last login 3 days ago.

Any ideas?

Check what is the certificate used by Hestia:

openssl storeutl -noout -text -certs /usr/local/hestia/ssl/certificate.crt | grep -E 'Issuer:|Subject:|Not\s[AB]|DNS:' | sed 's/^\s*//' | column -t -s ':' -l 2 | sed 's/^Issuer/\nIssuer/'
Issuer       C=US, O=Let's Encrypt, CN=R3
Not Before   Feb 18 04:36:33 2024 GMT
Not After    May 18 04:36:32 2024 GMT
Subject      CN=mydomain.com
DNS         mydomain.com, DNS:www.mydomain.com

Issuer       C=US, O=Internet Security Research Group, CN=ISRG Root X1
Not Before   Sep  4 00:00:00 2020 GMT
Not After    Sep 15 16:00:00 2025 GMT
Subject      C=US, O=Let's Encrypt, CN=R3

OK, and do you use https://mydomain.com:2086 to access Hestia, or do you use another domain name?


Thanks for getting back to me.

No. I use
https://cphesta.mydomain.com:2086

The weird thing is that it was working perfectly until yesterday. I didn’t change anything.

Let’s say that you already have the right certificate for cphestia.mydomain.com, so you just need to update the certificate used by your host. I will use the user admin in this example, but you should use the user name where cphestia.mydomain.com is in your Hestia conf:

 v-update-host-certificate admin cphestia.mydomain.com

Yup that did it!
Thank you so much for taking the time to help.

Is there any way that I can automate this letsencrypt certificate renewal?

You are welcome.

It should be updated automatically when renewing the certificate.

Check that your user admin has this cron entry:

# crontab -l -u admin | grep ssl
44 2 * * * sudo /usr/local/hestia/bin/v-update-letsencrypt-ssl

Also, you should check that your server hostname is cphestia.mydomain.com; if it isn’t, the host certificate won’t be updated automatically.

To check your server’s hostname:

hostname -f

Thanks again for replying.

hostname -f outputs mydomain.com

However, hostname (by itself) outputs cphestia.mydomain.com

One more thing: does the cronjob you mentioned update all the soon-to-expire certificates of all the Hestia users and domains (including mail certificates)?

Thanks

That’s weird, show the output of these commands:

cat /etc/hosts
cat /etc/hostname

Yes, that cronjob will update all certificates expiring in less than 31 days, including mail certificates.


Here it is

myuser@cphestia:~$ cat /etc/hostname
cphestia.mydomain.com
myuser@cphestia:~$ cat /etc/hosts
127.0.0.1 mydomain.com www.mydomain.com cphestia.mydomain.com localhost

Edit /etc/hosts file and modify the line to this:

127.0.0.1 cphestia.mydomain.com cphestia mydomain.com www.mydomain.com localhost

Great, thank you.

Can you please explain why I need to include the single “cphestia” entry?

When you give a name to a server, you give it a short name, in this case hestiacp, and an FQDN (fully qualified domain name), in this case cphestia.mydomain.com. Sometimes you will try to connect directly to the short name, so to be able to resolve it, you should add it to the /etc/hosts file.

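The two checks this thread turns on, as an added example (not code from the posters or from HestiaCP): which name /etc/hosts makes canonical for the server, and whether a certificate's SAN list covers the name typed in the browser. The function names are made up here, the inputs are the thread's placeholder values, and the "files" source is assumed to answer the hostname lookup.

```shell
#!/bin/sh
# Added example, not HestiaCP code. Names are the thread's placeholders.

# Canonical name that /etc/hosts assigns to NAME: the first name on the first
# line listing NAME. `hostname -f` reports this when the "files" source
# answers the lookup (assumed here).
hosts_canonical() {   # usage: hosts_canonical NAME < hosts-file
    awk -v want="$1" '
        { sub(/#.*/, "") }              # drop comments
        NF < 2 { next }                 # blank or address-only line
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(want)) { print $2; exit } }'
}

# Succeed if HOST matches an entry of a SAN list as openssl prints it
# ("DNS:a.example, DNS:*.example"); a wildcard stands for one label only.
san_covers() {        # usage: san_covers HOST "SAN list"
    awk -v host="$1" -v sans="$2" 'BEGIN {
        host = tolower(host); n = split(tolower(sans), s, /,/)
        parent = host; sub(/^[^.]+\./, "", parent)   # host minus first label
        for (i = 1; i <= n; i++) {
            name = s[i]; gsub(/[ \t]/, "", name); sub(/^dns:/, "", name)
            if (name == host) exit 0
            if (substr(name, 1, 2) == "*." && parent != host &&
                substr(name, 3) == parent) exit 0
        }
        exit 1 }'
}

# Constructed inputs copied from the thread.
BEFORE='127.0.0.1 mydomain.com www.mydomain.com cphestia.mydomain.com localhost'
AFTER='127.0.0.1 cphestia.mydomain.com cphestia mydomain.com www.mydomain.com localhost'
SANS='DNS:mydomain.com, DNS:www.mydomain.com'
PANEL='cphestia.mydomain.com'

echo "FQDN before edit: $(printf '%s\n' "$BEFORE" | hosts_canonical "$PANEL")"
echo "FQDN after edit:  $(printf '%s\n' "$AFTER" | hosts_canonical "$PANEL")"
if san_covers "$PANEL" "$SANS"; then
    echo "certificate covers $PANEL"
else
    echo "certificate does not cover $PANEL (name mismatch on https://$PANEL:2086)"
fi
```

On a live server the same functions can be fed `/etc/hosts` and the `DNS:` line from the openssl command earlier in the thread.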
