Unable to create letsencrypt certificate: finalize bad status 403

Hello,

I am trying to create a certificate for the domain autocasionalbacete.com, which has www.autocasionalbacete.com as an alias.

When I try to generate it, I get the following error:
Error: Let’s Encrypt finalize bad status 403 (autocasionalbacete.com)

I accessed the LE-xxxxxxxxxxxxxxx-autocasionalbacete.com.log log inside the /var/log/hestia/ folder, and this is the result of the last request:

=============================
Date Time: 2025-01-10 10:23:02
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: xxxxxxxxxxxxxxx
domain: autocasionalbacete.com


- aliases: www.autocasionalbacete.com
- proto: http-01
- wildcard: 


==[Step 1]==
- status: 200
- nonce: 2NJzUBzXbC8oq48E5VnKMf98289ZbWOJVVRAFycyQL0PVYyyYmo
- answer: HTTP/2 200 
server: nginx
date: Fri, 10 Jan 2025 09:23:04 GMT
content-type: application/json
content-length: 746
cache-control: public, max-age=0, no-cache
replay-nonce: 2NJzUBzXbC8oq48E5VnKMf98289ZbWOJVVRAFycyQL0PVYyyYmo
x-frame-options: DENY
strict-transport-security: max-age=604800



==[API call]==
exit status: 0


==[Step 2]==
- status: 201
- nonce: 5VsalEMJthpqDdAg40V6E4BqG9KVzGS3XpG3Gec-wYR0zpJn4fI
- authz: https://acme-v02.api.letsencrypt.org/acme/authz/2160910955/458485664375
https://acme-v02.api.letsencrypt.org/acme/authz/2160910955/458485664385
- finalize: https://acme-v02.api.letsencrypt.org/acme/finalize/2160910955/342848785395
- payload: {"identifiers":[{"type":"dns","value":"autocasionalbacete.com"},{"type":"dns","value":"www.autocasionalbacete.com"}]}
- answer: HTTP/2 201 
server: nginx
date: Fri, 10 Jan 2025 09:23:04 GMT
content-type: application/json
content-length: 513
boulder-requester: 2160910955
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/2160910955/342848785395
replay-nonce: 5VsalEMJthpqDdAg40V6E4BqG9KVzGS3XpG3Gec-wYR0zpJn4fI
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "status": "pending",
  "expires": "2025-01-17T09:23:04Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "autocasionalbacete.com"
    },
    {
      "type": "dns",
      "value": "www.autocasionalbacete.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/2160910955/458485664375",
    "https://acme-v02.api.letsencrypt.org/acme/authz/2160910955/458485664385"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/2160910955/342848785395"
}
 order: https://acme-v02.api.letsencrypt.org/acme/order/2160910955/342848785395


==[API call]==
exit status: 0


==[Step 3]==
- status: 200
- nonce: 2NJzUBzXXjBpq9xoU43NAsohIaWW2pmHK6gc4lLV4cH0BxwGDLo
- url: https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664375/o_r8rA
- token: 9jW9r1iY-oh5H2kCfl26J-GCvdFbRPCRHtIoAY6FsvY
- answer: HTTP/2 200 
server: nginx
date: Fri, 10 Jan 2025 09:23:05 GMT
content-type: application/json
content-length: 830
boulder-requester: 2160910955
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 2NJzUBzXXjBpq9xoU43NAsohIaWW2pmHK6gc4lLV4cH0BxwGDLo
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "autocasionalbacete.com"
  },
  "status": "pending",
  "expires": "2025-01-17T09:23:04Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664375/T0g3FQ",
      "status": "pending",
      "token": "9jW9r1iY-oh5H2kCfl26J-GCvdFbRPCRHtIoAY6FsvY"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664375/Mi2fbQ",
      "status": "pending",
      "token": "9jW9r1iY-oh5H2kCfl26J-GCvdFbRPCRHtIoAY6FsvY"
    },
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664375/o_r8rA",
      "status": "pending",
      "token": "9jW9r1iY-oh5H2kCfl26J-GCvdFbRPCRHtIoAY6FsvY"
    }
  ]
}


==[API call]==
exit status: 0


==[Step 5]==
- status: 200
- url: https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664375/o_r8rA
- nonce: yoRvt02QE5SqrpQMoVmD3fXQL1BinSy1oUJXWGz0WDu1TnP20FA
- validation: https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664375/o_r8rA
- details: 
- answer: HTTP/2 200 
server: nginx
date: Fri, 10 Jan 2025 09:23:11 GMT
content-type: application/json
content-length: 195
boulder-requester: 2160910955
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
link: <https://acme-v02.api.letsencrypt.org/acme/authz/2160910955/458485664375>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664375/o_r8rA
replay-nonce: yoRvt02QE5SqrpQMoVmD3fXQL1BinSy1oUJXWGz0WDu1TnP20FA
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664375/o_r8rA",
  "status": "pending",
  "token": "9jW9r1iY-oh5H2kCfl26J-GCvdFbRPCRHtIoAY6FsvY"
}


==[API call]==
exit status: 0


==[Step 3]==
- status: 200
- nonce: yoRvt02Q3kuYOt3UDkJoLiPH8-2xIcwbL4UFUFhGzUjZsy1_hBg
- url: https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664385/39i-FQ
- token: -h5F_QHSAiNRnHTmk2DQevM3aBRlDNUvythasVB0JSM
- answer: HTTP/2 200 
server: nginx
date: Fri, 10 Jan 2025 09:23:16 GMT
content-type: application/json
content-length: 834
boulder-requester: 2160910955
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: yoRvt02Q3kuYOt3UDkJoLiPH8-2xIcwbL4UFUFhGzUjZsy1_hBg
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.autocasionalbacete.com"
  },
  "status": "pending",
  "expires": "2025-01-17T09:23:04Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664385/OsUThw",
      "status": "pending",
      "token": "-h5F_QHSAiNRnHTmk2DQevM3aBRlDNUvythasVB0JSM"
    },
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664385/39i-FQ",
      "status": "pending",
      "token": "-h5F_QHSAiNRnHTmk2DQevM3aBRlDNUvythasVB0JSM"
    },
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664385/Lunsjw",
      "status": "pending",
      "token": "-h5F_QHSAiNRnHTmk2DQevM3aBRlDNUvythasVB0JSM"
    }
  ]
}


==[API call]==
exit status: 0


==[Step 5]==
- status: 200
- url: https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664385/39i-FQ
- nonce: yoRvt02Q4K8R-p0GArb8LT9AIfPFvnfcxBGnBf6W9WUIbMbHVS0
- validation: https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664385/39i-FQ
- details: 
- answer: HTTP/2 200 
server: nginx
date: Fri, 10 Jan 2025 09:23:22 GMT
content-type: application/json
content-length: 195
boulder-requester: 2160910955
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
link: <https://acme-v02.api.letsencrypt.org/acme/authz/2160910955/458485664385>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664385/39i-FQ
replay-nonce: yoRvt02Q4K8R-p0GArb8LT9AIfPFvnfcxBGnBf6W9WUIbMbHVS0
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2160910955/458485664385/39i-FQ",
  "status": "pending",
  "token": "-h5F_QHSAiNRnHTmk2DQevM3aBRlDNUvythasVB0JSM"
}


==[API call]==
exit status: 0


==[Step 6]==
- status: 403
- nonce: 2NJzUBzX4fKFTE_e0uTq8ZLlckUk37HTS7T4o72DyQb1Bw2Ja-0
- payload: {"csr":"MIIFOzCCAyMCAQAwgaUxKjAoBgkqhkiG9w0BCQEWG2luZm9AYXV0b2Nhc2lvbmFsYmFjZXRlLmNvbTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkhlc3RpYTELMAkGA1UECwwCSVQxHzAdBgNVBAMMFmF1dG9jYXNpb25hbGJhY2V0ZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCr83RiqU_GQuyxEe8tmNdDV1LmECngIVwpTSQfJTB5dOCoyuUcdVOV2pmnrt-bpeF4pLVsGVQ4B1hhftnAzKXPxmLxijv0oTvECDvYPvVTgK2OnRYosebLBY3ulfnYfi0XQ9tFg5yxYYU5JB82kxLz4GM4f9KihVg3PC26NY53omqQJQGcXt8HMRQnTJLbKK0aTiR7--ZmEXC0Bm432ayZFd0FQ8KQUaS6uviirmSKzO4VZdmt1oWzfGzR0uS67nl0o1XUJBGIN6Haw4JghLCGaAPSgrT1gFv15ydYWI384TygvQXeDnkDbqgdZgQqOpAEaolm5yqMXEujB9v7N00vIyEAXwYHcYCQaA5XGFkjV5BVMuSN8uo14SwWmAOUG9dxIeD6B8lLo5FCNCaM7eoLvL36nLO3A5pp7B2vDMRtXZwYGSVJ1Ii0RNDHp2HOOmveNxc5-DNV50F7eTPomQPsbe1wKzwr2xtcTUCBuCNp77WnZU-rFjHg4ztcrYrIF2_4Nyjt87KkIZSSZ93rg5YSAaWrf1AIEv7GhbHVNOmMmnL0MhtTwE9lziDsMpSl4ItXDDXqfCDJ8uki-ngDcrm5yaI2VprBUdrhnqwaaY1SAjI4LPsT57udhERiTJYUYVv7kyC64TeRPztQjNSZ4ZNISTzqkuFl3tUfw0Bv_WzBmwIDAQABoFAwTgYJKoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ghZhdXRvY2FzaW9uYWxiYWNldGUuY29tghp3d3cuYXV0b2Nhc2lvbmFsYmFjZXRlLmNvbTANBgkqhkiG9w0BAQsFAAOCAgEAe4GSrnkHN3NUemwEkP47F0Y02YX65K4Kck0s1292-eADz0ZNJTSoPqqqnp-U3tf28gp8bms9xmjtarlOJsXYdnHNoazv2a82mKQYlKBkYNPjf3tnmuejJOc7PZmRCorqoUnzf8jeYxO4m3i1rYQIDSladuU6dxk5RBSfWaZdmo88swACRRDKvCGu9rDhhDc9GEYg8nPHWenn1bJky0buFkH9DjRmpg170n3SHh391FRzlo3BOtGSoO2OEBmEFZdGdwumuq4EbbhTuD4_JKjgq21u3ojJI1WXAjs_6svnPzv-QchJnyce1L_e_M4B_jOqqqTl8q36G5TivqOT37zkDIe7eaoqxA146Fx3UM_sLBSeX0KgLVS6qW57jSu33-M0BrlG-vJ9JM0cwyCGyH1TA4O39Ddkfhne5BL-RTPFe7oM7su7MOXkH69rX1u9n8tzlrsKImRRLf87Uccr7dCRRJxS-4WGBTPTFJLYcyIvT5eU3-7EfylxGK9CCiPzAeTLTY_t4GRHPzjECznL_R6xiCIfrm695nGRhhxrZOydM83aOKFWMnSNzY3r2h7T1YbjVpXX6Dzm-IOMjIo6o3jtVHYLWgwt26cCg-fmasDKxXKyCsiNZE7dctHXguk4d_dJ7XpzgR2Me0WGnPGisvUIPdredNP6mhOy48Xx3SFYKsI"}
- certificate: 
- answer: HTTP/2 403 
server: nginx
date: Fri, 10 Jan 2025 09:23:28 GMT
content-type: application/problem+json
content-length: 152
boulder-requester: 2160910955
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 2NJzUBzX4fKFTE_e0uTq8ZLlckUk37HTS7T4o72DyQb1Bw2Ja-0

{
  "type": "urn:ietf:params:acme:error:orderNotReady",
  "detail": "Order's status (\"invalid\") is not acceptable for finalization",
  "status": 403
}

On the other hand, I ran the test command, and it returns a 404:

curl -ikL http://autocasionalbacete.com/.well-known/acme-challenge/test
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 10 Jan 2025 08:53:05 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: https://autocasionalbacete.com/404-page/

HTTP/2 301
server: nginx
date: Fri, 10 Jan 2025 08:53:05 GMT
content-type: text/html
content-length: 162
location: http://autocasionalbacete.com/404-page/

I have tried deleting the domain and recreating it, even generating the certificate with an empty folder in case it was a content-related issue.

At this point, I’m out of ideas.

Do you have any suggestions?

Thank you very much in advance.

Hi @pocholo

Could you please show the output of these commands?

ls -la /home/*/conf/web/autocasionalbacete.com/
cat /home/*/conf/web/autocasionalbacete.com/nginx.conf
cat /home/*/conf/web/autocasionalbacete.com/nginx.conf_letsencrypt

Hi sahsanu!

Here is the result of executing the commands.

root@45f33b46-9ce0-4faf-9ae6-932007d34553:~# ls -la /home/*/conf/web/autocasionalbacete.com/
total 52
drwxr-xr-x 3 root root    4096 Jan 13 11:37 .
drwxr-x--x 4 root root    4096 Jan 13 11:37 ..
-rw-r----- 1 root autcson 1773 Jan 13 11:37 apache2.conf
-rw-r----- 1 root autcson 2054 Jan 13 11:37 apache2.ssl.conf
-rw-r----- 1 root autcson 1672 Jan 13 11:37 nginx.conf
-rw-r--r-- 1 root root     159 Jan 13 11:37 nginx.conf_letsencrypt
-rw-r--r-- 1 root root     103 Jan 13 11:37 nginx.conf_redirect
-rw-r----- 1 root autcson   38 Jan 13 11:37 nginx.forcessl.conf
-rw-r----- 1 root autcson   65 Jan 13 11:37 nginx.hsts.conf
-rw-r----- 1 root autcson 2087 Jan 13 11:37 nginx.ssl.conf
lrwxrwxrwx 1 root root      68 Jan 13 11:37 nginx.ssl.conf_letsencrypt -> /home/autcson/conf/web/autocasionalbacete.com/nginx.conf_letsencrypt
lrwxrwxrwx 1 root root      65 Jan 13 11:37 nginx.ssl.conf_redirect -> /home/autcson/conf/web/autocasionalbacete.com/nginx.conf_redirect
drwxr-xr-x 2 root root    4096 Jan 13 11:37 ssl
root@45f33b46-9ce0-4faf-9ae6-932007d34553:~# cat /home/*/conf/web/autocasionalbacete.com/nginx.conf
#=========================================================================#
# Default Web Domain Template                                             #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS   #
# https://hestiacp.com/docs/server-administration/web-templates.html      #
#=========================================================================#

server {
        listen      161.22.42.73:80;
        server_name autocasionalbacete.com www.autocasionalbacete.com;
        error_log   /var/log/apache2/domains/autocasionalbacete.com.error.log error;

        include /home/autcson/conf/web/autocasionalbacete.com/nginx.forcessl.conf*;

        location ~ /\.(?!well-known\/|file) {
                deny all;
                return 404;
        }


        location / {
                proxy_pass http://161.22.42.73:8080;


                location ~* ^.+\.(css|htm|html|js|json|xml|apng|avif|bmp|cur|gif|ico|jfif|jpg|jpeg|pjp|pjpeg|png|svg|tif|tiff|webp|aac|caf|flac|m4a|midi|mp3|ogg|opus|wav|3gp|av1|avi|m4v|mkv|mov|mpg|mpeg|mp4|mp4v|webm|otf|ttf|woff|woff2|doc|docx|odf|odp|ods|odt|pdf|ppt|pptx|rtf|txt|xls|xlsx|7z|bz2|gz|rar|tar|tgz|zip|apk|appx|bin|dmg|exe|img|iso|jar|msi|webmanifest)$ {
                        try_files  $uri @fallback;

                        root       /home/autcson/web/autocasionalbacete.com/public_html;
                        access_log /var/log/apache2/domains/autocasionalbacete.com.log combined;
                        access_log /var/log/apache2/domains/autocasionalbacete.com.bytes bytes;

                        expires    max;
                }
        }

        location @fallback {
                proxy_pass http://161.22.42.73:8080;
        }

        location /error/ {
                alias /home/autcson/web/autocasionalbacete.com/document_errors/;
        }
        include /etc/nginx/conf.d/7g/7g.conf;
        include /home/autcson/conf/web/autocasionalbacete.com/nginx.conf_*;
}
root@45f33b46-9ce0-4faf-9ae6-932007d34553:~# cat /home/*/conf/web/autocasionalbacete.com/nginx.conf_letsencrypt
location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.W1DjX4UFsto1F4xzwy0IhMhR4XDuWWCFEmSE-rZCyUE";
}
root@45f33b46-9ce0-4faf-9ae6-932007d34553:~#

Thanks in advance!

Now the certificate is issued, but the website shows an error indicating it is not secure.

You have issued 5 certificates for the same domains (autocasionalbacete.com and www.autocasionalbacete.com) in the last few days, so you have reached the limit; you can’t issue more certificates for that set of domains until 17th January.

You are using an extra conf for 7g. I know it is used as a “firewall”, but I don’t know the applied rules. What I can say is that your site is ignoring the Let’s Encrypt challenges, I suppose because of that conf.

I have applied the “default” proxy template, but the error still appears. Should I wait until the 18th to renew the certificate and will it work correctly then?

If it doesn’t work now, it won’t work later.

I’m wondering how you issued 5 certificates for that domain, also, the certificate should be there.

Execute this command and if you see a valid certificate, backup the ssl dir.

openssl x509 -in /home/autcson/conf/web/autocasionalbacete.com/ssl/autocasionalbacete.com.crt -noout -issuer -subject -dates -ext subjectAltName | sed -E -e 's/^\s*//g' -e 's/^DNS:/SANs: /' -e 's/\s?DNS://g' -e '/X509v3/d'

Your site is doing this: it redirects from http to https, then to http, and once again to https and http:

❯ curl -IkLsS http://www.autocasionalbacete.com/.well-known/acme-challenge/test | grep -E 'HTTP|[Ll]ocation'
HTTP/1.1 301 Moved Permanently
Location: https://autocasionalbacete.com/.well-known/acme-challenge/test
HTTP/2 301 
location: http://autocasionalbacete.com/.well-known/acme-challenge/test
HTTP/1.1 302 Found
Location: https://autocasionalbacete.com/404-page/
HTTP/2 301 
location: http://autocasionalbacete.com/404-page/
HTTP/1.1 200 OK

That means Let’s Encrypt won’t be able to validate the challenge, so I’m not sure how you issued the certificates. It seems like the default proxy template isn’t working correctly because the challenge should be resolved, but it appears that your site is receiving the requests, returning a 404 error, and handling the redirects instead.
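The redirect chain shown above can be checked mechanically. What follows is an added Python example, not code from the thread or from HestiaCP: it parses the output of `curl -IkLsS <url> | grep -E 'HTTP|[Ll]ocation'` into hops and flags the two things that break http-01 validation here, the http/https ping-pong and the exit from the `/.well-known/acme-challenge/` path. The sample trace is the one captured in this thread, embedded as constructed input.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the redirect chain captured earlier in this thread.
SAMPLE_TRACE = """\
HTTP/1.1 301 Moved Permanently
Location: https://autocasionalbacete.com/.well-known/acme-challenge/test
HTTP/2 301 
location: http://autocasionalbacete.com/.well-known/acme-challenge/test
HTTP/1.1 302 Found
Location: https://autocasionalbacete.com/404-page/
HTTP/2 301 
location: http://autocasionalbacete.com/404-page/
HTTP/1.1 200 OK
"""

# Same token shape as the HestiaCP nginx.conf_letsencrypt location regex.
CHALLENGE_RE = re.compile(r"^/\.well-known/acme-challenge/[-_A-Za-z0-9]+$")


def parse_trace(text):
    """Turn the grep'd curl output into a list of (status, location) hops."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"^HTTP/\S+\s+(\d{3})", line)
        if m:
            hops.append([int(m.group(1)), None])
        elif line.lower().startswith("location:") and hops:
            hops[-1][1] = line.split(":", 1)[1].strip()
    return [tuple(h) for h in hops]


def diagnose(start_url, text):
    """Report whether an http-01 probe stays on the challenge path and ends in 200."""
    hops = parse_trace(text)
    schemes = [urlsplit(start_url).scheme]
    left_challenge_path = False
    for _status, loc in hops:
        if loc is None:
            continue
        parts = urlsplit(loc)
        schemes.append(parts.scheme)
        if not CHALLENGE_RE.match(parts.path):
            left_challenge_path = True  # e.g. bounced to /404-page/
    # A single http -> https hop is fine; flipping back and forth means the
    # plain and TLS vhosts redirect to each other and the CA never gets the token.
    flips = sum(1 for a, b in zip(schemes, schemes[1:]) if a != b)
    final_status = hops[-1][0] if hops else None
    return {
        "redirects": sum(1 for s, _ in hops if 300 <= s < 400),
        "scheme_flips": flips,
        "left_challenge_path": left_challenge_path,
        "final_status": final_status,
        "ok": final_status == 200 and not left_challenge_path and flips <= 1,
    }
```

Paste the trace of your own domain into `SAMPLE_TRACE` (or read it from stdin) and the `ok` flag tells you whether the challenge URL is still being answered by the challenge location rather than by the site's redirects.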

You won’t believe it. To fix it, all I did was empty the content of the “Proxy Extensions” field, save it, and right after that, the page started working.

The remaining extensions are jpg, jpeg, gif, png, ico, svg, css, zip, tgz, gz, rar, bz2, exe, pdf, doc, xls, ppt, txt, odt, ods, odp, odf, tar, bmp, rtf, js, mp3, avi, mpeg, flv, html, htm.
