Unable to get SSL for Hestia CP

Hi, I registered a new domain, installed Ubuntu 22.04 on a new server, created DNS records and installed the latest version of Hestia CP. All works fine except for HTTPS, because I am unable to get an SSL certificate. I can access http://hcp.mydomain.xx fine. I did exactly the same process in the past on another server and it worked flawlessly.

I tried in Hestia CP under admin account
but it fails:
image

I tried to reload nginx, also nginx -t shows no problem.

I did search here and on Let’s Encrypt forums but did not find anything that would work for me.

The domain is registered with a local registrar and these are my DNS records:
image

The Let’s Debug website returned no errors.

This is when checking acme URL:

{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "XXX.XXX.XXX.XXX: Invalid response from http://hcp.mydomain.xx/.well-known/acme-challenge/qKaOjlW_EXLX4rbMvP9vlVIH0mbAODdV2Hxx-1iKNTs: 404",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/186655185057/xxxxxxx",
  "token": "qKaOjlW_EXLX4rbMvP9vlVIH0mbAODdV2Hxx-1iKNTs",
  "validationRecord": [
    {
      "url": "http://hcp.mydomain.xx/.well-known/acme-challenge/qKaOjlW_EXLX4rbMvP9vlVIH0mbAODdV2Hxx-1iKNTs",
      "hostname": "hcp.mydomain.xx",
      "port": "80",
      "addressesResolved": [
        "XXX.XXX.XXX.XXX"
      ],
      "addressUsed": "XXX.XXX.XXX.XXX"
    }
  ],
  "validated": "2022-12-13T09:58:47Z"
}

Also tried to run v-change-sys-hostname and v-add-letsencrypt-host, no luck either.

I really have no idea what could be wrong. Can you advise, please?


Now I created a new web domain (test.mydomain.xx) under my user (not admin) and everything worked, the certificate was issued without a problem. Why is it not possible under admin?

What do you see when you enter:

http://hcp.mydomain.xx/.well-known/acme-challenge/qKaOjlW_EXLX4rbMvP9vlVIH0mbAODdV2Hxx-1iKNTs
in the browser?

this:
image

plus there is no such folder: .well-known

root@hcp:/home/admin/web/hcp.mydomain.xx/public_html# ls -al
total 16
drwxr-x--x 2 admin www-data 4096 Dec 12 21:08 .
dr-xr-x--x 8 admin admin    4096 Dec 12 21:08 ..
-rw-r--r-- 1 admin admin    2897 Dec 12 21:08 index.html
-rw-r--r-- 1 admin admin      66 Dec 12 21:08 robots.txt

We use a custom nginx config found in /home/user/conf/web/domain/nginx.conf_letsencrypt

I assume you use the default template?

Yes, I use the default template. I did not change anything there.

root@hcp:/home/admin/conf/web/hcp.mydomain.xx# cat nginx.conf_letsencrypt
location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.O_oHI5R6CqBgh8knTth7B1NQfki29Anko86buMMsxCc";
}

That should be fine

Good to know. So where else should I look for the cause of this problem?

Still having the problem. I deleted the domain created under the admin account and created it again under my user (not admin), and the SSL certificate was issued with no problem.
However, when I open the page again (after a server restart and a browser restart) it still shows the original invalid certificate. Why is the new certificate not used? The old, invalid certificate was issued Dec 12 and the new one today, i.e. Dec 20.

Run

v-add-letsencrypt-host as root

It worked!
Thank you!

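The nginx.conf_letsencrypt snippet quoted in the thread is a stateless http-01 responder: it answers with the token plus a fixed account-key thumbprint and never reads a .well-known folder from disk. The following added example (not part of the thread and not Hestia's own code) checks offline what that snippet should return for the failed challenge and what a 404 implies; the function names and the wording of the diagnoses are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

# Values copied from the thread: the responder snippet and the failed challenge.
NGINX_CONF = r'''location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.O_oHI5R6CqBgh8knTth7B1NQfki29Anko86buMMsxCc";
}'''
TOKEN = "qKaOjlW_EXLX4rbMvP9vlVIH0mbAODdV2Hxx-1iKNTs"
CHALLENGE = json.dumps({
    "type": "http-01", "status": "invalid", "token": TOKEN,
    "validationRecord": [
        {"url": "http://hcp.mydomain.xx/.well-known/acme-challenge/" + TOKEN}],
})

def parse_responder(conf):
    """Extract the location regex and the account-key thumbprint."""
    loc = re.search(r'location\s+~\s+"([^"]+)"', conf)
    ret = re.search(r'return\s+200\s+"\$1\.([-_A-Za-z0-9]+)"', conf)
    if not (loc and ret):
        raise ValueError("not a stateless http-01 responder snippet")
    return re.compile(loc.group(1)), ret.group(1)

def expected_body(conf, challenge_json):
    """Key authorization the snippet should serve, or None if it cannot match."""
    pattern, thumbprint = parse_responder(conf)
    chall = json.loads(challenge_json)
    path = urlsplit(chall["validationRecord"][0]["url"]).path
    m = pattern.match(path)
    if m is None or m.group(1) != chall["token"]:
        return None
    return f"{m.group(1)}.{thumbprint}"  # RFC 8555: token "." thumbprint

def diagnose(conf, challenge_json, http_status, body=""):
    """Classify an observed response to the challenge URL (hypothetical labels)."""
    want = expected_body(conf, challenge_json)
    if want is None:
        return "snippet regex does not match the challenge path"
    if http_status == 404:
        return "snippet is valid, but this location block did not handle the request"
    if http_status == 200 and body.strip() == want:
        return "ok"
    return "responder reached, but the key authorization differs"

if __name__ == "__main__":
    print(diagnose(NGINX_CONF, CHALLENGE, 404))
```
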