V-update-letsencrypt-ssl - Weird behavior

neven · August 6, 2021, 8:25am

Hi
For some time i experience problems with certificate renewals. Lot of LE 400 errors.
(I think it started around version 1.4.3, but I’m not sure.)

In the logs (after the cron job) it looks like this:

2021-08-06 05:45:45 v-add-letsencrypt-domain ‘user’ ‘domain.tld’ ‘www.domain.tld’ [Error 15]
2021-08-06 05:45:45 v-update-letsencrypt-ssl domain.tld Error: Let’s Encrypt validation status 400 (domain.tld). Details: Unable to update challenge :: authorization must be pending [Error 2]

If i run v-update-letsencrypt-ssl manually, the problem remains, but interestingly, if i restart nginx just before running this command, it applies new certificates without errors.

And another restart of nginx is needed afterwards, because of caching I guess.

Did anyone else experience these issues?

BR,
N

eris · August 6, 2021, 8:27am

Try https://letsdebug.net and see if there is an issue

Raphael · August 6, 2021, 8:33am

Also check: SSL Certificates and Let's Encrypt — Hestia Control Panel documentation

neven · August 6, 2021, 9:00am

@eris @Raphael Thank you!

letsdebug returns “All OK”.

Regarding possible issues from documentation, I’m not using CloudFlare or IPv6, and templates are all default ones, so no cigar.
It’s obvious that nginx is not reloading when it should, but I can’t figure out why.

N.

Raphael · August 6, 2021, 9:22am

Did you’ve enabled force ssl or a other redirect?

neven · August 6, 2021, 9:28am

@Raphael Force ssl: yes, redirects: no.

BTW, where is nginx reload (restart) called from? I’m not finding anything in the scripts.

eris · August 6, 2021, 9:30am

github.com

hestiacp/hestiacp/blob/2304b935db47ea303c8e0caa8931712c4e2764e0/bin/v-add-letsencrypt-domain#L297-L300

    
      
          if [ ! -z "$PROXY_SYSTEM" ]; then
              $BIN/v-restart-proxy
              check_result $? "Proxy restart failed" > /dev/null
          fi

or

github.com

hestiacp/hestiacp/blob/2304b935db47ea303c8e0caa8931712c4e2764e0/bin/v-add-letsencrypt-domain#L345-L348

    
      
          if [ "$WEB_SYSTEM" = 'nginx' ]; then
              $BIN/v-restart-web
              check_result $? "Web restart failed" > /dev/null
          fi

Raphael · August 6, 2021, 9:39am

Maybe try to disable force ssl and try it again.

neven · August 6, 2021, 9:44am

@eris Thanks.
Everything seems totally fine. I hate these hard to detect issues.

I’ll play around with timing and retries in v-add-letsencrypt-domain, and see if I can come up with something. I’ll post findings. (if any)

@eris @Raphael Thank you both!

eris · August 6, 2021, 9:46am

Join the club… Also check /var/log/hestia/LE-xxxx.xxxx.log

neven · August 6, 2021, 9:58am

@erin Didn’t find anything useful there. (Also, LE-* is not always created for some reason.)
One example below.

==[Step 5]==

status: 400
nonce: 0101PI05YGLtAvMMB4C5a3F7aA5mzg4ypfIByVgrt8A5TkQ
validation:
details: Unable to update challenge :: authorization must be pending
answer: HTTP/2 400
server: nginx
date: Sat, 17 Jul 2021 09:57:19 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 128310123
cache-control: public, max-age=0, no-cache
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
replay-nonce: 0101PI05YGLtAvMMB4C5a3F7aA5mzg4ypfIByVgrt8A5TkQ

{
“type”: “urn:ietf:params:acme:error:malformed”,
“detail”: “Unable to update challenge :: authorization must be pending”,
“status”: 400
}

eris · August 6, 2021, 10:15am

File get deleted after successfully obtaining a certicate

neven · August 6, 2021, 10:33am

@eris Oh. OK, but isn’t it hard to investigate a previous issue after you manage to obtain the certificate?