V-update-letsencrypt-ssl - Weird behavior

Hi
For some time I have been experiencing problems with certificate renewals. Lots of LE 400 errors.
(I think it started around version 1.4.3, but I’m not sure.)

In the logs (after the cron job) it looks like this:

2021-08-06 05:45:45 v-add-letsencrypt-domain 'user' 'domain.tld' 'www.domain.tld' [Error 15]
2021-08-06 05:45:45 v-update-letsencrypt-ssl domain.tld Error: Let's Encrypt validation status 400 (domain.tld). Details: Unable to update challenge :: authorization must be pending [Error 2]

If I run v-update-letsencrypt-ssl manually, the problem remains, but interestingly, if I restart nginx just before running this command, it applies the new certificates without errors.

And another restart of nginx is needed afterwards, because of caching I guess.

Did anyone else experience these issues?

BR,
N

Try https://letsdebug.net and see if there is an issue

Also check: SSL Certificates and Let's Encrypt — Hestia Control Panel documentation

@eris @ScIT Thank you!

letsdebug returns “All OK”.

Regarding possible issues from documentation, I’m not using CloudFlare or IPv6, and templates are all default ones, so no cigar. :slight_smile:
It’s obvious that nginx is not reloading when it should, but I can’t figure out why.

N.

Have you enabled force SSL or another redirect?

@ScIT Force SSL: yes, redirects: no.

BTW, where is the nginx reload (restart) called from? I'm not finding anything in the scripts.

or

Maybe try disabling force SSL and try it again.

@eris Thanks.
Everything seems totally fine. I hate these hard to detect issues.

I’ll play around with timing and retries in v-add-letsencrypt-domain, and see if I can come up with something. I’ll post findings. (if any)

@eris @ScIT Thank you both!

Join the club… Also check /var/log/hestia/LE-xxxx.xxxx.log

@erin Didn’t find anything useful there. (Also, LE-* is not always created for some reason.)
One example below.

==[Step 5]==

  • status: 400
  • nonce: 0101PI05YGLtAvMMB4C5a3F7aA5mzg4ypfIByVgrt8A5TkQ
  • validation:
  • details: Unable to update challenge :: authorization must be pending
  • answer: HTTP/2 400
    server: nginx
    date: Sat, 17 Jul 2021 09:57:19 GMT
    content-type: application/problem+json
    content-length: 144
    boulder-requester: 128310123
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
    replay-nonce: 0101PI05YGLtAvMMB4C5a3F7aA5mzg4ypfIByVgrt8A5TkQ

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
}
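Added example, not part of the thread and not Hestia's own code: the 400 in the log above is the ACME server rejecting a POST to a challenge whose authorization has already left the "pending" state (RFC 8555 section 7.1.6: an authorization moves to "valid" or "invalid" once its challenge has been processed, and a challenge can only be answered while it is pending). A client that re-fetches the authorization object and branches on its status, instead of blindly re-posting the challenge on every retry, avoids producing this error. The problem+json body is the one from the log, re-typed with ASCII quotes; the authorization objects and the acme.example URLs are constructed placeholders, not real Let's Encrypt data.

```python
"""Decide what an ACME client should do with an authorization before
touching its challenge, and recognise the 'authorization must be pending'
problem document. Sample data below is constructed for this example."""
import json

# Constructed sample: the application/problem+json body from the log,
# re-typed with plain ASCII quotes so json.loads accepts it.
SAMPLE_PROBLEM = (
    '{"type": "urn:ietf:params:acme:error:malformed", '
    '"detail": "Unable to update challenge :: authorization must be pending", '
    '"status": 400}'
)

# Constructed authorization objects in the shape of RFC 8555 section 7.1.4.
# The acme.example URLs are hypothetical placeholders.
AUTHZ_PENDING = {
    "status": "pending",
    "identifier": {"type": "dns", "value": "domain.tld"},
    "challenges": [
        {"type": "http-01", "status": "pending",
         "url": "https://acme.example/chall/1", "token": "tok-http"},
        {"type": "dns-01", "status": "pending",
         "url": "https://acme.example/chall/2", "token": "tok-dns"},
    ],
}
AUTHZ_VALID = {
    "status": "valid",
    "identifier": {"type": "dns", "value": "domain.tld"},
    "challenges": [
        {"type": "http-01", "status": "valid",
         "url": "https://acme.example/chall/1", "token": "tok-http"},
    ],
}
AUTHZ_INVALID = {
    "status": "invalid",
    "identifier": {"type": "dns", "value": "domain.tld"},
    "challenges": [
        {"type": "http-01", "status": "invalid",
         "url": "https://acme.example/chall/1", "token": "tok-http",
         "error": {"type": "urn:ietf:params:acme:error:unauthorized"}},
    ],
}


def parse_problem(body: str) -> dict:
    """Parse an RFC 7807 problem document into its three ACME-relevant fields."""
    doc = json.loads(body)
    return {
        "type": doc.get("type", ""),
        "detail": doc.get("detail", ""),
        "status": int(doc.get("status", 0)),
    }


def is_not_pending_error(problem: dict) -> bool:
    """True when the server says the authorization is no longer pending:
    the client should GET the authorization and branch on its status
    rather than retry the challenge POST."""
    return (problem["type"].endswith(":malformed")
            and "authorization must be pending" in problem["detail"])


def next_action(authz: dict, challenge_type: str = "http-01") -> str:
    """Map an authorization object to the client's next step.

    Only a pending authorization with a pending challenge may be answered;
    a valid one is skipped straight to order finalization, and a terminal
    one (invalid/expired/revoked/deactivated) needs a fresh order."""
    status = authz.get("status")
    if status == "valid":
        return "finalize"
    if status in ("invalid", "expired", "revoked", "deactivated"):
        return "new-order"
    if status != "pending":
        raise ValueError(f"unknown authorization status {status!r}")
    for chall in authz.get("challenges", []):
        if chall.get("type") != challenge_type:
            continue
        cstatus = chall.get("status")
        if cstatus == "pending":
            return f"respond:{chall['url']}"   # safe to POST the key authorization
        if cstatus == "processing":
            return f"poll:{chall['url']}"      # server is validating; do not re-POST
        if cstatus == "valid":
            return "poll-authz"                # authorization should flip to valid
        return "new-order"
    raise ValueError(f"no {challenge_type} challenge offered")


if __name__ == "__main__":
    prob = parse_problem(SAMPLE_PROBLEM)
    print(prob, "->", "re-fetch authorization" if is_not_pending_error(prob) else "other error")
    for name, authz in (("pending", AUTHZ_PENDING), ("valid", AUTHZ_VALID), ("invalid", AUTHZ_INVALID)):
        print(name, "->", next_action(authz))
```

The practical check this encodes: on a retry, fetch the authorization URL from the order first and only answer the challenge when `next_action` returns `respond:`. A renewal loop that re-posts the challenge after a previous attempt already validated (or failed) it will keep getting exactly the malformed/400 response shown in the log, no matter how many retries are added.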

The file gets deleted after successfully obtaining a certificate.

@eris Oh. OK, but isn't it hard to investigate a previous issue after you manage to obtain the certificate? :slight_smile: