Certificates wont renew, 400 Unable to update

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pacificdatacom.net

I ran this command: v-add-letsencrypt-domain admin pacificdatacom.net

It produced this output: Let's Encrypt validation status 400 (pacificdatacom.net). Details: Unable to update challenge :: authorization must be pending

My web server is (include version): Hestia Control Panel v1.4.17

The operating system my web server runs on is (include version): Debian GNU/Linux 11.1

My hosting provider, if applicable, is: COX Business,

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Hestia Control Panel v1.4.17

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A

For about a months now I am having issues getting my certs to update. I have tried everything I can think of, just not sure what is going on.

1 Like

I worked with Hestia for 8 months and they said its not on there end, that's why I am on this forum now.

When I run lets debug 3 times I get 3 different messages.

I'm confused about the time discrepancy.

The LD error is severe.
You need a working HTTP site before it can be secured (via HTTP authentication).

I can reach your site (and get a 301 redirection - we need to talk about that later):

curl -Ii http://pacificdatacom.net/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 19 Nov 2021 17:49:20 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://pacificdatacom.net/.well-known/acme-challenge/Test_File-1234

But LE and LD both fail to even reach the HTTP site...
So, you must be using some kind of GeoFencing/Location blocking OR IPS OR IP block list that is preventing the challenges to be served.

1 Like

I have a Dell SonicWall TZ400 I have been using a SonicWall for years and never had an issue, but maybe they changed something in a firmware update.

I worked with Hestia for 8 months on this and they said its not there problem, that's why I am on this forum now.

Does it have a log?
Does it have a way of controlling it?

1 Like

Can you tell me more about this? I have redirect to HTTPS on in Hestia and on in WordPress.

It makes little sense to answer the heard challenge requests with a redirection instead of just the answer and be done with it.
More so, if you are security conscient, where HTTPS access should be the most restrictive.
HTTP access should basically redirect everything to HTTPS (except the LE challenges).


So what would you need from me. Yess I need to figure out the 400 Error and why I cant up date the LE SSL's. I have been working on this for a long time.

You said something about an 301 redirect error and I just though that was something I could fix now easily while we are working on the other error. Just trying to multitask and get the most done for my time sitting here.

I don't need anything from you - LOL
I work here as a volunteer; providing free "solutions" to those that need them.

I suggested to you that you can simplify the problem by NOT forwarding ALL the HTTP requests to HTTPS.
How to do that depends on the web server software (and version) and any .htaccess files and also WordPress settings.

1 Like

ok, so on the http to https in Hestia, just let that be handled in WordPress? Done

As far as the certificates not updating I am starting to thinking its something SonicWall did with the firmware update but I have know idea how to figure that one out. I just posted on SonicWALL's forums, I will let you know if I ever figure this out.

I think the same. You could try asking at their support forum.

The key is the Lets Debug response. If it cannot consistently see your server then you won't be able to get certificates from Lets Encrypt. Given you got inconsistent results I would look at settings in SonicWall that relate to "intelligent firewall" or "adaptive firewall" or "smart firewall" - something like that. It feels to me like it is adapting to a pattern in the Lets Encrypt requests and treating them as threats (mostly). Mind you, I am guessing here but that's where I would focus efforts if it was my system failing.


Ok, thanks, I hate intermittent issues.


Yes, they are tricky. Did you have any luck with @rg305 suggestion to look at its log?


Ya, I looked at logs but there are many logs and many options, I don't know what I am doing. If someone knew what log to use, and what report etc, maybe I could get somewhere :slight_smile: