HestiaCP panel: Let's encrypt finalize bad status 403

Hello,

My domain is: bellerad.io (alias: ma.bellerad.io)

I ran this command: HestiaCP Let's Encrypt checkmark

It produced this output:
    {
      "type": "urn:ietf:params:acme:error:orderNotReady",
      "detail": "Order's status ("invalid") is not acceptable for finalization",
      "status": 403
    }

My web server is: Ghost v5.94.0 (Node.js v20.17.0 application) behind nginx 1.27.1

The operating system my web server runs on is: Ubuntu 22.04.4 LTS minimal

My hosting provider, if applicable, is: self-hosted (evi.dement.es) on an Oracle Cloud AMD VPS

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: HestiaCP v1.8.12

The version of my client is: I don't know

I read this previous topic: Error: Let's Encrypt finalize bad status 403, and checked the following points:

Here is my log file (contains multiple attempts).
LE-belle-bellerad.io.log.txt (43.6 KB)

I don't know what to do next. Any clue?

1 Like

Your domain is currently replying with a generic landing page:

Make sure the domain is pointing to the real IP address of your web server

4 Likes

Fixed it. In HestiaCP, I redirected bellerad.io to point to www.bellerad.io.

However, Let's Encrypt certification failed again.

These two domain names point to different servers. If www is working correctly then you should probably update the apex domain name IP.

    bellerad.io.		10800	IN	A	217.70.184.38
    www.bellerad.io.	10800	IN	A	130.61.123.88

7 Likes

Thanks for your leads! I fixed it; https://mxtoolbox.com/ now reports it properly.

Nevertheless, I suppose I shall wait for this change to propagate.

I'll retry later on.

1 Like

I concur with Mike and Christopher's assessment(s):

    rip:T430 ~ >>  check_dns.py bellerad.io

    A records for bellerad.io: ['217.70.184.38']
    AAAA records for bellerad.io: No record found
    MX records for bellerad.io: ['10 mxa.eu.mailgun.org.', '10 mxb.eu.mailgun.org.']
    NS records for bellerad.io: ['ns-194-b.gandi.net.', 'ns-250-a.gandi.net.', 'ns-161-c.gandi.net.']
    CNAME records for bellerad.io: No record found
    TXT records for bellerad.io: ['"v=spf1 include:mailgun.org ~all"', '"facebook-domain-verification=hjwa0sna8d8cd5v7fyinzr8r87h3jz"']
    SOA records for bellerad.io: ['ns1.gandi.net. hostmaster.gandi.net. 1726704000 10800 3600 604800 10800']

    rip:T430 ~ >>  check_dns.py www.bellerad.io
    A records for www.bellerad.io: ['130.61.123.88']
    AAAA records for www.bellerad.io: No record found
    MX records for www.bellerad.io: No record found
    NS records for www.bellerad.io: No record found
    CNAME records for www.bellerad.io: No record found
    TXT records for www.bellerad.io: No record found
    SOA records for www.bellerad.io: No record found

bellerad.io and www.bellerad.io are configured on two completely separate networks

5 Likes
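The replies above all come down to one pre-flight check: every name that will share a certificate order must resolve to the same web server. The following script is an added example, not the check_dns.py tool used in the post above and not HestiaCP code; it uses only the Python standard library, and its `resolver` parameter exists so the comparison logic can be run against constructed records (the two A records quoted earlier; the alias value is an assumption) without network access.

```python
"""Added example (not from the thread): check that every name that will appear
in one certificate order resolves to the same web server before requesting it.

Uses only the standard library. socket.getaddrinfo asks the local stub
resolver, so a recently changed record may still come back cached here even
though Let's Encrypt, which queries the authoritative servers directly, already
sees the new value. The `resolver` parameter exists so the logic can be run
against constructed data without network access."""
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


def resolve_a(name: str) -> List[str]:
    """Return the sorted, de-duplicated IPv4 addresses for `name` ([] if none)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_order_names(names: List[str], resolver: Resolver = resolve_a) -> Dict[str, object]:
    """Resolve every name that would share one certificate and report whether
    they all point at the same host. The first name is the reference (the
    apex/primary domain), as with a HestiaCP domain and its aliases."""
    addresses = {name: resolver(name) for name in names}
    reference = addresses[names[0]]
    mismatched = [n for n, addrs in addresses.items() if addrs != reference]
    unresolved = [n for n, addrs in addresses.items() if not addrs]
    return {
        "addresses": addresses,
        "consistent": not mismatched and not unresolved,
        "mismatched": mismatched,
        "unresolved": unresolved,
    }


# Constructed sample: the two A records quoted earlier in the thread (before the
# fix); the value for the alias ma.bellerad.io is an assumption for illustration.
SAMPLE_RECORDS = {
    "bellerad.io": ["217.70.184.38"],
    "ma.bellerad.io": ["130.61.123.88"],
    "www.bellerad.io": ["130.61.123.88"],
}


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for resolve_a, backed by the constructed records above."""
    return SAMPLE_RECORDS.get(name, [])


if __name__ == "__main__":
    import sys
    names = sys.argv[1:] or ["bellerad.io", "ma.bellerad.io", "www.bellerad.io"]
    report = check_order_names(names)
    for name, addrs in report["addresses"].items():
        print(f"{name}: {addrs or 'no A record'}")
    if report["consistent"]:
        print("all names resolve to the same address; safe to request the order")
    else:
        print("fix DNS first; mismatched:", report["mismatched"],
              "unresolved:", report["unresolved"])
```

Run it with the names you intend to put in the order; a non-empty `mismatched` list means one of them still points elsewhere, which is exactly the apex/www split shown in the dig output above.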

Let's Encrypt queries your authoritative DNS servers directly. It is not affected by TTL propagation.

You can try again now. And use https://unboundtest.com to look up the IP address similarly to how Let's Encrypt does it (it already sees your corrected IP address).

5 Likes

Failed with the same error message :cry:

Please repost the log file.
I see a third name included in the original post:

    {
      "type": "dns",
      "value": "bellerad.io"
    },
    {
      "type": "dns",
      "value": "ma.bellerad.io"
    },
    {
      "type": "dns",
      "value": "www.bellerad.io"
    }
3 Likes

ma.bellerad.io is an alias I set in HestiaCP for my main domain. In https://unboundtest.com, it leads to the same IP.

Here is the log:
LE-belle-bellerad.io.log.txt (9.8 KB)

1 Like

The key part of that log is the result of the challenge which is:

    "type": "http-01",
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/406086082746/YOAERQ",
    "status": "invalid",
    "validated": "2024-09-20T12:49:52Z",
    "error": {
      "type": "urn:ietf:params:acme:error:unauthorized",
      "detail": "130.61.123.88: Invalid response from http://bellerad.io/.well-known/acme-challenge/dvomvcg6anw04wnmsgfxgsafzwpgcfqp-27ghtfqfwa/: 404",
      "status": 403
    },

Note the "detail" part which shows the URL that failed. All of the characters are lower-case. That is wrong. Something on your system is redirecting requests but changing everything to lower case.

I can reproduce that failure with simple requests:

    # This redirects by adding trailing slash
    # Probably also creates problem but still upper case
    curl -iL http://bellerad.io/.well-known/acme-challenge/Test404UPPER
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    X-Powered-By: Express
    Location: /.well-known/acme-challenge/Test404UPPER/

    # Following that link gets redirected again but all lower case now
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    X-Powered-By: Express
    Location: /.well-known/acme-challenge/test404upper/

    # And finally this.
    HTTP/1.1 404 Not Found
    Server: nginx

4 Likes
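The curl session above is the right diagnostic, and it is worth having as a repeatable check rather than reading headers by eye. The script below is an added example, not code from the thread or from HestiaCP: it walks the redirect chain for a challenge URL hop by hop, then reports whether a trailing slash was added, whether the token's case was altered on the way, and what status the chain ends in. The `fetch` parameter is injectable so the logic can be exercised offline against a constructed chain that mirrors the three responses shown above; the default fetcher performs real requests with the standard library only.

```python
"""Added example (not from the thread): walk the redirect chain for an http-01
challenge URL the way the curl -iL session above does, and flag the two things
that break validation: a redirect that alters the token's case, and a chain that
does not end in 200. Let's Encrypt follows redirects during http-01 validation,
so an intermediate 301 is fine only if the token path survives it unchanged.

Standard library only. `fetch` is injectable so the logic can be exercised
against a constructed chain; the default performs one real request per hop
without letting urllib follow redirects itself."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Hop = Tuple[int, Optional[str]]          # (status, Location header or None)
Fetcher = Callable[[str], Hop]

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so each hop can be recorded."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_once(url: str, timeout: float = 10.0) -> Hop:
    """Perform one GET and return (status, Location) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:      # urllib raises on 3xx/4xx/5xx
        return err.code, err.headers.get("Location")


def walk_redirects(url: str, fetch: Fetcher = fetch_once,
                   max_hops: int = 10) -> List[Tuple[str, int]]:
    """Return [(url, status), ...] for every hop until a non-redirect or max_hops."""
    chain: List[Tuple[str, int]] = []
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        chain.append((current, status))
        if status not in REDIRECT_CODES or not location:
            break
        current = urljoin(current, location)   # Location may be relative
    return chain


def diagnose_challenge_path(chain: List[Tuple[str, int]]) -> Dict[str, object]:
    """Compare the token segment at the start and the end of the chain."""
    first_path = urlsplit(chain[0][0]).path
    last_path = urlsplit(chain[-1][0]).path
    token = first_path.rstrip("/").rsplit("/", 1)[-1]
    final_token = last_path.rstrip("/").rsplit("/", 1)[-1]
    return {
        "hops": len(chain) - 1,
        "final_status": chain[-1][1],
        "trailing_slash_added": last_path.endswith("/") and not first_path.endswith("/"),
        "case_changed": token != final_token and token.lower() == final_token.lower(),
        "ok": chain[-1][1] == 200 and token == final_token,
    }


# Constructed chain mirroring the curl session above: slash added, then
# lower-cased, then 404. The hostname and test token are the ones used there.
SAMPLE_CHAIN = {
    "http://bellerad.io/.well-known/acme-challenge/Test404UPPER":
        (301, "/.well-known/acme-challenge/Test404UPPER/"),
    "http://bellerad.io/.well-known/acme-challenge/Test404UPPER/":
        (301, "/.well-known/acme-challenge/test404upper/"),
    "http://bellerad.io/.well-known/acme-challenge/test404upper/":
        (404, None),
}


def sample_fetch(url: str) -> Hop:
    """Offline stand-in for fetch_once backed by SAMPLE_CHAIN."""
    return SAMPLE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    import sys
    target = (sys.argv[1] if len(sys.argv) > 1
              else "http://bellerad.io/.well-known/acme-challenge/Test404UPPER")
    hops = walk_redirects(target)
    for hop_url, status in hops:
        print(status, hop_url)
    print(diagnose_challenge_path(hops))
```

Point it at `http://<your-domain>/.well-known/acme-challenge/<MixedCaseToken>` while a real token file is in place; `case_changed: True` is the signature of the failure described in this thread, because ACME tokens are case-sensitive and a lower-cased path can never match the file the client wrote.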

It seems like the first two names are OK.
The last name "bellerad.io" is the one with issues.

I also see:

WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx

which may be part of the problem, as both systems may need to handle each name.
Perhaps one of them is not handling this name correctly.
[I don't know how to troubleshoot that panel]

4 Likes

All three names are showing that same trailing slash issue.
I can only suppose the panel makes some temporary adjustment to handle the ACME request.
[i.e. --nginx or --apache]

That said, why do two work and one fails?

3 Likes

That is probably true. In which case they need to check why bellerad.io is handled differently in their panel.

The challenge failure message from LE has the URL in all lower case. There is no practical way that can happen once let alone repeatedly.

My tests showing lower case may not reflect what happens in their system for a valid request. But, their system is failing to handle bellerad.io properly. Otherwise we would see a valid URL in the error message from LE.

4 Likes

I raised the issue in HestiaCP forum: Let's encrypt certification: fails due to lowercasing? - Hestia Control Panel - Discourse. If there is any progress, I can update this thread for information sake.

Thanks a lot for all the leads, sorry for my silly mistakes at the beginning!

3 Likes

Solved for the HestiaCP part! I got me a certificate!

There were three levels of nginx configuration files to deal with: panel > site > NodeJS. In my site nginx.conf file, I was suggested to add (before an existing include):

    include /home/YourUser/conf/web/bellerad.io/nginx.conf_*;

Again, thanks a ton!

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.