HestiaCP unable to obtain SSL certificates for mail domains

My domain is: pop

I ran this command: Obtain SSL certificates for mail server using the HestiaCP admin control panel

It produced this output:Error: Let's Encrypt validation status 400 (mail). Details: 403:": Invalid response from http://mail.pop.gr/.well-known/acme-challenge/2TMdEmjkiQGRVMWNoW6K8xzS6bncoo487WH_ob2XrLU: 404"

My web server is (include version): NGinx

The operating system my web server runs on is (include version): Ubuntu Linux

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): HestiaCP

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Welcome to the Let's Encrypt Community! :slightly_smiling_face:

Let me get you unmuted...

Sent a message to staff.

Thank you. I am not sure how appropriate my questions is, as it is related more to HestiaCP but included issues with the ACME files not being created where they are expected to be found by LetsEncrypt

Your mail subdomain name may not be running a webserver, which will make it difficult to pass an HTTP-01 challenge.

With cPanel, the mail subdomain serves the same content as the apex domain name, making it easy to pass HTTP-01, but not Hestia I think.

No, the domain is actually a FQDN, I just omitted it for privacy reasons. The server seems to be running fine but I saw that the challenge files are not even created. Perhaps some permission problem from the user the web server/process is running as

The challenge files might not actually be created. Some ACME clients, like certbot, create temporary exceptions in nginx config files rather than creating actual challenge files. Depends upon what Hestia is doing under the hood.

I understand. Better direct my questions to the Hestia forum, then. I doubted it was anything to do with LetsEnctypt but was hoping some random person here could have seen this issue and known the solution. I've investigated and problem thoroughly looking at log files etc, but no cigar. Thanks anyway!

The main thing is whether Let's Encrypt can be properly served the challenge responses. Right now LE is seeing a 404, which usually indicates incorrect "routing" to the challenge token via the webserver or some frontend.

Sounds like a misconfiguration of HestiaCPs' nginx. I've had some issues with that in other respects

Quite possible. Mail subdomain names can be tricky.

The DNS-01 challenge might be more appropriate in this instance since both mail and HTTP use DNS.

These challenges should work on their own through HestiaCP. Going to their forum is a good idea.