Hestiacp and Let's Encrypt

Please fill out the fields of the following form so that we can help you as well as possible. Note: you must provide your domain name to get help. Domain names for issued certificates are made public in Certificate Transparency logs (for example, https://crt.sh/?q=example.com), so hiding your domain name here serves no purpose; it only makes it harder for us to give you the help you asked for.

I can read answers in English (yes or no): YES

My domain is: app.nredes.dev

I ran this command: v-add-letsencrypt-domain user app.nredes.dev

It produced this output: Error: Let's Encrypt validation status 400 (app.nredes.dev). Details: Unable to update challenge :: authorization must be pending

My web server is (include version): ubuntu 20.04 with hestiacp

The operating system my web server runs on is (include version): ubuntu 20.4

My hosting provider (if applicable) is: Webuphosting.com

I can log in to a root shell on my server (yes, no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): hestiacp 1.5.11

The version of my client is (for example, if you use certbot, show the output of certbot --version or certbot-auto --version):

None of the subdomains I have on that server get validated. The domain is hosted at webuphosting.com with a cPanel where I have A records for each subdomain.

I have this log:

Date Time: 2022-03-27 23:01:30
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: neomorbius
domain: citra.nredes.dev

  • aliases:
  • proto: http-01
  • wildcard:

==[Step 1]==

  • status: 200
  • nonce: 0002_6-TPC5DNY6UKOLg8sp14XbO_8QJhVLLZMoXpDXzMIY
  • answer: HTTP/2 200
    server: nginx
    date: Sun, 27 Mar 2022 21:01:31 GMT
    content-type: application/json
    content-length: 658
    cache-control: public, max-age=0, no-cache
    replay-nonce: 0002_6-TPC5DNY6UKOLg8sp14XbO_8QJhVLLZMoXpDXzMIY
    x-frame-options: DENY
    strict-transport-security: max-age=604800

==[API call]==
exit status: 0

==[Step 2]==

{
"status": "pending",
"expires": "2022-04-03T21:01:32Z",
"identifiers": [
{
"type": "dns",
"value": "citra.nredes.dev"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/92091404450"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/469244510/75099432630"
}

==[API call]==
exit status: 0

==[Step 3]==

  • status: 200
  • nonce: 01016CmkcbIzI74jaOOjpjmsQ8wkdzhM0zU8s27J0WXw5yw
  • url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/92091404450/rVkh5w
  • token: GV2VCP-p-bnwt18UJy0TabrswmYzYr89M-On-MUu7Zg
  • answer: HTTP/2 200
    server: nginx
    date: Sun, 27 Mar 2022 21:01:33 GMT
    content-type: application/json
    content-length: 797
    boulder-requester: 469244510
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
    replay-nonce: 01016CmkcbIzI74jaOOjpjmsQ8wkdzhM0zU8s27J0WXw5yw
    x-frame-options: DENY
    strict-transport-security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "citra.nredes.dev"
},
"status": "pending",
"expires": "2022-04-03T21:01:32Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/92091404450/rVkh5w",
"token": "GV2VCP-p-bnwt18UJy0TabrswmYzYr89M-On-MUu7Zg"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/92091404450/8yafDg",
"token": "GV2VCP-p-bnwt18UJy0TabrswmYzYr89M-On-MUu7Zg"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/92091404450/O0sAmg",
"token": "GV2VCP-p-bnwt18UJy0TabrswmYzYr89M-On-MUu7Zg"
}
]
}

==[API call]==
exit status: 0

==[Step 5]==

{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/92091404450/rVkh5w",
"token": "GV2VCP-p-bnwt18UJy0TabrswmYzYr89M-On-MUu7Zg"
}

==[API call]==
exit status: 0

==[Step 5]==

  • status: 400
  • nonce: 0102KOozpmJyuxFhSwlAl6IRwItgLgOy4doujaLBYVrTINQ
  • validation:
  • details: Unable to update challenge :: authorization must be pending
  • answer: HTTP/2 400
    server: nginx
    date: Sun, 27 Mar 2022 21:01:43 GMT
    content-type: application/problem+json
    content-length: 144
    boulder-requester: 469244510
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
    replay-nonce: 0102KOozpmJyuxFhSwlAl6IRwItgLgOy4doujaLBYVrTINQ

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
}

==[Abort Step 5]==
=> Wrong status

I think probably this is due to the fact that one of your domain's nameservers, ns2.tuhosting.cloud, is offline.

The process to obtain a certificate sometimes has trouble when there are only 2 nameservers and 1 is offline.

You can try again and hope for a different result, or you can ask your host why the nameserver is offline.

2 Likes

OK, then I changed all DNS but I have the same problem:

Date Time: 2022-03-28 18:54:03
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: neomorbius
domain: nredes.dev

  • aliases:
  • proto: http-01
  • wildcard:

==[Step 1]==

  • status: 200
  • nonce: 0102GuGfM6FPYZXPQQWQ2TDDOjIbGW4v8PPfGWYIzTk3E8E
  • answer: HTTP/2 200
    server: nginx
    date: Mon, 28 Mar 2022 16:54:04 GMT
    content-type: application/json
    content-length: 658
    cache-control: public, max-age=0, no-cache
    replay-nonce: 0102GuGfM6FPYZXPQQWQ2TDDOjIbGW4v8PPfGWYIzTk3E8E
    x-frame-options: DENY
    strict-transport-security: max-age=604800

==[API call]==
exit status: 0

==[Step 2]==

{
"status": "pending",
"expires": "2022-04-04T16:54:04Z",
"identifiers": [
{
"type": "dns",
"value": "nredes.dev"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/92375619820"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/469244510/75332701770"
}

==[API call]==
exit status: 0

==[Step 3]==

  • status: 200
  • nonce: 0102CjsxoJBs_InKHSNr81SLQ5ltVw7w6TSohUtkS_bJeWM
  • url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/92375619820/eH8LSw
  • token: _IvJ7iQBnIP3PuqGxokE8jAT8Vc6CXuXWjqT4Q5esZY
  • answer: HTTP/2 200
    server: nginx
    date: Mon, 28 Mar 2022 16:54:05 GMT
    content-type: application/json
    content-length: 791
    boulder-requester: 469244510
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
    replay-nonce: 0102CjsxoJBs_InKHSNr81SLQ5ltVw7w6TSohUtkS_bJeWM
    x-frame-options: DENY
    strict-transport-security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "nredes.dev"
},
"status": "pending",
"expires": "2022-04-04T16:54:04Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/92375619820/eH8LSw",
"token": "_IvJ7iQBnIP3PuqGxokE8jAT8Vc6CXuXWjqT4Q5esZY"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/92375619820/M-QQRQ",
"token": "_IvJ7iQBnIP3PuqGxokE8jAT8Vc6CXuXWjqT4Q5esZY"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/92375619820/rOK0zQ",
"token": "_IvJ7iQBnIP3PuqGxokE8jAT8Vc6CXuXWjqT4Q5esZY"
}
]
}

==[API call]==
exit status: 0

==[Step 5]==

{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/92375619820/eH8LSw",
"token": "_IvJ7iQBnIP3PuqGxokE8jAT8Vc6CXuXWjqT4Q5esZY"
}

==[API call]==
exit status: 0

==[Step 5]==

  • status: 400
  • nonce: 0002pWmMgz2lUHFrhD7jjy7C9-Rs0BUx2cyGCE3K9eyi8Oc
  • validation:
  • details: Unable to update challenge :: authorization must be pending
  • answer: HTTP/2 400
    server: nginx
    date: Mon, 28 Mar 2022 16:54:15 GMT
    content-type: application/problem+json
    content-length: 144
    boulder-requester: 469244510
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
    replay-nonce: 0002pWmMgz2lUHFrhD7jjy7C9-Rs0BUx2cyGCE3K9eyi8Oc

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
}

==[Abort Step 5]==
=> Wrong status

That picture says a lot!

Root Internet DNS systems say that your authoritative DNS servers are:

nredes.dev      nameserver = ns1.vpspanel.es [86.105.50.78]
nredes.dev      nameserver = ns2.vpspanel.es [217.61.97.30]

But when you ask those servers, they say NOT, use:

nredes.dev      nameserver = ns1.vpspanel.com [64.98.145.30]
nredes.dev      nameserver = ns2.vpspanel.com [64.98.145.30]

[which is just one IP - single point of failure]

And when you ask that one IP, it says:

nslookup -q=ns nredes.dev 64.98.145.30
Server:  UnKnown
Address:  64.98.145.30
*** UnKnown can't find nredes.dev: No response from server

Your DNS is broken.

1 Like
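The delegation check walked through in the post above, as an added example that is not part of the original thread: it parses the nameserver lines quoted there (embedded below as constructed input) and flags a parent/child NS mismatch, an NS set that collapses to one IP, and servers that gave no response. The function names and finding labels are illustrative assumptions.

```python
import re

# Constructed input: the annotated nameserver lines quoted in the post above.
PARENT_VIEW = """\
nredes.dev      nameserver = ns1.vpspanel.es [86.105.50.78]
nredes.dev      nameserver = ns2.vpspanel.es [217.61.97.30]
"""
CHILD_VIEW = """\
nredes.dev      nameserver = ns1.vpspanel.com [64.98.145.30]
nredes.dev      nameserver = ns2.vpspanel.com [64.98.145.30]
"""
# Addresses that returned "No response from server" for the zone (from the post).
NO_RESPONSE = {"64.98.145.30"}

NS_LINE = re.compile(r"^(\S+)\s+nameserver = (\S+)\s+\[([0-9a-fA-F.:]+)\]$")

def parse_ns(text):
    """Return {nameserver_name: ip} from lines in the format shown above."""
    servers = {}
    for line in text.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            servers[m.group(2).rstrip(".").lower()] = m.group(3)
    return servers

def audit_delegation(parent, child, no_response=frozenset()):
    """Compare the parent's delegation with what the delegated servers advertise."""
    findings = []
    # The NS set at the parent and the NS set inside the zone should be identical.
    if set(parent) != set(child):
        findings.append("ns-mismatch: parent delegates to %s but zone advertises %s"
                        % (sorted(parent), sorted(child)))
    # Several NS names behind one address give no redundancy at all.
    for label, view in (("parent", parent), ("child", child)):
        if len(view) > 1 and len(set(view.values())) == 1:
            findings.append("single-ip: %s NS set resolves to one address %s"
                            % (label, next(iter(view.values()))))
    # Any listed server that does not answer for the zone breaks resolution.
    for name, ip in sorted({**parent, **child}.items()):
        if ip in no_response:
            findings.append("no-answer: %s [%s] does not answer for the zone"
                            % (name, ip))
    return findings

if __name__ == "__main__":
    for finding in audit_delegation(parse_ns(PARENT_VIEW), parse_ns(CHILD_VIEW),
                                    NO_RESPONSE):
        print(finding)
```

A validating CA resolves the name through the same delegation chain, so any finding here can surface as a failed http-01 validation before the web server is ever contacted.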

Now it works fine. I have an answer from DNS and DNS propagation.

But it doesn't work. I have the same error message 400.

Name:    url.hover.com
Address:  64.98.145.30

64.98.145.30 is unwilling to validate your DNS zone.

3 Likes

OK, now I validated NREDES.DEV, the parent domain, but I need to validate some subdomains that are on the same server (hestiacp), and I have this error when I try to validate them.

=============================
Date Time: 2022-03-29 15:39:08
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: neomorbius
domain: citra.nredes.dev

  • aliases:
  • proto: http-01
  • wildcard:

==[Step 1]==

  • status: 200
  • nonce: 0002Dv0kgMTED1RFc4bvXWOzo2QCHh0NednS5lRvo4BdUmE
  • answer: HTTP/2 200
    server: nginx
    date: Tue, 29 Mar 2022 13:39:09 GMT
    content-type: application/json
    content-length: 658
    cache-control: public, max-age=0, no-cache
    replay-nonce: 0002Dv0kgMTED1RFc4bvXWOzo2QCHh0NednS5lRvo4BdUmE
    x-frame-options: DENY
    strict-transport-security: max-age=604800

==[API call]==
exit status: 0

==[Step 2]==

{
"status": "pending",
"expires": "2022-04-05T13:39:10Z",
"identifiers": [
{
"type": "dns",
"value": "citra.nredes.dev"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/92670702650"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/469244510/75575114340"
}

==[API call]==
exit status: 0

==[Step 3]==

  • status: 200
  • nonce: 0101QTAPv-kwEkHViQUWitMIHJOj158JqNVFiXca-4sW7cw
  • url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/92670702650/iG3GuA
  • token: EJ0ANjMQN_IhutitZCWHj6RPiXsWQUJOYrgrRn0nYi8
  • answer: HTTP/2 200
    server: nginx
    date: Tue, 29 Mar 2022 13:39:10 GMT
    content-type: application/json
    content-length: 797
    boulder-requester: 469244510
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
    replay-nonce: 0101QTAPv-kwEkHViQUWitMIHJOj158JqNVFiXca-4sW7cw
    x-frame-options: DENY
    strict-transport-security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "citra.nredes.dev"
},
"status": "pending",
"expires": "2022-04-05T13:39:10Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/92670702650/iG3GuA",
"token": "EJ0ANjMQN_IhutitZCWHj6RPiXsWQUJOYrgrRn0nYi8"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/92670702650/pqnl6A",
"token": "EJ0ANjMQN_IhutitZCWHj6RPiXsWQUJOYrgrRn0nYi8"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/92670702650/IxEM0Q",
"token": "EJ0ANjMQN_IhutitZCWHj6RPiXsWQUJOYrgrRn0nYi8"
}
]
}

==[API call]==
exit status: 0

==[Step 5]==

{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/92670702650/iG3GuA",
"token": "EJ0ANjMQN_IhutitZCWHj6RPiXsWQUJOYrgrRn0nYi8"
}

==[API call]==
exit status: 0

==[Step 5]==

  • status: 400
  • nonce: 0001OBwc1tspiZkPjVp_yunQkOV4lIwmvFI6U5ro-Mgwh3Y
  • validation:
  • details: Unable to update challenge :: authorization must be pending
  • answer: HTTP/2 400
    server: nginx
    date: Tue, 29 Mar 2022 13:39:20 GMT
    content-type: application/problem+json
    content-length: 144
    boulder-requester: 469244510
    cache-control: public, max-age=0, no-cache
    link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
    replay-nonce: 0001OBwc1tspiZkPjVp_yunQkOV4lIwmvFI6U5ro-Mgwh3Y

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
}

==[Abort Step 5]==
=> Wrong status

You are NOT listening.
You are NOT understanding.

The DNS for your domain is broken.
When the domain DNS is broken, the DNS for all subdomains will also be broken.

1 Like