LetsEncrypt errors with external subdomain in VestaCP

marcelo4k · August 7, 2020, 3:15pm

Hello,

I cannot add a LetsEncrypt certificate to externally pointed subdomains.
For example:
-mydomain.com is in HappyHosting
-I point A record for subdomain.mydomain.com in HappyHosting to CloudHosting, where I have my VestaCP
-I add subdomain.mydomain.com to my VestaCP webs
-I check the box for LetsEncrypt and I get an error

Can this be achieved by redirecting some “acme-challenge” folder/link to mydomain.com in HappyHosting via .htaccess in CloudHosting?

Best,
Marcelo

Osiris · August 7, 2020, 4:49pm

So far so good.

What’s the exact error? The more information the better.

That shouldn’t be necessary and would only complicate things. If there’s just a small amount of servers involved (I’m counting just two here), IMHO it would be best to let the server who ultimately uses the certificate also get the certificate, including the validation process.

marcelo4k · August 7, 2020, 4:57pm

Thanks Osiris, the error displayed:
Error: Let’s Encrypt validation status 400

Best,
Marcelo

Osiris · August 7, 2020, 5:05pm

That could be literally anything and unfortunately doesn’t help us. It just says the validation was unsuccesful. Does VestaCP have some kind of verbos log?

marcelo4k · August 7, 2020, 5:18pm

Trying to get some more info; please take into account that this problem happens only for external subdomains - if I have the domain’s DNS on DigitalOcean (alias CloudHosting;), everything goes fine and VestaCP gets LE certificates without errors. But if a subdomain is pointed from an external server where the main domain is held (HappyHosting in my example) the problem arises.

Best

Osiris · August 7, 2020, 5:27pm

It shouldn’t matter where the DNS is hosted, assuming the DNS service isn’t malfunctioning. The latter could be the case, but without the actual hostname we can’t test this. You might try to test it yourself on https://unboundtest.com/ if you really don’t want to share the hostname. (The questionnaire of the Help section you’ve deleted when you started this thread does mention sharing of the hostname is mandatory for getting help by the way…)

marcelo4k · August 7, 2020, 5:37pm

Thank you Osiris, the response appears to be ok:
Response:
;; opcode: QUERY, status: NOERROR, id: 34881
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sudomain.mydomain.com. IN CAA

;; AUTHORITY SECTION:
mydomain.com. 0 IN SOA …

Osiris · August 7, 2020, 5:55pm

That’s the CAA record you’ve checked. No error and no answer is fine.

I must say, checking the DNS is just one of many steps in debugging this kind of issue. Chances are very large there’s nothing wrong with the DNS and the problem exists somewhere else. Without the questionnaire, we can’t help you further if DNS isn’t the issue.

system · September 6, 2020, 5:55pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.