Error: Let's Encrypt validation status 400

[rogero]

Many domain names get Error: Let's Encrypt validation status 400 Some are automatically renewed after migration to new server with myvestacp. But new and other domain names are not getting renewed

[myVesta]

You need correctly configured DNS.

If you are using your own nameservers, then, for your server hostname check the following:

• In your DNS you should have NS1 and NS2 as A record that is pointing to IPv4 of your server hostname
• NS1 and NS2 should be registered as Nameservers at the register of your domain.

If you are using other DNS service, like CloudFlare, for example, then:

• Double check if both www and non-www are pointing to your IPv4 - use https://mxtoolbox.com/DNSLookup.aspx for checking
• Remove AAAA records in DNS - use https://mxtoolbox.com/IPv6.aspx for checking (should return "DNS Record not found")

(CloudFlare is exception for IPv6, it will return it's own IPv4 and IPv6, and that's fine)

Also, check the LetsEncrypt log:

Code: Select all

tail -n 300 /usr/local/vesta/log/letsencrypt.log

At least, get the latest version of myVesta:

Code: Select all

sudo /usr/local/vesta/bin/v-update-myvesta

[kjernekrafttrikk]

Same problem. I have IDN (cyrillic), that brings problems like this not the first time. Latin domains are updated OK.
Here's part of letsencrypt.log, in which, I guess, the main drama is:

Code: Select all

[Sun 21 May 2023 07:36:57 PM EET] : sleep 4 (i=2)
[Sun 21 May 2023 07:37:01 PM EET] : - Doing pol check on status
[Sun 21 May 2023 07:37:01 PM EET] : query_le_v2 "https://acme-v02.api.letsencrypt.org/acme/chall-v3/229834129207/h>
[Sun 21 May 2023 07:37:02 PM EET] : answer=HTTP/2 400
server: nginx
date: Sun, 21 May 2023 17:37:02 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 907667017
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 5CA2fM78-qmdY7N7bMHCQ3WT0vfOyMQRBkXm4tPN6xz1XRU

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}
[Sun 21 May 2023 07:37:02 PM EET] : url2=
[Sun 21 May 2023 07:37:02 PM EET] : validation=
[Sun 21 May 2023 07:37:02 PM EET] : nonce=5CA2fM78-qmdY7N7bMHCQ3WT0vfOyMQRBkXm4tPN6xz1XRU
[Sun 21 May 2023 07:37:02 PM EET] : status=400
[Sun 21 May 2023 07:37:02 PM EET] : EXIT=Let's Encrypt validation status 400

[kjernekrafttrikk]

Same problem. I have IDN (cyrillic), that brings problems like this not the first time. Latin domains are updated OK.
Here's part of letsencrypt.log, in which, I guess, the main drama is:

Code: Select all

[Sun 21 May 2023 07:36:57 PM EET] : sleep 4 (i=2)
[Sun 21 May 2023 07:37:01 PM EET] : - Doing pol check on status
[Sun 21 May 2023 07:37:01 PM EET] : query_le_v2 "https://acme-v02.api.letsencrypt.org/acme/chall-v3/229834129207/h>
[Sun 21 May 2023 07:37:02 PM EET] : answer=HTTP/2 400
server: nginx
date: Sun, 21 May 2023 17:37:02 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 907667017
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 5CA2fM78-qmdY7N7bMHCQ3WT0vfOyMQRBkXm4tPN6xz1XRU

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}
[Sun 21 May 2023 07:37:02 PM EET] : url2=
[Sun 21 May 2023 07:37:02 PM EET] : validation=
[Sun 21 May 2023 07:37:02 PM EET] : nonce=5CA2fM78-qmdY7N7bMHCQ3WT0vfOyMQRBkXm4tPN6xz1XRU
[Sun 21 May 2023 07:37:02 PM EET] : status=400
[Sun 21 May 2023 07:37:02 PM EET] : EXIT=Let's Encrypt validation status 400

By long and terrible research I've found the solution. There was my forced redirection from http to https. I turned it off and it started to work. It's still interesting, that other domains have the same rule and still are updated correctly. Dev, if it's worthable for you, so pay attention to this case.