Error: Letsencrypt nonce request status vestacp

[Messiah]

Hello,
could such error happen due to DST Root CA X3 Expiration (September 30, 2021) ?

[electricsheep]

Hello,
could such error happen due to DST Root CA X3 Expiration (September 30, 2021) ?

Yes, in my case on debian 7 server ISRG Root X1 wasn't trusted so letsencrypt refreshes started failing.

To check you can try to run in SSH
curl -I "https://acme-v02.api.letsencrypt.org/directory"

If that fails with cert error you probably need to update ca certificates list

[Messiah]

Thank you for confirmation.
I've just guessed. Maybe that post will be useful for other people who will face with this error, since the solution few posts above WILL NOT solve this problem with expired DST Root CA X3

[youradds]

Did you work out how to get this sorted? We seem to have the same CA issue:

Code: Select all

curl -I "https://acme-v02.api.letsencrypt.org/directory"
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLf                                                                                                                                           ile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

[donriga]

tail -f /var/log/vesta/letsencrypt.log
[Tue Nov 9 12:37:04 UTC 2021] : --- Requesting nonce / STEP 1 ---
[Tue Nov 9 12:37:04 UTC 2021] : curl -s -I "https://acme-v02.api.letsencrypt.org/directory"
[Tue Nov 9 12:37:04 UTC 2021] : answer=
[Tue Nov 9 12:37:04 UTC 2021] : nonce=
[Tue Nov 9 12:37:04 UTC 2021] : status=
[Tue Nov 9 12:37:04 UTC 2021] : EXIT=Let's Encrypt nonce request status

Solved: apt-get install curl

[stephensaid]

None of the solutions I found solved this problem.

I've just guessed. Maybe that post will be useful for other people who will face with this error, since the solution few posts above WILL NOT solve this problem with expired DST Root CA X3

Running curl -l "https://acme-v02.api.letsencrypt.org/directory" outputs the following:

Code: Select all

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Does this mean we need to update the ca certificate list?
How do we do that?

I will soon have several sites without SSL, one of which has a lot of traffic!

Any help is appreciated.

[youradds]

What OS are you on? It looks like you need to update your root CA certificates. I did this on my server with:

Code: Select all

apt-get update
sudo apt-get install ca-certificates -y
sudo update-ca-certificates

Then restart the server. If it fixed it, you should be able to `curl` again like your test, but this time without an error. Hope that helps! (I spent hours and hours trying to figure that out)

[Vegas10128]

Good morning

We run sites on both cloud servers with Ubuntu
on Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-64-generic x86_64) with all latest update installed.

Yesterday we received email from root:
domain Error: lets encrypt nonce request status

I went to terminal and run
./v-add-letsencrypt-domain and got same error:
let's encrypt nonce status

How can i resolve the issue ?

Thanks

This might sound crazy, i was facing nonce request error.
Error 503 nonce when trying to generate ssl certificate using vesta control panel.

I found that removing the www. domain .com in the subdomain's box under the root domain, save, refresh page,
then generate new ssl certificate fixed the issue.

Now,
Before anyone says my domain records were not set correctly, i will be first to say they were triple checked and everything was set correctly.
No i did not change the A records prior to this issue.

This issue also did not happen until after vesta made a new update and the control panel theme was different.