
SSL Certificate Stuck in Pending

Fix an SSL certificate that stays in Pending status after clicking Issue.

Last updated 2026-04-08 (Unix timestamp 1775606400)

After clicking Issue Certificate on a domain, the status changes to "Pending" and stays there. The certificate never activates.

Normal Behavior First

Certificate issuance is asynchronous. After clicking Issue, the Agent calls Certbot in the background. Certbot asks Let's Encrypt for a certificate, serves the HTTP-01 challenge token (Let's Encrypt fetches it from http://yourdomain.example.com/.well-known/acme-challenge/<token> over plain HTTP on port 80), and downloads the issued certificate. On a healthy server with correct DNS this takes between 10 and 45 seconds.

Wait at least 60 seconds before troubleshooting. Refresh the domain's SSL panel to re-poll the status. If it shows "Active" after refreshing, you are done.

If it is still Pending after 60 seconds, proceed below.

Step 1: Check Agent Logs for Certbot Output

journalctl -u opterius-agent | grep -i certbot

This shows what Certbot actually said. Look for error messages — they are usually specific enough to point directly to the cause.

Step 2: Check the Certificate State

SSH in and run:

certbot certificates

This lists every certificate Certbot manages on this server. If the domain appears with an Expiry Date in the future (Certbot prints it as VALID), the certificate was issued but the Agent never wrote the result back to the Panel. Restart the Agent so it re-syncs:

systemctl restart opterius-agent

If the domain does not appear at all, issuance failed. Read the Certbot output carefully.

Common Causes

Port 80 is blocked. Let's Encrypt's HTTP-01 challenge requires port 80 to be reachable from the internet. Many cloud providers block inbound port 80 in their external firewall by default, separate from the OS firewall. Check:

  • Your cloud provider's firewall/security group rules (Linode Cloud Firewall, AWS Security Group, etc.)
  • OS-level firewall: ufw status, iptables -L -n (or nft list ruleset on nftables hosts)
  • Certbot logs: journalctl -u opterius-agent | grep certbot will show the ACME error

Allow TCP port 80 from 0.0.0.0/0, and from ::/0 as well if the domain has an AAAA record (Let's Encrypt validates over IPv6 when one is published). Let's Encrypt does not publish a fixed set of validation addresses and validates from several vantage points, so the source cannot be allow-listed.

DNS not pointing to this server. The domain must resolve to this server's IP before Let's Encrypt can validate it. Check both record types, because a stale AAAA record is enough to fail validation (Let's Encrypt prefers IPv6 when an AAAA record exists):

dig +short yourdomain.example.com A
dig +short yourdomain.example.com AAAA

If either result is not this server's address, update the DNS record (or delete the stale AAAA) and wait for propagation (typically 1–15 minutes for zones managed by Opterius's PowerDNS, longer for external DNS).

Let's Encrypt rate limit. Let's Encrypt issues at most 5 duplicate certificates (the same set of names) per week, and also stops validating after 5 failed challenges per hostname per account per hour. Revoking a certificate does not reset either counter, so if you have been issuing and revoking repeatedly during testing, or clicking Issue again while port 80 or DNS was still broken, you may be rate-limited. The Certbot output will say "too many certificates already issued" or "too many failed authorizations"; see letsencrypt.org/docs/rate-limits for the current limits and how long to wait.

Domain doesn't exist in Nginx yet. If the subdomain was just created, Nginx must have reloaded with the new server block before the HTTP-01 challenge can be served. The Agent reloads Nginx automatically as part of creating the domain, but if that reload failed (check systemctl status nginx and nginx -t), the challenge request will get a 404 and validation fails.
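The checks from Steps 1 and 2 and the Common Causes above, collected into one diagnostic script. This is an added example and is not part of Opterius or its Agent. It assumes the Agent's systemd unit is called opterius-agent (as in the commands above), that certbot, dig, curl, journalctl and systemctl are available on the server, and that you pass the public IP the domain is supposed to resolve to as an argument (the script does not guess it from the server's interfaces, which on many cloud hosts only carry a private address). The probe path opterius-probe and the function names are the example's own.

```shell
#!/bin/sh
# ssl_pending_check.sh - added diagnostic for a certificate stuck in Pending.
# Not part of Opterius; assumes the agent unit is "opterius-agent" and that
# certbot, dig, curl, journalctl and systemctl exist on the server.

# Map one Certbot/ACME log line to the most likely cause discussed in this
# article. The phrases are the ones Let's Encrypt puts in its error detail.
classify_certbot_error() {
  case "$1" in
    *"too many certificates"*|*"too many failed authorizations"*|*"rateLimited"*)
      echo "rate-limit" ;;
    *"Timeout during connect"*|*"Connection refused"*|*"connection refused"*)
      echo "port80-blocked" ;;
    *"NXDOMAIN"*|*"No valid IP addresses found"*|*"DNS problem"*)
      echo "dns" ;;
    *"Invalid response from"*|*" 404"*)
      echo "challenge-404" ;;
    *)
      echo "unknown" ;;
  esac
}

# $1: addresses the name resolves to (whitespace/newline separated, as
#     "dig +short" prints them); $2: the address(es) this server should have.
# Succeeds if at least one resolved address is one of ours.
dns_points_here() {
  resolved="$1"; mine="$2"
  for ip in $resolved; do
    case " $mine " in *" $ip "*) return 0 ;; esac
  done
  return 1
}

# Live checks: DNS, port 80 / challenge path, Nginx, Certbot state, Agent log.
check_domain() {
  domain="$1"; expected="$2"

  echo "== DNS =="
  resolved=$(dig +short "$domain" A; dig +short "$domain" AAAA)
  echo "$domain resolves to:" $resolved
  if dns_points_here "$resolved" "$expected"; then
    echo "OK: a record points at $expected"
  else
    echo "PROBLEM: no A/AAAA record matches $expected (DNS not pointing here, or a stale AAAA)"
  fi

  echo "== HTTP-01 path on port 80 =="
  # Any HTTP status means something answered on port 80; 000 means the TCP
  # connect itself failed, which is what a cloud or OS firewall produces.
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
         "http://$domain/.well-known/acme-challenge/opterius-probe" || true)
  case "$code" in
    000) echo "PROBLEM: cannot connect to port 80 (cloud firewall / ufw / iptables)" ;;
    404) echo "OK: Nginx answered on port 80 (404 for an unknown token is expected)" ;;
    *)   echo "NOTE: port 80 reachable, HTTP $code (a redirect to HTTPS is fine; Let's Encrypt follows it)" ;;
  esac

  echo "== Nginx =="
  systemctl is-active nginx || echo "PROBLEM: nginx is not running; see: systemctl status nginx"

  echo "== Certbot state =="
  # The line after "Domains:" in certbot's output is the Expiry Date.
  certbot certificates 2>/dev/null | grep -A1 "Domains:.*$domain" \
    || echo "No certificate for $domain in certbot (issuance never completed)"

  echo "== Recent Certbot lines from the Agent journal =="
  journalctl -u opterius-agent --no-pager -n 300 | grep -i certbot | tail -n 10 \
    | while IFS= read -r line; do
        printf '[%s] %s\n' "$(classify_certbot_error "$line")" "$line"
      done
}

# Only run the live checks when a domain and its expected IP are given, e.g.:
#   sh ssl_pending_check.sh shop.example.com 203.0.113.10
if [ $# -ge 2 ]; then
  check_domain "$1" "$2"
fi
```

Run it on the server as root after the 60-second wait. A PROBLEM line under DNS or HTTP-01 is the cause to fix before clicking Issue Certificate again; an Expiry Date line under Certbot state means the certificate already exists and only the Agent needs restarting; the bracketed tag in front of each journal line is the script's guess at which Common Cause the ACME error belongs to.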

Force Re-Poll

From the Panel UI, click the domain's SSL status indicator to re-poll without re-issuing. This is safe to do at any time — it just asks the Agent for the current certificate state.

To actually retry issuance (after fixing the underlying cause), click Issue Certificate again.
