Unable to install SSL certificate from Let's Encrypt extension. The following error is shown:
PLESK_ERROR: Challenge marked as invalid
PLESK_ERROR: Error: Unable to obtain Let's Encrypt SSL certificate because of failed challenge for domain "example.com"
PLESK_ERROR: Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/ExvXWHAk9uY6wdWH4MGO5s3Nul_DqwymszAC44RM33A.
Let's Encrypt cannot access the files it placed in the domain's directory.
To issue a certificate, Let's Encrypt creates temporary files deep inside the domain's document root and uses them to verify that you own the domain. Check the following to get an SSL certificate installed:
Note: Let's Encrypt allows only 6 attempts per week to obtain a certificate for a given domain.
Make sure that the domain name resolves to the same IP address on which the domain's hosting is set up in Plesk. Apache and IIS virtual hosts are created to strictly match the hostname and IP address and, if a request for a domain comes to an IP address other than the one specified in the virtual host configuration, Let's Encrypt will be unable to verify the website and give you a certificate.
To find out which IP address the virtual host uses, check the hosting settings of the domain (Domains > example.com > Web Hosting Access). Then compare this IP address with the IP address the domain resolves to. In addition, verify the DNS record against several DNS servers, including your own (see KB article #213912165 for more information on how to trace name resolution problems):
C:\> nslookup example.com
If a mismatch is found, change the DNS records or reassign the domain to correct the IP address.
- Make sure that the website is accessible over HTTP. Disable the HTTPS redirect in Plesk > Domains > example.com > Hosting Settings.
- (Windows) Make sure that the option Require SSL is turned off in IIS > Server > Sites > example.com > SSL Settings.
- Use the Webserver Configuration Troubleshooter extension to make sure that there are no problems with the vhost configuration files.
- The domain should have a DNS A record for the main name, without the www prefix.
If the server contains custom rewrite rules, disable them by renaming
- Remove custom rewrite rules from Plesk > Domains > example.com > Apache & nginx settings.
- Temporarily move or rename the website's index page if it contains special redirect code.
- Restore default Plesk templates if there were changes.
- Make sure that there is no IPv6 DNS record in Plesk > Domains > example.com > DNS Settings if IPv6 is not enabled on the domain. Remove the record or assign an IPv6 address.
- Make sure that the option Run the website in compatibility mode for the legacy option "Separate SSL/TLS and non-SSL/TLS content" is not enabled in Plesk > Tools & Settings > Domains > example.com > Hosting Settings.
- Remove directory
- Try to obtain a certificate and, if successful, revert the changes made during troubleshooting where required.
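
Because only a few attempts per week are allowed, it helps to run the DNS and HTTP checks from the list above before requesting the certificate again. The script below is an added example, not part of Plesk or the Let's Encrypt extension; the function names, the domain and the hosting IP are assumptions to be replaced with your own values.

```python
import http.client
import ipaddress
import socket

def resolve(host):
    """Return every address the local resolver gives for host (A and AAAA)."""
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def probe_http(host, path="/", timeout=10):
    """Plain-HTTP GET without following redirects: (status, Location header)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def diagnose(hosting_ips, resolved, status, location):
    """Map the checklist above onto observed DNS and HTTP results."""
    hosting = {ipaddress.ip_address(ip) for ip in hosting_ips}
    findings = []
    if not resolved:
        findings.append("no DNS record: the domain does not resolve")
    for addr in map(ipaddress.ip_address, resolved):
        if addr in hosting:
            continue
        if addr.version == 6 and not any(ip.version == 6 for ip in hosting):
            findings.append(f"IPv6 record {addr} but no IPv6 address assigned to the domain")
        else:
            findings.append(f"DNS points to {addr}, not to the hosting IP")
    if status in (301, 302, 303, 307, 308) and (location or "").lower().startswith("https://"):
        findings.append("HTTP is redirected to HTTPS: disable the redirect")
    return findings

if __name__ == "__main__":
    # Assumed values and illustrative names (not Plesk code): use your domain and its hosting IP.
    domain, hosting_ips = "example.com", ["203.0.113.10"]
    try:
        status, location = probe_http(domain)
    except OSError as exc:
        status, location = None, None
        print(f"site not reachable over HTTP: {exc}")
    for line in diagnose(hosting_ips, resolve(domain), status, location) or ["no problems found"]:
        print(line)
```

The script only sees what the local resolver returns, so repeat the check against several DNS servers as described above.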
If the issue persists, or if another error was encountered during troubleshooting, check the following articles or search the Knowledge Base for a solution:
- Unable to install Let's Encrypt SSL certificate on LiteSpeed web server: Invalid response: 502 Bad Gateway
- Error while installing Let's Encrypt certificate on Umbraco CMS: Could not connect to example.com
- Unable to install Let's Encrypt SSL Certificate for domain: Invalid response 503
#115001463089 [HUB] 502 Bad Gateway
#115001611805 [HUB] 504 Gateway Timeout
#115001745365 [HUB] 99: Cannot assign requested address and AH00072: make_sock: could not bind to address
#115001874705 [HUB] 403 Forbidden
#213415429 [HUB] Unable to login to Plesk
#115002107425 [HUB] 503 Service Unavailable