Let's encrypt installation fails with 'Challenge marked as invalid' error


2017-05-26 11:55:47 UTC


2017-08-11 10:24:55 UTC


Was this article helpful?

Have more questions?

Submit a request

Let's encrypt installation fails with 'Challenge marked as invalid' error

Applicable to:

  • Plesk


Unable to install SSL certificate from Let's Encrypt extension. The following error is shown:

PLESK_ERROR: Challenge marked as invalid


Let's Encrypt cannot access its files placed in domain's directory.


Let's Encrypt creates temporary files in the depths of the domain's document root in order to create a certificate and verify that you own this domain. The following things should be checked in order to get an SSL certificate installed:

Note: Let's Encrypt gives only 6 attempts to obtain a certificate in a week for a certain domain.

  1. Make sure that the domain name resolves to the same IP address on which the domain's hosting is set up in Plesk. Apache and IIS virtual hosts are created to strictly match the hostname and IP address and, if a request for a domain comes to an IP address other than the one specified in the virtual host configuration, Let's Encrypt will be unable to verify the website and give you a certificate.

    To find out the IP address the virtual host uses, check hosting settings of the domain ( Domains > example.com > Web Hosting Access. Then, compare this IP address with the IP address the domain resolves into. In addition, try verifying the DNS record against several DNS servers, including your own (see KB article #213912165 for more information on how to trace name resolution problems):

    C:\\>nslookup example.com
    Name: example.com

    If a mismatch is found, change the DNS records or reassign the domain to correct the IP address.

  2. Make sure that the website is accessible by HTTP. Disable HTTPs redirect in Plesk > Domains > example.com > Hosting Settings.
  3. (Windows)Make sure that the option Require SSL is turned off in IIS > Server > Sites > example.com > SSL Settings.
  4. If the server contains custom rewrite rules, disable them by renaming .htaccess file or web.config.

  5. Remove custom rewrite rules from Plesk > Domains > example.com > Apache & nginx settings.
  6. Temporary move/rename website's index page if it contains special redirect code.
  7. Restore default Plesk templates if there were changes.
  8. Make sure that there is no IPv6 DNS record in Plesk > Domains > example.com > DNS Settings if it is not enabled on the domain. Remove the record or assign IPv6 address.
  9. Make sure that the option Run the website in compatibility mode for the legacy option "Separate SSL/TLS and non-SSL/TLS content is not enabled in Plesk > Tools & Settings > Domains > example.com > Hosting Settings
  10. Remove directory /var/www/vhosts/example.com/httpdocs/.well-known/
  11. Try to obtain a certificate and if successful, revert all the required changes back if required.

If the issue persists, or during the troubleshooting, the error was encountered, please check for the following available articles or search the solution in Knowledge Base :

Related HUBs

Have more questions? Submit a request


Please sign in to leave a comment.