- Plesk for Linux
- Plesk for Windows
The article provides troubleshooting steps for errors that may be shown during a Let's Encrypt certificate installation using the Let's Encrypt Plesk extension. The following errors are addressed in this article:
PLESK_ERROR: Challenge marked as invalid
PLESK_ERROR: Error: Unable to obtain Let's Encrypt SSL certificate because of failed challenge for domain "example.com"
PLESK_ERROR: Domain validation failed for example.com: Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/ExvXWHAk9uY6wdWH4MGO5s3Nul_DqwymszAC44RM33A.
PLESK_ERROR: Could not obtain directory: Invalid response: <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY> An error occurred while processing your request.<p> Reference #97.5df01202.1503333384.cd3126d </BODY></HTML> . Status: 504.
PLESK_ERROR: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
Notes:
- This guide is intended for Plesk Onyx 17.5 and later versions.
- If you are a domain owner, please contact your service provider for assistance with a Let's Encrypt certificate installation.
- Let's Encrypt provides only 50 attempts to obtain an SSL certificate per week for a domain.
1. Checking domain's DNS settings
Make sure that the website resolves globally from the Internet to the same IPv4 (and IPv6, if configured on the domain registrar's side) address that is set in Plesk at Domains > example.com > Web Hosting Access.
To find the website's global IP address, use Google DNS and the 'nslookup' utility in a command prompt on your PC/Mac:
nslookup <domain_name> dns.google
If the IP address in Plesk differs from the global IP address on the Internet, apply one of the following solutions:
- Set the IP address at Domains > example.com > Web Hosting Access to the one to which the domain resolves globally.
  Note: If the domain is not using IPv6, make sure that the IPv6 address is set to None and there are no IPv6 DNS records at Domains > example.com > DNS Settings. If such IPv6 records exist, remove them.
- Change the IP address on the domain registrar's side to the one that is specified in Plesk.
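The comparison from step 1 can be scripted. The following is an added example, not part of the original article or of Plesk: it parses the output of the nslookup command shown above and reports A/AAAA answers that differ from the addresses set in Plesk. The function names, the sample output and the documentation addresses are constructed for illustration.

```python
import ipaddress
import subprocess
import sys

# Constructed sample of `nslookup example.com dns.google` output (documentation addresses).
SAMPLE = """Server:\t\tdns.google
Address:\t8.8.8.8#53

Non-authoritative answer:
Name:\texample.com
Address: 203.0.113.10
Name:\texample.com
Address: 2001:db8::10
"""

def parse_nslookup(output):
    """Return (IPv4 set, IPv6 set) from the answer section, skipping the resolver's own address."""
    v4, v6 = set(), set()
    # Answers follow the first "Name:" line; the resolver's address precedes it.
    for token in output.partition("Name:")[2].split():
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # host names and labels such as "Address:"
        (v4 if ip.version == 4 else v6).add(str(ip))
    return v4, v6

def diagnose(v4, v6, plesk_v4, plesk_v6=None):
    """Compare public answers with Web Hosting Access; plesk_v6=None means IPv6 is set to None."""
    problems = []
    if v4 != {str(ipaddress.ip_address(plesk_v4))}:
        problems.append(f"A records {sorted(v4)} differ from Plesk IPv4 {plesk_v4}")
    expected_v6 = {str(ipaddress.ip_address(plesk_v6))} if plesk_v6 else set()
    # AAAA records matter only when they exist publicly: a stray one fails validation.
    if v6 and v6 != expected_v6:
        problems.append(f"AAAA records {sorted(v6)} differ from Plesk IPv6 {plesk_v6}")
    return problems

# Usage: python3 check_dns.py DOMAIN PLESK_IPV4 [PLESK_IPV6]
if __name__ == "__main__" and len(sys.argv) >= 3:
    domain, plesk_v4, plesk_v6 = (sys.argv[1:4] + [None])[:3]
    out = subprocess.run(["nslookup", domain, "dns.google"],
                         capture_output=True, text=True).stdout
    for problem in diagnose(*parse_nslookup(out), plesk_v4, plesk_v6) or ["DNS matches Plesk"]:
        print(problem)
```

An empty result from diagnose() means the public records match Plesk and the check can move on to step 2.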
2. Checking the website availability
Once you have verified that the IP addresses match:
2.1. Website availability
Make sure that the website is accessible and browsable from the Internet (no 4xx and 5xx errors). If the website is showing a default Plesk page, create a test.txt file at Domains > example.com > File Manager and put some text into it. Then open this file in a web browser at example.com/test.txt and make sure it is accessible from the Internet. If the file is not accessible, check the website's configuration.
2.2. Additional steps for Plesk on Windows Server (if Plesk is installed on Linux, move to step 3)
2.2.1. Go to Domains > example.com > IIS Settings and disable the option Require SSL/TLS.
2.2.2. Go to Domains > example.com > File Manager and:
- disable custom rewrite rules in web.config, if there are any.
- disable Microsoft ASP support and Microsoft ASP.NET support at Domains > example.com > Hosting Settings.
- create a test.txt file in the \.well-known\acme-challenge\ folder (where Let's Encrypt stores its temporary files) and put some text into it. Then open this file in a web browser at http://example.com/.well-known/acme-challenge/test.txt and make sure it is accessible from the Internet over HTTP without the www prefix. If the file is not accessible, check the website's configuration.
3. Disabling compatibility mode
If the domain has been migrated from legacy Plesk versions, make sure that the option Run the website in compatibility mode for the legacy option "Separate SSL/TLS and non-SSL/TLS content" is not enabled at Tools & Settings > Domains > example.com > Hosting Settings.