Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
The article provides troubleshooting steps for errors that may be shown during a Let's Encrypt certificate installation using the Let's Encrypt Plesk extension. The following errors are addressed in this article:
PLESK_ERROR: Challenge marked as invalid
PLESK_ERROR: Error: Unable to obtain Let's Encrypt SSL certificate because of failed challenge for domain "example.com"
PLESK_ERROR: Domain validation failed for example.com: Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/ExvXWHAk9uY6wdWH4MGO5s3Nul_DqwymszAC44RM33A.
PLESK_ERROR: Could not obtain directory: Invalid response: <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY> An error occurred while processing your request.<p> Reference #97.5df01202.1503333384.cd3126d </BODY></HTML> . Status: 504.
PLESK_ERROR: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
Troubleshooting Steps
Notes: This guide is intended for Plesk Onyx 17.5 and later versions.
If you are a domain owner, please contact your service provider for assistance with a Let's Encrypt certificate installation.
Let's Encrypt provides only 50 attempts to obtain an SSL certificate per week for a domain.
1. Checking domain's DNS settings
Make sure that the website resolves globally from the Internet to the same IPv4 (and IPv6, if configured on a domain registrar side) address that is set in Plesk at Domains > example.com > Web Hosting Access.
To find the global website's IP address:
-
use any online tool (for example, MxToolbox DNS Lookup for IPv4 and MxToolbox DNS Lookup IPv6 for IPv6)
OR
-
use Google DNS and the 'nslookup' utility in a command prompt of your PC/Mac:
MYSQL_LIN: nslookup <domain_name> dns.google
Example of using the 'nslookup' utilityIn this example, we are checking the global IP addresses of the website example.com:
MYSQL_LIN: nslookup example.com dns.google
Server: dns.google
Address: 8.8.4.4
Non-authoritative answer:
Name: example.com
Addresses: 2001:db8:f61:a1ff:0:0:0:80
203.0.113.2where
-
203.0.113.2 - public IPv4
-
2001:db8:f61:a1ff:0:0:0:80 - public IPv6. If IPv6 is not configured on a domain registrar side, it will not be shown in the output
-
If the IP addresses in Plesk differs from the global IP address on the Internet, apply one of the following solutions:
-
change the IP address, to which the domain resolves globally, at Domains > example.com > Web Hosting Access.
Note: If the domain is not using IPv6, make sure that IPv6 address is set to None and there are no IPv6 DNS records at Domains > example.com > DNS Settings. If such IPv6 records exist, remove them.
OR
-
change the IP address on a domain registrar side to the one that is specified in Plesk.
2. Checking the website availability
Once you have verified that the IP addresses match:
2.1. Website availability
Make sure that the website is accessible and browsable from the Internet (no 4xx and 5xx errors). If the website is showing a default Plesk page, create a test.txt file at Domains > example.com > File Manager and put some text into it. Then open this file in a web-browser at example.com/test.txt and make sure it is accessible from the Internet. If the file is not accessible, check website's configuration.
2.2. Additional steps for Plesk on Windows Server (if Plesk is installed on Linux, move to step 3)
Go to Domains > example.com > File Manager and:
-
disable custom rewrite rules in
web.config, if there are any. -
disable Microsoft ASP support and Microsoft ASP.NET support at Domains > example.com > Hosting Settings.
-
create a test.txt file in the
\.well-known\acme-challenge\folder (where Let's Encrypt stores its temporary files) and put some text into it. Then open this file in a web-browser at http://example.com/.well-known/acme-challenge/test.txt and make sure it is accessible from the Internet. If the file is not accessible, check website's configuration.
3. Disabling compatibility mode
If the domain has been migrated from legacy Plesk versions, make sure that the Run the website in compatibility mode for the legacy option "Separate SSL/TLS and non-SSL/TLS content" option is not enabled at Tools & Settings > Domains > example.com > Hosting Settings.
Comments
19 comments
Helpful
You can also create a link from httpsdocs/.well-known to httpdocs/.well-known and keep option 'Run the website in compatibility mode for the legacy option "Separate SSL/TLS and non-SSL/TLS content"' enabled. This solved issue "The authorization token is not available at https://domain.tld/.well-known/acme-challenge/*** . To resolve the issue, make it is possible to download the token file via the above URL.".
We also had a problem renewing the Let's Encrypt certificates. This was because we where having a URL rewrite rule that automatically redirected all requests from HTTP to HTTPS, As written above "Let's Encrypt creates temporary files in the depths of the domain's document root in order to create a certificate and verify that you own this domain". This temporary folder is named ".well-known". We excluded this folder from the rewrite rule, now Plesk Let's Encrypt extension is working properly. So add an exclude and it will work, you don't need to use all suggestions ass written above.
@QiQQ correct. the same is briefly described in 6 step
@.
Hello there,
Thanks for sharing a feedback.
Also doesn't work if Docker Proxy rules are setup. Unfortunately this breaks the auto-renewal. Would be nice to see alternative authentication methods supported (i.e. DNS)
@Moritz Kornher
Thank you for sharing such case.
Features regarding Let's Encrypt may be suggested here at Let's Encrypt official website.
Hi @Ivan
I trust you already know that let's encrypt supports a DNS challenge and that in fact DNS-01 is the only way to validate wildcard domains.
So just to be clear, this is a let's encrypt feature that is already available but the Plesk plugin does not support.
@Moritz Kornher
Yes, indeed, Let's Encrypt wildcard certificates are issued using DNS challenge.
This feature will be released in future updates of Let's Encrypt extension. Plesk developers are working on update.
All suggestions about additional required Plesk functionality may be left here.
These resolutions did not fix my problems (400 error). I've accomplished everything from this page.
I have 3 other domains protected using the LetsEncrypt cert plugin, so I know it works, I just cannot find the issue with this domain. I also tried a CloudFlare SSL and that also shows that it's not valid. I've renamed the .htaccess, I've remmed the rewrite rules within Plesk - seriously everything I can find.
If anyone else has any other potential fixes, I'm all ears.
Also at the top of this article it says only 6 attempts per week - I've read other places that it's 5 attempts per hour. Which is true?
@Douglas Kelly,
Hello! If this article did not help and there is no other article in our Knowledgebase which may help you, I can suggest contacting Plesk support according to the following article: https://support.plesk.com/hc/en-us/articles/213608509
Hello,
when I want to issue the ssl for just a domain the following error is shown:
Error: Could not issue a Let's Encrypt SSL/TLS certificate for mydomain.com.
Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/challenge/82wRRjsp4gIjvsvzsCnDdRJg2ZU9pPMu0jl49-7J73k/17801667041.
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: User account ID doesn't match account ID in authorization
other domains have not any problem and ssl is issued as well. just for a domain I have this problem.
How can I solve this issue?
Hello @SE,
The issue should be on Let's Encrypt databases side but we have a solution.
1. Connect to the server via SSH
2. Find the corresponding JSON files using the following commands. Use actual domain name and issuer email address:
# grep -r "john_doe@example.com" /usr/local/psa/var/modules/letsencrypt/registrations
# grep -r "example.com" /usr/local/psa/var/modules/letsencrypt/orders
3. Remove the json files founded on step 2
4. Install Let's Encrypt certificate
Hello @Vladimir Chernikov
Thank you for your solution but my server is windows.
I finally solved the issue :)
thanks to @Vladimir Chernikov
1- go to the the following path:
C:\Program Files (x86)\Plesk\var\modules\letsencrypt\orders
2- Find the file that includes your domain log. you can note to modify date to find that.
3- Remove the file you founded in step2.
4- Install let's Encrypt certificate again.
Hi @SE,
Thank you for letting us know.
This information may be useful for Pleskians.
Hello,
Even though SSL is disabled under Hosting Settings, Certificate: Not selected and SSL certificate Let's Encrypt is deleted, but many errors can still be seen in panel.log: Invalid response from http://xxx.com/.well-known/acme -challenge/cceIRPm...
Why does Plesk still try to renew or enable certificates even though everything is disabled with SSL and Let's Encrypt is no longer installed for xxx.com domain?
Thousands of files are in a few days / weeks, in the directory /acme-challenge/.
this is unnecessary disk space and resource allocations.
@Gjimi
Please refer to the following article: https://support.plesk.com/hc/en-us/articles/115004383334-Let-s-Encrypt-notification-are-still-sent-after-a-domain-was-deleted
@Vladimir Chernikov should have his answer added to the top... thank you!!
Please sign in to leave a comment.