Articles in this section

See more

Troubleshooting failed certificate installation in Plesk Let's Encrypt extension

Avatar
Alexandr Tumanov
Updated
Follow

Applicable to:

  • Plesk Onyx for Linux
  • Plesk Onyx for Windows

Warning: Firstly, update the extension to the latest version according to How to update Plesk extensions. If there are no menus like Tools & Settings in Plesk installation, contact server's administrator or hosting provider's support for help, this means that account access is limited.

General information

The article provides troubleshooting steps for errors that may be shown during Let's Encrypt certificate installation using Plesk Let's Encrypt extension. Errors may be different, one of the following errors might be shown:

PLESK_ERROR: Challenge marked as invalid

PLESK_ERROR: Error: Unable to obtain Let's Encrypt SSL certificate because of failed challenge for domain "example.com"

PLESK_ERROR: Domain validation failed for example.com: Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/ExvXWHAk9uY6wdWH4MGO5s3Nul_DqwymszAC44RM33A.

PLESK_ERROR: Could not obtain directory: Invalid response: <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY> An error occurred while processing your request.<p> Reference&#32;&#35;97&#46;5df01202&#46;1503333384&#46;cd3126d </BODY></HTML> . Status: 504.

PLESK_ERROR: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.

Troubleshooting steps

The following things should be checked in order to get an SSL certificate installed:

Note: Let's Encrypt gives only 50 attempts to obtain a certificate in a week for a certain domain.

  1. Make sure that the domain is accessible through the internet.
  2. Make sure that the domain name resolves into the IP address which is set for the domain in Plesk hosting. Apache and IIS virtual hosts are created to strictly match the hostname and IP address. If a request for a domain comes to an IP address other than the one specified in the virtual host configuration, Let's Encrypt is unable to verify the website and give a certificate.
    To find out the IP address the virtual host uses, check hosting settings of the domain at Domains > example.com > Web Hosting Access. Then compare this IP address with the IP address the domain resolves into using any 3rd-party service like http://get-site-ip.com
    If a mismatch is found, change the DNS records or reassign the domain to correct the IP address. Contact hosting provider's or domain registrar's support if required.
  3. Domain should have a DNS A record for the main name, without www prefix in Plesk > Domains > example.com > DNS Settings
  4. If the server contains custom rewrite rules, disable them by renaming .htaccess file or web.config. Also, remove custom rewrite rules from Plesk > Domains > example.com > Apache & nginx settings.
  5. Temporarily move/rename website's index page if it contains special redirect code.
  6. If IPv6 is not enabled for the domain, make sure that there is no IPv6 DNS record in Plesk > Domains > example.com > DNS Settings. Remove the record or assign an IPv6 address.
  7. Make sure that the Run the website in compatibility mode for the legacy option "Separate SSL/TLS and non-SSL/TLS content Plesk > Domains > example.com > DNS Settings option is not enabled in Plesk > Tools & Settings > Domains > example.com > Hosting Settings
  8. Try to obtain a certificate. In case of success, revert all the required changes back, if required.

Additional steps:

  • Remove httpdocs/.well-known/ directory if exists at Plesk - Domains > example.com > File Manager as it may have incorrect permissions.
  • Restore default Plesk templates if they were customized.
  • Disable Permanent SEO-safe 301 redirect from HTTP to HTTPS option from Domains > example.com > Hosting Settings, and re-issue Let's Encrypt certificate.

Related HUBs

Comments

11 comments

Sort by Date Votes
  • Avatar
    Sean Owen

    Helpful

     

    0
    Permalink
  • Avatar
    .

    You can also create a link from httpsdocs/.well-known to httpdocs/.well-known and keep option 'Run the website in compatibility mode for the legacy option "Separate SSL/TLS and non-SSL/TLS content"' enabled. This solved issue "The authorization token is not available at https://domain.tld/.well-known/acme-challenge/*** . To resolve the issue, make it is possible to download the token file via the above URL.".

    0
    Permalink
  • Avatar
    QiQQ

    We also had a problem renewing the Let's Encrypt certificates. This was because we where having a URL rewrite rule that automatically redirected all requests from HTTP to HTTPS, As written above "Let's Encrypt creates temporary files in the depths of the domain's document root in order to create a certificate and verify that you own this domain". This temporary folder is named ".well-known". We excluded this folder from the rewrite rule, now Plesk Let's Encrypt extension is working properly. So add an exclude and it will work, you don't need to use all suggestions ass written above.

    0
    Permalink
  • Avatar
    Lev Iurev

    @QiQQ correct. the same is briefly described in 6 step

    0
    Permalink
  • Avatar
    Yulia Plokhotnikova

    @.

    Hello there,

    Thanks for sharing a feedback.

    0
    Permalink
  • Avatar
    Moritz Kornher

    Also doesn't work if Docker Proxy rules are setup. Unfortunately this breaks the auto-renewal. Would be nice to see alternative authentication methods supported (i.e. DNS)

    1
    Permalink
  • Avatar
    Ivan Postnikov

    @Moritz Kornher

    Thank you for sharing such case.

    Features regarding Let's Encrypt may be suggested here at Let's Encrypt official website.

    -1
    Permalink
  • Avatar
    Moritz Kornher

    Hi @Ivan
    I trust you already know that let's encrypt supports a DNS challenge and that in fact DNS-01 is the only way to validate wildcard domains.
    So just to be clear, this is a let's encrypt feature that is already available but the Plesk plugin does not support.

    0
    Permalink
  • Avatar
    Ivan Postnikov

    @Moritz Kornher

    Yes, indeed, Let's Encrypt wildcard certificates are issued using DNS challenge.

    This feature will be released in future updates of Let's Encrypt extension. Plesk developers are working on update.

    All suggestions about additional required Plesk functionality may be left here.

     

    0
    Permalink
  • Avatar
    Douglas Kelly

    These resolutions did not fix my problems (400 error). I've accomplished everything from this page.

    I have 3 other domains protected using the LetsEncrypt cert plugin, so I know it works, I just cannot find the issue with this domain. I also tried a CloudFlare SSL and that also shows that it's not valid. I've renamed the .htaccess, I've remmed the rewrite rules within Plesk - seriously everything I can find. 

    If anyone else has any other potential fixes, I'm all ears. 

    Also at the top of this article it says only 6 attempts per week - I've read other places that it's 5 attempts per hour. Which is true?

    0
    Permalink
  • Avatar
    Artyom Baranov

    @Douglas Kelly,

    Hello! If this article did not help and there is no other article in our Knowledgebase which may help you, I can suggest contacting Plesk support according to the following article: https://support.plesk.com/hc/en-us/articles/213608509

    0
    Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles