Troubleshooting failed Let's Encrypt certificate installations for a domain in Plesk

Comments

21 comments

  • Sean Owen

    Helpful

     

    0
  • DHH-SI

    You can also create a link from httpsdocs/.well-known to httpdocs/.well-known and keep option 'Run the website in compatibility mode for the legacy option "Separate SSL/TLS and non-SSL/TLS content"' enabled. This solved issue "The authorization token is not available at https://domain.tld/.well-known/acme-challenge/*** . To resolve the issue, make it is possible to download the token file via the above URL.".

    0
  • QiQQ

    We also had a problem renewing the Let's Encrypt certificates. This was because we were having a URL rewrite rule that automatically redirected all requests from HTTP to HTTPS. As written above, "Let's Encrypt creates temporary files in the depths of the domain's document root in order to create a certificate and verify that you own this domain". This temporary folder is named ".well-known". We excluded this folder from the rewrite rule, and now the Plesk Let's Encrypt extension is working properly. So add an exclude and it will work; you don't need to use all the suggestions as written above.

    0
  • Lev Iurev

    @QiQQ Correct. The same is briefly described in step 6.

    0
  • Yulia Plokhotnikova

    @.

    Hello there,

    Thanks for sharing your feedback.

    0
  • Moritz Kornher

    Also doesn't work if Docker Proxy rules are set up. Unfortunately this breaks the auto-renewal. Would be nice to see alternative authentication methods supported (i.e. DNS).

    1
  • Ivan Postnikov

    @Moritz Kornher

    Thank you for sharing this case.

    Features regarding Let's Encrypt may be suggested here at Let's Encrypt official website.

    -1
  • Moritz Kornher

    Hi @Ivan
    I trust you already know that Let's Encrypt supports a DNS challenge and that in fact DNS-01 is the only way to validate wildcard domains.
    So just to be clear, this is a Let's Encrypt feature that is already available but that the Plesk plugin does not support.

    0
  • Ivan Postnikov

    @Moritz Kornher

    Yes, indeed, Let's Encrypt wildcard certificates are issued using DNS challenge.

    This feature will be released in future updates of the Let's Encrypt extension. Plesk developers are working on the update.

    All suggestions about additional required Plesk functionality may be left here.

     

    0
  • Douglas Kelly

    These resolutions did not fix my problems (400 error). I've accomplished everything from this page.

    I have 3 other domains protected using the LetsEncrypt cert plugin, so I know it works, I just cannot find the issue with this domain. I also tried a CloudFlare SSL and that also shows that it's not valid. I've renamed the .htaccess, I've remmed the rewrite rules within Plesk - seriously everything I can find. 

    If anyone else has any other potential fixes, I'm all ears. 

    Also at the top of this article it says only 6 attempts per week - I've read other places that it's 5 attempts per hour. Which is true?

    0
  • Artyom Baranov

    @Douglas Kelly,

    Hello! If this article did not help and there is no other article in our Knowledgebase which may help you, I can suggest contacting Plesk support according to the following article: https://support.plesk.com/hc/en-us/articles/213608509

    0
  • SE

    Hello,

    When I want to issue the SSL for just a domain, the following error is shown:

    Error: Could not issue a Let's Encrypt SSL/TLS certificate for mydomain.com.
    Details
    Invalid response from https://acme-v02.api.letsencrypt.org/acme/challenge/82wRRjsp4gIjvsvzsCnDdRJg2ZU9pPMu0jl49-7J73k/17801667041.
    Details:
    Type: urn:ietf:params:acme:error:unauthorized
    Status: 403
    Detail: User account ID doesn't match account ID in authorization

     

    Other domains do not have any problem and SSL is issued as well. I have this problem for just one domain.

     

    How can I solve this issue?

    0
  • Vladimir Chernikov

    Hello @SE,

    The issue should be on Let's Encrypt databases side but we have a solution.

    1. Connect to the server via SSH
    2. Find the corresponding JSON files using the following commands. Use actual domain name and issuer email address:
    # grep -r "john_doe@example.com" /usr/local/psa/var/modules/letsencrypt/registrations
    # grep -r "example.com" /usr/local/psa/var/modules/letsencrypt/orders
    3. Remove the JSON files found in step 2
    4. Install Let's Encrypt certificate

    2
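
Steps 2 and 3 of the comment above, as an added example that is not part of the original comment and is not Plesk tooling: it lists the matching files first and then moves them to a backup directory instead of deleting them. The function names and the backup directory are assumptions; the base path is the one quoted in the comment.

```shell
#!/bin/sh
# Added example, not Plesk tooling. LE_BASE defaults to the directory given in
# the comment above; function names and the backup directory are assumptions.
LE_BASE="${LE_BASE:-/usr/local/psa/var/modules/letsencrypt}"

# List files under orders/ that mention the domain and files under
# registrations/ that mention the issuer e-mail.
# -F matches the strings literally (the dot in "example.com" is not a regex
# wildcard), -l prints file names only. Matching is still by substring, so
# "example.com" also finds "sub.example.com": review the list before moving.
le_find_state() {
    domain=$1
    email=$2
    [ -n "$domain" ] && [ -n "$email" ] || return 2
    [ -d "$LE_BASE/orders" ] && [ -d "$LE_BASE/registrations" ] || return 1
    {
        grep -rlF -- "$domain" "$LE_BASE/orders" || :
        grep -rlF -- "$email" "$LE_BASE/registrations" || :
    } | sort -u
}

# Move the listed files into a backup directory, keeping their relative paths,
# so the step can be undone. Prints the number of files moved.
le_quarantine_state() {
    backup=$3
    [ -n "$backup" ] || return 2
    list=$(le_find_state "$1" "$2") || return $?
    count=0
    [ -n "$list" ] || { echo "$count"; return 0; }
    while IFS= read -r f; do
        rel=${f#"$LE_BASE"/}
        mkdir -p "$backup/$(dirname "$rel")" || return 1
        mv -- "$f" "$backup/$rel" || return 1
        count=$((count + 1))
    done <<EOF
$list
EOF
    echo "$count"
}

# Usage (as root, on the Plesk server):
#   le_find_state example.com john_doe@example.com
#   le_quarantine_state example.com john_doe@example.com /root/le-state-backup
```

Moving the files back from the backup directory restores the previous state if the reissue does not help.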
  • SE

    Hello @Vladimir Chernikov

    Thank you for your solution but my server is windows.

    0
  • SE

    I finally solved the issue :)

    thanks to @Vladimir Chernikov

     

    1- Go to the following path:

    C:\Program Files (x86)\Plesk\var\modules\letsencrypt\orders

    2- Find the file that includes your domain log. You can check the modified date to find it.

    3- Remove the file you found in step 2.

    4- Install the Let's Encrypt certificate again.

    0
  • Ivan Postnikov

    Hi @SE,

    Thank you for letting us know.

    This information may be useful for Pleskians.

    1
  • Gjimi

    Hello,

    Even though SSL is disabled under Hosting Settings, Certificate: Not selected and SSL certificate Let's Encrypt is deleted, many errors can still be seen in panel.log: Invalid response from http://xxx.com/.well-known/acme-challenge/cceIRPm...


    Why does Plesk still try to renew or enable certificates even though everything is disabled with SSL and Let's Encrypt is no longer installed for xxx.com domain?

    Thousands of files appear within a few days / weeks in the directory /acme-challenge/.
    This is unnecessary disk space and resource allocation.

    0
  • Alisa Kasyanova

    @Gjimi

    Please refer to the following article: https://support.plesk.com/hc/en-us/articles/115004383334-Let-s-Encrypt-notification-are-still-sent-after-a-domain-was-deleted

    0
  • MTI Business Solutions Ltd.

    @Vladimir Chernikov should have his answer added to the top... thank you!!

    0
  • Mike Manning

    Hi guys,

    I just installed the latest 18.0.23 Onyx and it said that:
    Webmail for domains with no physical hosting can now be secured with SSL/TLS certificates.

     

    I have a few domains where we host email only; however, the website is with WIX or another provider. I've tried everything to try and secure webmail + mail but for some reason it's still trying to add the Let's Encrypt for the main domain? I've made sure that hosting type is set to no hosting. Is this a bug or am I doing something wrong? It'd be nice to be able to set up Let's Encrypt so clients can use mail.domainname.tld for their incoming/outgoing server.


    Could not issue an SSL/TLS certificate for domain.tld
    Details

    Could not request a Let's Encrypt SSL/TLS certificate for domain.tld.

    Go to http://domain.tld/.well-known/acme-challenge/ANhoQQFCixWeUioV4I6irmluL_yJfU_9OLh6Brr7cH8
    and сheck if the authorization token is available.
    If it is, try to request the certificate again. If the token is not available, there may be an issue with your DNS configuration.
    Your domain in Plesk is hosted on the IP address(es): x.x.x.x, but the DNS challenge used another IP: y.y.y.y.
    Make sure that the IP address(es) specified in the domain's DNS zone match the IP address(es) the domain is hosted on.
    If it does not help or if you cannot find an issue with your DNS configuration, use this KB article for troubleshooting.

    Cheers, Mike

    0
  • Bulat Tsydenov

    @Mike Manning
    Hi,
    The feature introduced in Plesk Obsidian 18.0.23 to which you are referring means that it is now possible to assign an SSL certificate to a webmail on a domain in Plesk without hosting. In other words, it is now possible to upload your own certificate for domains without hosting and then assign them to webmail.

    This feature does not mean that it is now possible to issue a Let's Encrypt certificate for a domain without hosting; that is yet to be implemented.

    0