Applicable to:
- Plesk for Windows
Symptoms
- Cannot issue Let's Encrypt certificate for a domain in Plesk for Windows:
PLESK_ERROR: Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com.
The authorization token is not available at http://example.com/.well-known/acme-challenge/.
To resolve the issue, make it is possible to download the token file via the above URL.
See the related Knowledge Base article for details.
Additional error details:
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/_oRgI1kwh53Fr07VRtI-55Zj7NqY75KI5e41PCsQqow.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Detail: Invalid response from http://example.com/.well-known/acme-challenge/uxIoK_7-BjsuBu362yQ_QD5ovykddVeyKEgfEAre9P8: "\
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable
PLESK_ERROR: Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/1YlUBtqQj2_y-a27jw543sFO0SaxHxlbw_XmASO2jwI.
Details:
Type: urn:acme:error:unauthorized
Status: 403
PLESK_ERROR: The authorization token is not available at http://example.com/page1/WZHzw8e9HGAqMz-Kvu76RvNc9OiqiXZ-ee1AjTGrjkM.
The token file 'D:\domains\example.com\httpdocs\\page1\WZHzw8e9HGAqMz-Kvu76RvNc9OiqiXZ-ee1AjTGrjkM' is either unreadable or does not have the read permission.
To resolve the issue, correct the permissions on the token file to make it is possible to download it via the above URL.
- The test.txt file created in the example.com\httpdocs\.well-known\acme-challenge\ folder is not accessible in a browser at http://example.com/.well-known/acme-challenge/test.txt:
PLESK_INFO: The page cannot be displayed because an internal server error has occurred.
CONFIG_TEXT: 404 Not Found
CONFIG_TEXT: 403 Forbidden
Cause
The Let's Encrypt authorization token is handled as an ASP application because of the site's code and configuration, so it is not served as a static file.
Resolution
- Log in to the Plesk server via RDP.
- Rename the web.config file to web.config.bak in the example.com\httpdocs folder.
- Disable Microsoft ASP support and Microsoft ASP.NET support at Domains > example.com > Hosting Settings.
- Make sure the test.txt file created in the example.com\httpdocs\.well-known\acme-challenge\ folder is accessible from the Internet at http://example.com/.well-known/acme-challenge/test.txt
- Install a Let's Encrypt certificate at Domains > example.com > SSL/TLS Certificates.
- Re-enable Microsoft ASP support and Microsoft ASP.NET support.
- Rename the web.config.bak file back to web.config.
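The test.txt check from the Resolution steps, scripted in PowerShell as an added example (not part of the original article or of Plesk's tooling). The function name Test-AcmeChallengePath and the default $Domain and $DocRoot values are assumptions; the function writes a random body to test.txt, requests it over HTTP without following redirects, and reports whether IIS returned the file unchanged.

```powershell
# Added example: probe the ACME HTTP-01 challenge folder as in the test.txt step.
# Assumptions: $Domain and $DocRoot defaults are placeholders; run on the Plesk server.
function Test-AcmeChallengePath {
    param(
        [string]$Domain  = 'example.com',
        [string]$DocRoot = 'D:\domains\example.com\httpdocs'
    )
    $dir  = Join-Path $DocRoot '.well-known\acme-challenge'
    $file = Join-Path $dir 'test.txt'
    # Random body: an error page or a cached copy can never match it by accident.
    $body = [guid]::NewGuid().ToString('N')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    [System.IO.File]::WriteAllText($file, $body)

    $r = [ordered]@{
        Url = "http://$Domain/.well-known/acme-challenge/test.txt"
        Status = $null; Location = $null; BodyMatches = $false; Verdict = 'no HTTP response'
    }
    try {
        $req = [System.Net.WebRequest]::Create($r.Url)
        $req.AllowAutoRedirect = $false      # show a 301/302 instead of following it
        $req.Timeout = 10000
        try { $resp = $req.GetResponse() }
        catch {
            # 4xx/5xx arrive as WebException (possibly wrapped); keep the response.
            $ex = $_.Exception
            while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
            if (-not $ex) { throw }
            $resp = $ex.Response
        }
        if ($resp) {
            $r.Status   = [int]$resp.StatusCode
            $r.Location = $resp.Headers['Location']
            $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
            $r.BodyMatches = ($reader.ReadToEnd() -eq $body)
            $reader.Dispose(); $resp.Close()
            $r.Verdict = if ($r.Status -eq 200 -and $r.BodyMatches) { 'served as a static file' }
                elseif ($r.Status -in 301, 302) { 'redirected; see Location' }
                else { 'not served as written; check web.config and ASP/ASP.NET handling' }
        }
    }
    finally { Remove-Item -LiteralPath $file -ErrorAction SilentlyContinue }
    [pscustomobject]$r
}

Test-AcmeChallengePath | Format-List
```

Run it before and after renaming web.config and disabling ASP/ASP.NET support to see which change makes the file reachable.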
Comments
10 comments
I got as far as step #4 and could not create a Let's Encrypt certificate - only the following error:
Error: Could not issue a Let's Encrypt SSL/TLS certificate for mydomain.com. Authorization for the domain failed.
Details:
Type: urn:acme:error:tls
Status: 400
Detail: Fetching https://mydomain.com/.well-known/acme-challenge/9ll2APvcmH1uhKztKnZOx8RguxItvm7xy5ZvGgr48ME: local error: tls: no renegotiation
Hello @keith,
Please, make sure that web access to domain folder httpdocs\.well-known\acme-challenge is not being blocked by domain configuration.
For Windows server web.config configuration may be the cause, for Linux check additional directives and .htaccess files.
Also, please, try this:
If 301 redirect is enabled:
Go to Domains > example.com > Hosting Settings and perform the following steps:
Set Preferred domain to none.
Uncheck the option Permanent SEO-safe 301 redirect from HTTP to HTTPS.
If 302 redirect is enabled:
Go to Domains > example.com > Hosting Settings and perform the following steps:
Turn off domain forwarding by changing Hosting type to Hosting.
Changes to the 301 redirect option worked initially but when it came time to renew the cert again, Let's Encrypt would not renew so I tried these steps again but this time they didn't work! There is no 302 redirect for this domain. Plesk won't allow me to delete the cert (see error below). I even tried deleting it in IIS 8 but on refreshing, it returned. Of course I disabled SSL on the domain before attempting to delete. Fresh out of ideas other than the drastic step of cloning the site to another webspace and starting all over.
Unable to remove SSL/TLS certificates. One or more certificates are used by websites.
@keith elman
Please check this article https://support.plesk.com/hc/en-us/articles/115004346154-Unable-to-remove-an-SSL-certificate-from-a-domain-in-Plesk-if-SSL-TLS-support-is-disabled-One-or-more-certificates-are-used-by-websites-
This solution does not apply anymore in Plesk Obsidian, as Plesk does not use the /.well-known/ files anymore!
Instead, Plesk uses a TXT record in the DNS Zone. That is useless, because we use another Name Server, and Plesk does not act as Name Server. How to have Plesk Obsidian Windows still using the good old reliable /.well-known/ method?
@Alex Laforge,
As far as I see, you have already created a ticket for our Support Team and the issue is solved.
Hi @...,
Yes, your technical support solved the situation. In fact, for those who come to this page, you must know that, to issue certificates, Let's Encrypt servers use two types of challenges:
More information is available on this page: https://letsencrypt.org/docs/challenge-types/
I wish that this information would be more clearly displayed inside Plesk, or on the SSL-related Plesk Documentation pages.
Hello @Alex,
Glad to hear it's resolved and thank you for the feedback, I've forwarded it to the team in charge.
I just started having this issue happen on several of my sites in the last 2-3 weeks.
This workaround resolves the issue for me in Obsidian Version 18.0.28.
The site code and configuration have not changed, so is there an ETA on when an actual fix will be implemented for this?
Hello Tommy ODonnell
The issue in this article is caused by misconfiguration.
In your case, there might be a different cause. I would suggest submitting a support request to us or our partner to have a deeper look and check what happened on the server before the issue appeared.