Unable to renew Let's Encrypt certificate in Plesk: 403 Forbidden

Symptoms

• Let's Encrypt certificates fails to be issues or auto-renewed with the following error in Plesk UI:

  PLESK_ERROR: Status: 403
  Detail:
  <head><title>403 Forbidden</title></head>
  <body bgcolor="white">
  <center><h1>403 Forbidden</h1></center>
  <hr><center>"

• Deny directive is set in additional nginx or Apache directives in Domains > example.com > Apache & nginx Settings, e.g:

  CONFIG_TEXT: location ~ /\. {
  deny all;
  }

• The following entries appear in /var/www/vhosts/system/example.com/logs/proxy_error_log :

  CONFIG_TEXT: [error] 11940#0: *46281 access forbidden by rule, client: 203.0.113.2, server: example.com, request: "GET /.well-known/assetlinks.json HTTP/1.1", host: "example.com"

Cause

Communication between website and Let's Encrypt servers is prevented by restrictive web server settings.

Resolution

1. Log into Plesk.

2. Open Domains > example.com > Apache & nginx Settings:

   • Temporary remove deny directives from Additional Apache directives and Additional Nginx directives.

   • Set Deny access to the site to Default under Common Apache settings: