Unable to issue a Let's Encrypt certificate: The token file is either unreadable or does not have the read permission

Applicable to:

• Plesk for Windows

Symptoms

• Installation of a Let's Encrypt certificate fails with the following error message in Plesk:

  PLESK_ERROR: Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com.
  The authorization token is not available at http://example.com/.well-known/acme-challenge/Ab87T7gZtQeJBq0C2I44O9egoe-WXTTlE-hBmdvDCHM.
  The token file 'С:\Inetpub\vhosts\example.com\.well-known\acme-challenge\Ab87T7gZtQeJBq0C2I44O9egoe-WXTTlE-hBmdvDCHM' is either unreadable or does not have the read permission.
  To resolve the issue, correct the permissions on the token file to make it is possible to download it via the above URL.
  Details:
  Type: urn:acme:error:unauthorized
  Status: 403
  Detail: Invalid response from http://example.com/.well-known/acme-challenge/Ab87T7gZtQeJBq0C2I44O9egoe-WXTTlE-hBmdvDCHM [203.0.113.2]: 500

• Optional symptoms:

  • A test .html file located in the directory С:\Inetpub\vhosts\example.com\.well-known\acme-challenge is not accessible from the Internet with the following error message in a browser:

    PLESK_INFO: HTTP Error 403.14 - Forbidden
    The page you are trying to access is secured with Secure Sockets Layer (SSL).

  • The following warning can be found at Plesk > Domains > example.com > Logs:

    PLESK_INFO: WARN [extension/letsencrypt] Cannot check the token file is readable by others

Cause

Rewrite rules to HTTPS that are enabled in domain settings prevent the challenge from happening. Issuance of a Let's Encrypt certificate works only via HTTP.

Resolution

1. Log into Plesk.

2. Go to Domains > example.com > File Manager and remove .well-known directory.

3. If custom redirect rules are configured in the web.config file, temporary rename it to web.config.orig: Click next to the web.config file > click Rename.

4. Temporary disable the option Permanent SEO-safe 301 redirect from HTTP to HTTPS at Domains > example.com > Hosting Settings:
   

5. Temporary disable the option Require SSL/TLS at Domains > example.com > IIS Settings:
   

6. Connect to the server via RDP and disable all HTTP<->HTTPS rules in IIS Manager at Server > Sites > example.com > URL Rewrite:
   

7. Install a Let's Encrypt certificate at Domains > example.com > Let's Encrypt.

8. Revert the changes that has been done on the steps 2, 3 and 4, if required.

Additional Information

Failed to issue a Let's Encrypt certificate: 404 Not Found.