Articles in this section

See more

Let's Encrypt certificate installation/renewal fails for a domain in Plesk: Incorrect TXT record found at _acme-challenge.example.com

Avatar
Aleksei Khikhich
Updated
Follow
Plesk for Windows Plesk for Linux kb: technical ext: le ext: sslit

Applicable to:

  • Plesk for Linux
  • Plesk for Windows

Symptoms

  • It is not possible to issue or renew the Let's Encrypt certificate in Plesk > Domains > example.com > SSL/TLS Certificates. The following error appears in Plesk UI or may be sent to the user's mailbox:

    CONFIG_TEXT: Could not renew Let's Encrypt certificates for Administrator (login admin). Please log in to Plesk and renew the certificates listed below manually. Renewal of the following Let's Encrypt certificates has failed:
    'Lets Encrypt example.com' [days to expire: 20]
    [-] *.example.com
    [-] example.com
    Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/1234567890.
    Details:
    Type: urn:ietf:params:acme:error:unauthorized
    Status: 403
    Detail: During secondary validation: Incorrect TXT record "hfNt4EcIBmAIrTBR2O7w_eUMhNSfce-ymmZP7IdYChU" found at _acme-challenge.example.com

  • The domain is using a 3rd party DNS provider and several nameservers are responsible for example.com:

For instance:

# dig +short NS example.com
ns1.example.com.
ns2.example.com.

# dig +short ns1.example.com
203.0.113.2

# dig +short ns2.example.com
203.0.113.3

Cause

The domain's nameservers contain different TXT DNS records' values:

# dig +short TXT _acme-challenge.example.com @203.0.113.2
"Yd_C08z8Lu7f3tBPL-3ePtczWllQqAiVhS2PvM_FpuA"
# dig +short TXT _acme-challenge.example.com @203.0.113.3
"hfNt4EcIBmAIrTBR2O7w_eUMhNSfce-ymmZP7IdYChU"

During the challenge, Let's Encrypt randomly chooses one of the nameservers and checks if there is a matching TXT DNS record there. In case the server with the IP address '203.0.113.3 ' is randomly chosen by Let's Encrypt and this server doesn't contain the required TXT DNS record, validation fails and the certificate will not be issued.

Resolution

  1. Log into Plesk.

  2. Install the wildcard certificate for example.com in Domains > example.com > SSL/TLS Certificates.

  3. When the instruction on how to add a DNS record on the external DNS side is provided by the SSL It! extension, update this record to all nameservers.

Note: Alternatively, use Plesk DNS server so the TXT DNS record is added/updated automatically.

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles