Applicable to:
- Plesk Obsidian for Windows
Symptoms
- On a Windows server, Plesk Obsidian 18.0.26 or newer is installed.
- Issuing a Let’s Encrypt certificate in the menu Domains > example.com > SSL/TLS Certificates > Install > Get it free fails:

  Could not access the following file or directory: 'C:\Program Files (x86)\Plesk\var\acme-challenge/web.config'.
  Please make sure that the domain's system user has read and write access to this file or directory.

  The authorization token is not available at http://example.com/.well-known/acme-challenge/qgU4e7ba4V7Tk69t4hYIYm09LJHktMaJIhPIngrOYFM.
  To resolve the issue, make sure that the token file can be downloaded via the above URL.

- The following messages can be found in the log file %plesk_dir%admin\logs\php_error.log with the debug mode enabled:

  DEBUG [extension/sslit] Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/5298134528.
  Details:
  Type: urn:ietf:params:acme:error:unauthorized
  Status: 403
  Detail: Invalid response from http://example.com/.well-known/acme-challenge/ABCdE012_DRzM2ChDDWcqHwjZ5FORmnopq543210XYZ
  [203.0.113.2]: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r\n<html
  xmlns="http"
  INFO [extension/sslit] The count of the notifications which are waiting
  to be sent: 143.

- Unable to secure (renew) Plesk interface with Let's Encrypt certificate in the menu Tools & Settings > SSL/TLS Certificates > Let's Encrypt:

  Could not request a Let's Encrypt SSL/TLS certificate for hostname.com
  Go to http://hostname.com/.well-known/acme-challenge/HNYz-pKf-JtRgX-1gIFl2VrK2inUQs2uwIPWJuYnN3g and сheck if the authorization token is available.
  If it is, try to request the certificate again. If the token is not available, there may be an issue with your DNS configuration.
  Your domain in Plesk is hosted on the IP address(es): , but the DNS challenge used another IP: 203.0.113.2
Cause
The Common Challenge Directory is misconfigured.
The next time the issue happens, create a 3rd-line request to identify the root cause.
Resolution
Apply the following steps:
- Connect to the server via RDP.
- Go to IIS > Sites and find the Default Web Site site. If it does not exist, create it by clicking Add Website..., configure it as follows, and click OK:
  - Site name: Default Web Site
  - Application pool: DefaultAppPool
  - Physical path: %plesk_vhosts%default\htdocs
  - Binding type: http
  - IP address: All Unassigned
  - Port: 80
  - Hostname: <EMPTY>
  - Start Website immediately: Enabled
- Go to IIS > Sites and find the acme-challenge site. If it exists, delete it by right-clicking it and clicking Remove.
- Copy the file %plesk_dir%etc\acme-challenge.config to the folder %plesk_dir%var\acme-challenge.
- Rename the file %plesk_dir%var\acme-challenge\acme-challenge.config to %plesk_dir%var\acme-challenge\web.config.
- Restore the acme-challenge site:

  C:\> plesk sbin websrvmng --add-acme-challenge-site --configure-proxy

- Run the command below to set the correct permissions for the Common Challenge Directory:

  C:\> plesk repair --directory-permissions -directory "%plesk_dir%var"

- Disable and re-enable Common Challenge Directory:

  C:\> plesk ext sslit --common-challenge-dir -disable
  C:\> plesk ext sslit --common-challenge-dir -enable
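
To confirm the result of the steps above before requesting the certificate again, the following PowerShell script checks the state they should leave behind. It is an added example, not part of the original article or of Plesk. It assumes that the %plesk_dir% environment variable is set, that the IIS WebAdministration module is available, and that files placed in %plesk_dir%var\acme-challenge are served under /.well-known/acme-challenge/ while the Common Challenge Directory is enabled; the HostName parameter and the probe file name are hypothetical.

```powershell
# Added example (not Plesk code). Run in an elevated PowerShell session on the server.
# Assumptions: %plesk_dir% is set, the WebAdministration module is installed, and
# var\acme-challenge is what IIS serves at /.well-known/acme-challenge/.
param([string]$HostName = 'example.com')   # placeholder domain, replace with your own

Import-Module WebAdministration
$challengeDir = Join-Path $env:plesk_dir 'var\acme-challenge'
$results = [ordered]@{}

# 1. The file named in the "Could not access" error must exist.
$results['web.config present'] = Test-Path (Join-Path $challengeDir 'web.config')

# 2. Both IIS sites from the steps must exist and be running.
foreach ($name in 'Default Web Site', 'acme-challenge') {
    $site = Get-Website | Where-Object { $_.Name -eq $name }
    $results["IIS site '$name' started"] = [bool]($site -and $site.State -eq 'Started')
}

# 3. Default Web Site must listen on http, All Unassigned, port 80, empty host name.
$bindings = @(Get-WebBinding -Name 'Default Web Site' -Protocol http -ErrorAction SilentlyContinue)
$results['Default Web Site bound to *:80:'] = $bindings.bindingInformation -contains '*:80:'

# 4. Round trip: drop a probe file and fetch it over HTTP like the CA's validator does.
$token = 'probe-' + [guid]::NewGuid().ToString('N')
$probe = Join-Path $challengeDir $token
Set-Content -Path $probe -Value $token -NoNewline -Encoding Ascii
try {
    $resp = Invoke-WebRequest -UseBasicParsing -TimeoutSec 15 `
        -Uri "http://$HostName/.well-known/acme-challenge/$token"
    # Content is byte[] when IIS sends a non-text MIME type for the extensionless file.
    $body = if ($resp.Content -is [byte[]]) {
        [Text.Encoding]::ASCII.GetString($resp.Content)
    } else { [string]$resp.Content }
    # An HTML page here (as in the php_error.log excerpt) means another site answered.
    $results['probe token served over HTTP'] = ($body.Trim() -eq $token)
} catch {
    $results['probe token served over HTTP'] = $false
    Write-Warning "Probe request failed: $($_.Exception.Message)"
} finally {
    Remove-Item -Path $probe -ErrorAction SilentlyContinue
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

The probe request is made from the server itself, so it does not detect the DNS mismatch reported in the last symptom; repeat the HTTP fetch from an external host if that message was shown.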