Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
Unable to issue a Let's Encrypt certificate for a domain in Plesk, the process fails with the following error message:
Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com
The example.com DNS zone contains an AAAA record, but the domain is not assigned an IPv6 address in Plesk.
To resolve the issue, either assign an IPv6 address to example.com ("Websites & Domains" > "Web Hosting Access") or remove the AAAA record from the example.com DNS zone.
See the related Knowledge Base article for details.
Details
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/qxK-vAPtGYg3YOSEcgZNB7HBd-unn4oX3GLtZWSxVPA.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Cause
Domain resolves to an IPv6 address but the domain is not assigned or does not have an IPv6 in Plesk:
# dig @8.8.8.8 +short -t AAAA example.com
2001:db8:f61:a1ff:0:0:0:80
Resolution
If your server/domain does not support/have IPv6:
- Log in to Plesk
- Go to Domains > example.com > DNS Settings and remove AAAA record
Note: If DNS is not managed by Plesk remove the AAAA record on the external DNS server or registrar side.
If your server/domain resolves to an IPv6 but it is not configured in Plesk:
-
Go to Domains > example.com > Web Hosting Access and assign an IPv6 to the domain.
Note: IPv6 address should exist on network interface and in Tools & Settings > IP Addresses
Note: If you use Cloudflare for DNS management and encounter this issue, refer to the following article:
Let’s Encrypt for domain that uses Cloudflare fails: DNS zone contains an AAAA record but the domain is not assigned an IPv6 address in Plesk
Comments
25 comments
Cannot find solution 1
Marco Burkhardt please double check if you have an AAAA record:
If you do and the domain does not have an IPv6 assigned make sure the AAAA record is removed.
Which part was not found?
Julian Bonpland Mignaquy
Hi Julian,
I cannot find solution 2 either.
How can I assign an IPv6 to the domain. Could you please give me a more detailed explanation? That would be great.
Thank you!
Renzo
Hi Renzo,
DO you see an IPv6 in Tools and Settings > IP Addresses? If you don't that explains why you do not see it in the domain's configuration.
Do you see the IP in the "ip a" command via ssh? If you do, then hit Reread IP in Tools and Settings > IP Addresses.
It may also be possible that IPv6 is not enabled? https://support.plesk.com/hc/en-us/articles/12377462694807-How-to-enable-IPv6-addresses-on-a-Plesk-server-
If this does not help please open a support ticket with us https://support.plesk.com/hc/en-us/articles/12388090147095-How-to-get-support-directly-from-Plesk-
I am getting the same error message, but there is not an AAAA record in the DNS zone. So I cannot remove a non-existent record. Any advice?
Hi Michael Allen, what is the output of "dig @8.8.8.8 +short -t AAAA example.com". Replace example.com with the real domain.
Hi Julian,
I have a problem, I run the dig command and the response is empty, there is no IPv6 assigned.
Enrique GO in that case make sure there is no IPv6 assigned in Domains > example.com > Hosting.
Thanks for the response Julian,
I finally found the problem. Next to the domain I was generating the SSL for 4 other domain aliases. One of them had an AAAA (IPv6) record for a subdomain. The error shown was referring to the main domain instead of the domain alias and that was causing the confusion.
For me was giving the same error and did not have an AAAA record in the DNS zone. So I excluded the website from Cloudflare, installed Cloudflare Plugin on Plesk, exported configs to Cloudflare, and the certificate was issued. (the solution 2 for me as a newbie on Plesk, I did not know how to proceed)
I was going around the AAAA 400 firewall merry go round. Went into Tools & Settings > IP Addresses. Select the IP Address and set the default site to "none". New cert, happy days. I wonder what idiot changed that setting a few months back, when I get my hands on him.... Why yes, I am self employed what of it?
In my case, Cloudflare was blocking let's encrypt. I didn't have to do anything to DNS to resolve this. I changed Cloudflare WAF rules to allow let's encrypt.
Both solutions are useless if the website is hosted elsewhere.
All I need to do is create a certificate for webmail.
Website is hosted elsewhere as is my DNS.
Neither solution will resolve the issue.
Hi Larry, if the website resolves to an ip which is not plesk you will not be able to secure it from Plesk.
HI Larry Nedry, i missed your first message:
Note: Such certificate will not be renewed automatically. Use the above steps for renewing such certificate when its expiration date is close.
I have Domain „A“ setup correctly and get a cert. Then I activate Domain „B“, and letsencrypt tells me, that I have AAAA record for Domain A, but not assigned an IP in Plesk. But everything works when I only have Domain A. Problems arise when I try to include domain B only. What might be important is that my DNS are external, so Plesk/LE cannot change DNS entries.
I’ve tried many scenarios, but don’t find it.
What’s the problem?
Screenshot: domain A=wortbildkoeniginnen.com
domain B=textimagequeens.com and/or wortbildköniginnen.com, I tried both or single, no change.
Hi Mike Monnerie, try removing this IP from your external DNS:
Seems I found the problem: my data center has moved to another location, and while IPv4 stayed the same, it seems they forgot/misconfigured IPv6. I found this website which really tests for IPv6 connections on websites, in case anyone else needs it:
https://www.mythic-beasts.com/ipv6/health-check
And my result is in this picture:
First of all, I use deep translator, I use Plesk, but when I moved the site DNS to Cloudflare, I had a big problem, this process was happening in Cpanel without any effort, anyway I created my own name server on my own server like ns1.my.com and ns2.my.com and it was working fine, when I moved it to Cloudflare, the problems started, there is no IP on the server, there is only IP4 in Plesk Panel, the server DNS configurations are turned off but this problem is not solved,
Translated with DeepL.com (free version)
öncelikle deep translator kullanıyorum, Plesk kullanıyorum ama site DNS lerini ne zaman Cloudflare taşıdım, başıma büyük bir der aldım, bu işlem Cpanelde hiç uğraştırmadan oluyordu, her neyse kenddime ait sunucuda kendime ait ns1.benim.com ve ns2.benim.com gibi name server oluşturdum ve gayet güzel çalışıyordu, ne zaman Cloudflare taşıdım başladı proplemler, sunucuda IP yok Plesk Panelde sadece IP4 mevcut, sunuc DNS yapılandırmaları kapalı ama bu problem cözümlenmedi,
Mehmet ALTINIŞIK could you please provide more detailed errors? You mentioned there is no IP on the server. Is this an error you get in Cloudflare or in PLesk.
I would recommend opening a support ticket with us in order to get to the bottom of this: https://support.plesk.com/hc/en-us/articles/12388090147095-How-to-get-support-directly-from-Plesk#:~:text=Login%20to%20Plesk%20support%20ticket,form%20%3E%20choose%20Technical%20Support%20Request.&text=If%20the%20license%20was%20purchased,will%20see%20the%20warning%20below.
For your info, I had this error while and IPv6 was properly assigned, and properly responding in DNS, and I was able to access the website using IPv6.
The problem was, after a migration, I forgot to migrate the DNS zone for the alias, and it was still pointing the old server.
Therefore the error message was incorrectly reporting a problem on the main domain's AAAA, while the problem was on the alias. Plesk could handle this specific case in a better way. Would have saved me (and others likely many times) 15 mins. :)
Hi Robin Labadie we have that reported as bug ID EXTSSLIT-1875 which will be fixed in future updates.
Hi,
If anyone use CloudFlare and have that error the solution it's here> https://support.plesk.com/hc/en-us/articles/19574750125463/comments/28198333522711
Hi Marcos Mansueti thank you, yes it is mentioned in the article as well:
Note: If you use Cloudflare for DNS management and encounter this issue, refer to the following article:
Let’s Encrypt for domain that uses Cloudflare fails: DNS zone contains an AAAA record but the domain is not assigned an IPv6 address in Plesk
Please sign in to leave a comment.