Could not issue a Let's Encrypt certificate: DNS zone contains an AAAA record, but the domain is not assigned an IPv6 address in Plesk

Follow

Comments

19 comments

  • Avatar
    Marco Burkhardt

    Cannot find solution 1

     

    1
    Comment actions Permalink
  • Avatar
    Julian Bonpland Mignaquy

    Marco Burkhardt please double check if you have an AAAA record:

    dig @8.8.8.8 +short -t AAAA example.com

    If you do and the domain does not have an IPv6 assigned make sure the AAAA record is removed.

    Which part was not found?

    0
    Comment actions Permalink
  • Avatar
    Renzo Witt

    Julian Bonpland Mignaquy

    Hi Julian,

    I cannot find solution 2 either.

    How can I assign an IPv6 to the domain. Could you please give me a more detailed explanation? That would be great.

    Thank you!

    Renzo

    0
    Comment actions Permalink
  • Avatar
    Julian Bonpland Mignaquy

    Hi Renzo,

    DO you see an IPv6 in Tools and Settings > IP Addresses? If you don't that explains why you do not see it in the domain's configuration.

    Do you see the IP in the "ip a" command via ssh? If you do, then hit Reread IP in Tools and Settings > IP Addresses.

     

    It may also be possible that IPv6 is not enabled? https://support.plesk.com/hc/en-us/articles/12377462694807-How-to-enable-IPv6-addresses-on-a-Plesk-server-

    If this does not help please open a support ticket with us https://support.plesk.com/hc/en-us/articles/12388090147095-How-to-get-support-directly-from-Plesk-

    0
    Comment actions Permalink
  • Avatar
    Michael Allen

    I am getting the same error message, but there is not an AAAA record in the DNS zone. So I cannot remove a non-existent record. Any advice?

    1
    Comment actions Permalink
  • Avatar
    Julian Bonpland Mignaquy

    Hi Michael Allen, what is the output of "dig @8.8.8.8 +short -t AAAA example.com". Replace example.com with the real domain.

    0
    Comment actions Permalink
  • Avatar
    Enrique GO

    Hi Julian,

    I have a problem, I run the dig command and the response is empty, there is no IPv6 assigned.

    0
    Comment actions Permalink
  • Avatar
    Julian Bonpland Mignaquy

    Enrique GO in that case make sure there is no IPv6 assigned in Domains > example.com > Hosting.

    0
    Comment actions Permalink
  • Avatar
    Enrique GO

    Thanks for the response Julian,

    I finally found the problem. Next to the domain I was generating the SSL for 4 other domain aliases. One of them had an AAAA (IPv6) record for a subdomain. The error shown was referring to the main domain instead of the domain alias and that was causing the confusion.

    1
    Comment actions Permalink
  • Avatar
    Bruno Redondo

    For me was giving the same error and did not have an AAAA record in the DNS zone. So I excluded the website from Cloudflare, installed Cloudflare Plugin on Plesk, exported configs to Cloudflare, and the certificate was issued. (the solution 2 for me as a newbie on Plesk, I did not know how to proceed)

    0
    Comment actions Permalink
  • Avatar
    Info

    I was going around the AAAA 400 firewall merry go round. Went into Tools & Settings > IP Addresses. Select the IP Address and set the default site to "none". New cert, happy days. I wonder what idiot changed that setting a few months back, when I get my hands on him.... Why yes, I am self employed what of it?

    0
    Comment actions Permalink
  • Avatar
    Aaron K (Edited )

    In my case, Cloudflare was blocking let's encrypt. I didn't have to do anything to DNS to resolve this. I changed Cloudflare WAF rules to allow let's encrypt.

    0
    Comment actions Permalink
  • Avatar
    Larry Nedry (Edited )

    Both solutions are useless if the website is hosted elsewhere.

    All I need to do is create a certificate for webmail.

    1
    Comment actions Permalink
  • Avatar
    Larry Nedry

    Website is hosted elsewhere as is my DNS.

    Neither solution will resolve the issue.

    0
    Comment actions Permalink
  • Avatar
    Julian Bonpland Mignaquy

    Hi Larry, if the website resolves to an ip which is not plesk you will not be able to secure it from Plesk.

    0
    Comment actions Permalink
  • Avatar
    Julian Bonpland Mignaquy

    HI Larry Nedry, i missed your first message:

    All I need to do is create a certificate for webmail.

    Please proceed as follows:
    If the main domain in Plesk has the hosting type Website.
    1. Set Webmail to "None" in Domains > example.com > Mail > Mail settings
    2. Create a subdomain webmail.example.com in Subscriptions > example.com > Add Subdomain.
    3. Issue a Let's Encrypt certificate for it in Domains > webmail.example.com > Let's Encrypt.
    4. Secure the webmail with this certificate in Domains > example.com > Mail > Mail Settings > SSL/TLS certificate for webmail.
    5. Delete the subdomain webmail.example.com in Domains > webmail.example.com > Remove Subdomain.

    Note: Such certificate will not be renewed automatically. Use the above steps for renewing such certificate when its expiration date is close.

    0
    Comment actions Permalink
  • Avatar
    Mike Monnerie (Edited )

    I have Domain „A“ setup correctly and get a cert. Then I activate Domain „B“, and letsencrypt tells me, that I have AAAA record for Domain A, but not assigned an IP in Plesk. But everything works when I only have Domain A. Problems arise when I try to include domain B only. What might be important is that my DNS are external, so Plesk/LE cannot change DNS entries.

    I’ve tried many scenarios, but don’t find it.
    What’s the problem?

    Screenshot: domain A=wortbildkoeniginnen.com
    domain B=textimagequeens.com and/or wortbildköniginnen.com, I tried both or single, no change.

    0
    Comment actions Permalink
  • Avatar
    Julian Bonpland Mignaquy

    Hi Mike Monnerie, try removing this IP from your external DNS:

    dig +short textimagequeens.com AAAA
    2a02:c207:2068:4753::2abc
    0
    Comment actions Permalink
  • Avatar
    Mike Monnerie (Edited )

    Seems I found the problem: my data center has moved to another location, and while IPv4 stayed the same, it seems they forgot/misconfigured IPv6. I found this website which really tests for IPv6 connections on websites, in case anyone else needs it:
    https://www.mythic-beasts.com/ipv6/health-check

    And my result is in this picture:

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request