Articles in this section

Unable to issue a Let's Encrypt certificate for a domain or its mail in Plesk: the DNS challenge used another IP address

Kuzma Ivanov
Updated
Plesk for Windows Plesk for Linux kb: technical ext: le ABT: Group A

Applicable to:

  • Plesk for Linux
  • Plesk for Windows

Symptoms

Let's Encrypt fails to secure a domain or its webmail with a certificate at Domains > example.com > Let's Encrypt because of IP address mismatch:

  • over IPv4

    PLESK_ERROR: Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Your domain in Plesk is hosted on the IP address(es): 203.0.113.2, but the DNS challenge used another IP address: 203.0.113.10. Please check the actual DNS zone of your domain and make sure that the IP addresses in the DNS zone and for the hosting are the same.

  • over IPv6

    PLESK_ERROR: Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Your domain in Plesk is hosted on the IP address(es): 203.0.113.2 2001:db8:f61:a1ff:0:0:0:80, but the DNS challenge used another IP address: 2001:db8:f61:a1ff:0:0:0:90. Please check the actual DNS zone of your domain and make sure that the IP addresses in the DNS zone and for the hosting are the same

Cause

DNS misconfiguration: The domain IP address configured in Plesk at Domains > example.com > Web Hosting Access differs from the IP address to which the domain/webmail/www-subdomain resolves globally. Use the nslookup utility (available on Linux and Windows) to find actual (global) IP address of the domain:

C:\> nslookup example.com 8.8.8.8
Server: google-public-dns-a.google.com
Address: 10.55.253.101

Non-authoritative answer:
Name: example.com
Addresses: 2001:db8:f61:a1ff:0:0:0:90
203.0.113.10

It is not possible to secure a domain with "www" subdomain or webmail included, if "www" subdomain or webmail resolves to a different IP address.

Resolution

Apply one of the following solutions:

Solution I: Change the IP address in Plesk

  1. Log in to Plesk.
  2. Go to Domains > example.com > Dashboard tab > Web Hosting Access.
  3. Change the IP address for the A record to the global IP address.

  4. Go to Domains > example.com > DNS Settings and make sure global IP address is shown for the A record.

     

Solution II: Change the IP address on registrar side

Change the IP address for the A record on the registrar's side to the one which is specified in Plesk. Note that a DNS change can take up to 24-48 hours to propagate globally.

Was this article helpful?

Comments

0 comments

Please sign in to leave a comment.