Applicable to:
- Plesk for Linux
Symptoms
-
It is not posible to issue or renew Let's Encrypt SSL/TLS certificate. The following error appears in Plesk or in a mail sent to the user's mailbox:
Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com.
Authorization for the domain failed.
Details Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/9_fD4pJYnd6o4DNUxbG0WNtYOOm-G6TeHcz8TN1K9f4. Details: Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Incorrect TXT record "Rq5AN5tnNTHnUNfh2byBWzDZNePjIOcSJDMJYK0ku6A" found at _acme-challenge.example.com -
Plesk is not the master of the zone, external servers are used:
# dig NS example.com +short
ns1.server.com
ns2.server.com -
DNS extension like "Amazon Route 53" is used.
Cause
Local DNS service is stopped in Tools & Settings > Services Management.
If this service is stopped then the TXT record for _acme-challenge will not be generated automatically.
Resolution
-
Start the DNS service in Tools & Settings > Services Management.
-
Go to Domains > example.com > SSL/TLS Certificates
-
Click on Reissue certificate.
-
Once the following image is shown, double check if the TXT record resolves externally. This can be checked via ssh with the command
dig TXT _acme-challenge.example.com +short
: - If it does not resolve, add the record to the external DNS server, removing other existing acme-challenge records from there.
-
Get back to Plesk screen and click Reload button
Comments
3 comments
How to force the "Start to issuing" dialog in step 5, if plesk does not show this? In the e-mail, that tells, the acme challegnde is wrog, only the found wrong content is contained, but how to force to get the current expected in order to update the dns entry (dns servers are not on the same server as plesk resides on)
Kai Eisbrenner in order to get the message again go through the steps once again and Click on Reissue certificate.
i know but what is annoying is that if you're relying on a 3rd party to create the TXT record. the webpage has expired before it can be created. and then you start again with a completely different record..
Please sign in to leave a comment.