Articles in this section

See more

Unable to issue or renew Let's Encrypt certificate in Plesk when external DNS server is used: Incorrect TXT record

Avatar
Julian Bonpland Mignaquy
Updated
Follow
Plesk for Linux kb: technical ext: le ABT: Group B

Applicable to:

  • Plesk for Linux

Symptoms

  • It is not posible to issue or renew Let's Encrypt SSL/TLS certificate. The following error appears in Plesk or in a mail sent to the user's mailbox:

    Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com.
    Authorization for the domain failed.
    Details Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/9_fD4pJYnd6o4DNUxbG0WNtYOOm-G6TeHcz8TN1K9f4. Details: Type: urn:ietf:params:acme:error:unauthorized
    Status: 403
    Detail: Incorrect TXT record "Rq5AN5tnNTHnUNfh2byBWzDZNePjIOcSJDMJYK0ku6A" found at _acme-challenge.example.com

  • Plesk is not the master of the zone, external servers are used:

    # dig NS example.com +short
    ns1.server.com
    ns2.server.com

  • DNS extension like "Amazon Route 53" is used.

Cause

Local DNS service is stopped in Tools & Settings > Services Management.
If this service is stopped then the TXT record for _acme-challenge will not be generated automatically.

Resolution

  1. Log into Plesk

  2. Start the DNS service in Tools & Settings > Services Management.

  3. Go to Domains > example.com > SSL/TLS Certificates

  4. Click on Reissue certificate.

  5. Once the following image is shown, double check if the TXT record resolves externally. This can be checked via ssh with the command dig TXT _acme-challenge.example.com +short:
    Click Install

  6. If it does not resolve, add the record to the external DNS server, removing other existing acme-challenge records from there.

  7. Get back to Plesk screen and click Reload button

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles