Articles in this section

See more

Unable to issue or renew Let's Encrypt certificate in Plesk when external DNS server is used: Incorrect TXT record

Avatar
Julian Bonpland Mignaquy
Updated
Follow
Plesk for Linux kb: technical ext: le ABT: Group B

Applicable to:

  • Plesk for Linux

Symptoms

  • It is not posible to issue or renew Let's Encrypt SSL/TLS certificate. The following error appears in Plesk or in a mail sent to the user's mailbox:

    Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com.
    Authorization for the domain failed.
    Details Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/9_fD4pJYnd6o4DNUxbG0WNtYOOm-G6TeHcz8TN1K9f4. Details: Type: urn:ietf:params:acme:error:unauthorized
    Status: 403
    Detail: Incorrect TXT record "Rq5AN5tnNTHnUNfh2byBWzDZNePjIOcSJDMJYK0ku6A" found at _acme-challenge.example.com

  • Plesk is not the master of the zone, external servers are used:

    # dig NS example.com +short
    ns1.server.com
    ns2.server.com

  • DNS extension like "Amazon Route 53" is used.

Cause

Local DNS service is stopped in Tools & Settings > Services Management.
If this service is stopped then the TXT record for _acme-challenge will not be generated automatically.

Resolution

  1. Log into Plesk

  2. Start the DNS service in Tools & Settings > Services Management.

  3. Go to Domains > example.com > SSL/TLS Certificates

  4. Click on Reissue certificate.

  5. Once the following image is shown, double check if the TXT record resolves externally. This can be checked via ssh with the command dig TXT _acme-challenge.example.com +short:
    Click Install

  6. If it does not resolve, add the record to the external DNS server, removing other existing acme-challenge records from there.

  7. Get back to Plesk screen and click Reload button

Comments

3 comments

Sort by Date Votes
  • Avatar
    Kai Eisbrenner

    How to force the "Start to issuing" dialog in step 5, if plesk does not show this? In the e-mail, that tells, the acme challegnde is wrog, only the found wrong content is contained, but how to force to get the current expected in order to update the dns entry (dns servers are not on the same server as plesk resides on)

    0
    Comment actions Permalink
  • Avatar
    Julian Bonpland Mignaquy

    Kai Eisbrenner in order to get the message again go through the steps once again and Click on Reissue certificate.

     

    1
    Comment actions Permalink
  • Avatar
    Maarten Westera

    i know but what is annoying is that if you're relying on a 3rd party to create the TXT record. the webpage has expired before it can be created. and then you start again with a completely different record..

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles