Applicable to:
- Plesk for Linux
Symptoms
-
It is not posible to issue or renew Let's Encrypt SSL/TLS certificate. The following error appears in Plesk or in a mail sent to the user's mailbox:
Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com.
Authorization for the domain failed.
Details Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/9_fD4pJYnd6o4DNUxbG0WNtYOOm-G6TeHcz8TN1K9f4. Details: Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Incorrect TXT record "Rq5AN5tnNTHnUNfh2byBWzDZNePjIOcSJDMJYK0ku6A" found at _acme-challenge.example.com -
Plesk is not the master of the zone, external servers are used:
# dig NS example.com +short
ns1.server.com
ns2.server.com -
DNS extension like "Amazon Route 53" is used.
Cause
Local DNS service is stopped in Tools & Settings > Services Management.
If this service is stopped then the TXT record for _acme-challenge will not be generated automatically.
Resolution
-
Start the DNS service in Tools & Settings > Services Management.
-
Go to Domains > example.com > SSL/TLS Certificates
-
Click on Reissue certificate.
-
Once the following image is shown, double check if the TXT record resolves externally. This can be checked via ssh with the command
dig TXT _acme-challenge.example.com +short
: - If it does not resolve, add the record to the external DNS server, removing other existing acme-challenge records from there.
-
Get back to Plesk screen and click Reload button
Comments
8 comments
Kai Eisbrenner in order to get the message again go through the steps once again and Click on Reissue certificate.
How to force the "Start to issuing" dialog in step 5, if plesk does not show this? In the e-mail, that tells, the acme challegnde is wrog, only the found wrong content is contained, but how to force to get the current expected in order to update the dns entry (dns servers are not on the same server as plesk resides on)
i know but what is annoying is that if you're relying on a 3rd party to create the TXT record. the webpage has expired before it can be created. and then you start again with a completely different record..
I have come across this problem several times as many Plesk installations are single nodes and therefore dont have multiple DNS servers
The 'fix' we have come up with is to request/renew the certificate via CLI
So, for mydomain.com
plesk bin extension --exec letsencrypt cli.php --webroot-path /var/www/vhosts/mydomain.com/httpdocs -d mydomain.com -d webmail.mydomain.com -d www.mydomain.com -m email@mydomain.com
This negates the issue with DNS transfer timeouts
there is no button "Reissue certificate"
- the isue was a firewall blocking.
i would like to know which ports are need to lets encrypt generate a new SSL?
Hi Felipe Santos i think this article is more suited for your scenario 12377378667287-Unable-to-issue-Let-s-Encrypt-certificate-in-Plesk-Timeout-during-connect-likely-firewall-problem-OR-Error-getting-validation-data
Your "guide" fails to explain when plesk choses DNS acme plugin, and when it choses http acme plugin. I never even get the Start to issuing dialog with the acme_challenge, just like Kai Eisbrenner which you failed to understand as well. (Just like me Kai never gets the prompt to validate the Acme_chalenge, because his plesk is using the http acme plugin.) Instead my plesk just uses DNS for one website, and HTTP for the other. Even just newly created sites are sometimes unable to request an certificate because plesk chooses things without giving me the possibility to force anything.
Also another thing, the Plesk Published Cloudflare plugin is supposed to force acme_challenges for sites using cloudflare, this seems to work for random domains as well.
Hi Marlon, if you wish to see the screenshot from step 5 just navigate to Domains > example.com > SSL certificates > Reissue certificate > Lets Encrypt and make sure Wildcard is selected. (the path may change)
Please sign in to leave a comment.