Applicable to:
- Plesk for Windows
In the cases seen so far, a custom manual IIS configuration (a global URL Rewrite rule, shown below) overrides the common challenge directory setting in Plesk and causes this issue. If the customer needs to keep the Plesk common challenge directory setting enabled for other reasons, escalate the case to third-line support so the custom configuration can be investigated individually.
Symptoms
- Unable to issue a Let's Encrypt certificate, or certificate renewal fails with the following error in %plesk_dir%admin\logs\php_error.log:
ERR [extension/letsencrypt] Domain validation failed for example.com: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/2284063346/581606700311
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: 203.0.113.2: Fetching http://www.acme-challenge.localhost/.well-known/acme-challenge/Hqdq0qDw7z5lxbHj5dFGYMvv5qh82_BQAC_dJfKrZtM: Invalid host in redirect target, must end in IANA registered TLD
- When a test.txt file is created in the .well-known/acme-challenge subdirectory of the website and the URL https://example.com/.well-known/acme-challenge/test.txt is opened in a browser, the error PR_CONNECT_RESET_ERROR is shown and the URL changes automatically to https://acme-challenge.localhost/.well-known/acme-challenge/test.txt
- The following rewrite rule is present in C:\Windows\System32\inetsrv\config\applicationHost.config:
<rewrite>
<globalRules>
<rule name="acme-challenge" stopProcessing="true">
<match url="^.well-known/acme-challenge/(.+)$" />
<conditions>
<add input="{HTTPS}" matchType="Pattern" pattern="OFF" ignoreCase="true" negate="false" />
</conditions>
<serverVariables>
<set name="HTTP_HOST" value="acme-challenge.localhost" />
</serverVariables>
<action type="Rewrite" url="http://127.0.0.1/{R:1}" />
</rule>
</globalRules>
</rewrite>
- The common challenge directory feature of the SSL It! extension is enabled on the Plesk server:
plesk ext sslit --common-challenge-dir -info
- Available: true
- Enabled: true
Cause
All requests for files in the example.com/.well-known/acme-challenge/ directory are redirected to https://acme-challenge.localhost/.well-known/acme-challenge/. The hostname in that URL does not end in an IANA-registered TLD, so the Let's Encrypt validation servers refuse to follow the redirect and the HTTP-01 challenge fails.
Resolution
To resolve the issue, disable the common challenge directory function of the SSL It! extension by following these steps:
Note: This setting may be reverted by some Plesk version updates, so re-check it after upgrading.
- Connect to the server via RDP
- Start a command prompt as Administrator
- Disable the common challenge directory function of the SSL It! extension by executing this command:
C:\> plesk ext sslit --common-challenge-dir -disable
After this, requests from the Let's Encrypt servers reach the domain's own ACME challenge directory directly, so the URL is accepted during certificate issuance.
If the solution above does not help, comment out the rewrite rule in applicationHost.config, like this:
<!-- <rewrite>
<globalRules>
<rule name="acme-challenge" stopProcessing="true">
<match url="^.well-known/acme-challenge/(.+)$" />
<conditions>
<add input="{HTTPS}" matchType="Pattern" pattern="OFF" ignoreCase="true" negate="false" />
</conditions>
<serverVariables>
<set name="HTTP_HOST" value="acme-challenge.localhost" />
</serverVariables>
<action type="Rewrite" url="http://127.0.0.1/{R:1}" />
</rule>
</globalRules>
</rewrite> -->
After that, restart IIS by running iisreset from the command prompt.
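The check described in the Symptoms section, and the verification of either fix above, can be scripted. The following PowerShell script is an added example written for this article; it is not part of Plesk or the SSL It! extension. It assumes the domain's document root is C:\inetpub\vhosts\<domain>\httpdocs (adjust -DocRoot if it differs) and is run as Administrator on the Plesk server itself. It drops a uniquely named file into the domain's own .well-known/acme-challenge directory, requests it over plain HTTP without following redirects (which is how the Let's Encrypt validator arrives), reports whether any redirect target would be rejected for not ending in a registered TLD, then prints the SSL It! common challenge directory status and whether applicationHost.config still references acme-challenge.localhost.

```powershell
# Added example, not Plesk code: probe a domain's ACME challenge path without following
# redirects and report the two settings this article points at.
# -Domain and -DocRoot are assumptions; set them to the real subscription values.
param(
    [Parameter(Mandatory = $true)] [string] $Domain,
    [string] $DocRoot = "C:\inetpub\vhosts\$Domain\httpdocs"
)

Add-Type -AssemblyName System.Net.Http

# Fetch one URL over plain HTTP and return status, Location header and body.
function Get-AcmeProbe {
    param([Parameter(Mandatory = $true)] [string] $Url)
    $handler = New-Object System.Net.Http.HttpClientHandler
    $handler.AllowAutoRedirect = $false   # keep the 3xx so its target can be inspected
    $client = New-Object System.Net.Http.HttpClient($handler)
    try {
        $resp = $client.GetAsync($Url).GetAwaiter().GetResult()
        [pscustomobject]@{
            Url      = $Url
            Status   = [int]$resp.StatusCode
            Location = if ($resp.Headers.Location) { $resp.Headers.Location.AbsoluteUri } else { $null }
            Body     = $resp.Content.ReadAsStringAsync().GetAwaiter().GetResult()
        }
    }
    finally {
        $client.Dispose()
    }
}

# Let's Encrypt follows HTTP-01 redirects only to hosts ending in an IANA-registered TLD.
# Targets under .localhost, bare "localhost" and literal IP addresses are refused.
function Test-RedirectTargetAcceptable {
    param([string] $Location)
    if (-not $Location) { return $true }   # no redirect at all
    $targetHost = ([uri]$Location).Host
    if ($targetHost -eq 'localhost' -or $targetHost -like '*.localhost') { return $false }
    if ($targetHost -match '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    return $true
}

# 1. Place a uniquely named test file in the domain's own challenge directory.
$challengeDir = Join-Path $DocRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null
$token   = 'plesk-acme-probe-' + [guid]::NewGuid().ToString('N')
$content = "probe $(Get-Date -Format o)"
Set-Content -Path (Join-Path $challengeDir $token) -Value $content -NoNewline

try {
    # 2. Request it over HTTP, the way the Let's Encrypt validator does.
    $probe = Get-AcmeProbe -Url "http://$Domain/.well-known/acme-challenge/$token"
    Write-Host ("HTTP {0} from {1}" -f $probe.Status, $probe.Url)
    if ($probe.Location) { Write-Host "Redirected to: $($probe.Location)" }

    if ($probe.Status -eq 200 -and $probe.Body -eq $content) {
        Write-Host 'OK: the challenge file is served from the domain itself.'
    }
    elseif ($probe.Status -ge 300 -and $probe.Status -lt 400 -and
            -not (Test-RedirectTargetAcceptable $probe.Location)) {
        Write-Warning "Redirect target host would be rejected by Let's Encrypt (see Cause above)."
    }
    else {
        Write-Warning 'Unexpected response; check IIS rewrite rules and the domain''s hosting settings.'
    }

    # 3. Show the two settings the article points at.
    Write-Host "`nSSL It! common challenge directory:"
    & plesk ext sslit --common-challenge-dir -info

    $appHost = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
    $hits = @(Select-String -Path $appHost -Pattern 'acme-challenge\.localhost')
    if ($hits.Count -gt 0) {
        Write-Warning "applicationHost.config still references acme-challenge.localhost (line $($hits[0].LineNumber))."
    }
    else {
        Write-Host 'applicationHost.config: no acme-challenge.localhost rule found.'
    }
}
finally {
    # 4. Remove the probe file so nothing is left in the challenge directory.
    Remove-Item -Path (Join-Path $challengeDir $token) -ErrorAction SilentlyContinue
}
```

Save it as, for example, Probe-AcmeChallenge.ps1 (the file name is arbitrary) and run `.\Probe-AcmeChallenge.ps1 -Domain example.com` from an elevated PowerShell prompt. Before the fix it reports a 3xx response whose Location host ends in .localhost; after disabling the common challenge directory or commenting out the rewrite rule and running iisreset, it should report HTTP 200 with the probe content served by the domain itself.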