Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
- The domain is marked as partially secured or not secured in Domains > example.com > SSL / TLS Certificates.
- The message below is received by the Plesk administrator via email:
The following Let`s Encrypt certificates have been renewed without some of their Subject Alternative Names:
'Lets Encrypt example.com'
[+] example.com
[-] www.example.com
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/1112223333.
Details: Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: During secondary validation:
DNS problem: query timed out looking up CAA for example.com -
One of the following errors can be found in /var/log/plesk/panel.log on Linux servers:

ERR [extension/letsencrypt] Domain validation failed for www.example.com: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/1112223333.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400

Error issuing certificate for www.example.com
Details:
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/342909671710.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: During secondary validation: 203.0.113.2: Fetching https://www.example.com/.well-known/acme-challenge/Sl5Av8OHLK9dpsdIyrFE7qJOOpRanx3NZYe_Sbbm-MX: Connection refused -
Or in %plesk_dir%\admin\logs\php_error.log on Windows servers:

ERR [extension/letsencrypt] Domain validation failed for example.com: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/1112223333.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: During secondary validation: DNS problem: query timed out looking up A for example.com
Cause
Let's Encrypt validation servers cannot reach the DNS server that hosts the primary DNS zone of the affected domain on TCP and UDP port 53. This is usually caused by a firewall or similar security restriction that blocks or rate-limits incoming DNS traffic (Fail2Ban is often the culprit). The errors above mention secondary validation: Let's Encrypt queries DNS from multiple vantage points, so the zone has to be reachable from all of them, not only from the location the administrator tests from.
Resolution
Check and make sure that there are no rules blocking or rate-limiting traffic on TCP and UDP port 53 in any firewall that protects your Plesk server.
Alternatively, if an external DNS zone is used as the primary zone of the affected domains, contact the NS provider to clarify whether traffic limitations for TCP and UDP port 53 exist on their end, because such limitations are the most likely cause of these issues.
To inspect fail2ban banned addresses, use the article below:
Where can I check which IP addresses are banned or blacklisted by Plesk?
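The firewall check described in the resolution above, as an added example that is not part of the Plesk article: a POSIX shell script that scans firewall rules in iptables-save format for anything that drops, rejects, rate-limits, or hands port 53 traffic to a Fail2Ban (f2b-*) chain. The sample rules embedded in it are constructed for illustration and do not come from a real server; when run as root on a Linux server where iptables-save is available, it inspects the live ruleset instead.

```shell
#!/bin/sh
# Added example (not from the Plesk article): find firewall rules that block,
# reject, rate-limit or hand off DNS (TCP/UDP port 53) traffic, which is the
# class of rule that makes Let's Encrypt DNS/CAA lookups time out.

# Constructed sample in the format printed by `iptables-save` (not a real ruleset).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m multiport --dports 53 -j f2b-named-refused-udp
-A INPUT -p udp -m udp --dport 53 -m limit --limit 10/sec -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j DROP
-A INPUT -p tcp -m tcp --dport 53 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 5353 -j ACCEPT
-A INPUT -p udp -m multiport --dports 53,953 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Print every rule (read from stdin) that targets port 53 via --dport or a
# --dports list AND either drops/rejects it, rate-limits it, or jumps into a
# Fail2Ban chain. Plain ACCEPT rules for port 53 are not reported.
port53_restrictions() {
    grep -E -e '(--dport|--dports) ([0-9]+,)*53(,|[[:space:]]|$)' \
      | grep -E -e '-j (DROP|REJECT|f2b-)|-m (limit|hashlimit)'
}

# Number of such rules; "0" means DNS traffic is not restricted by this ruleset.
count_port53_restrictions() {
    port53_restrictions | wc -l | tr -d ' '
}

# Stand-alone use: inspect the live firewall when possible, else the sample.
if [ "$(id -u)" -eq 0 ] && command -v iptables-save >/dev/null 2>&1; then
    echo "Scanning live iptables ruleset"
    n=$(iptables-save 2>/dev/null | count_port53_restrictions)
else
    echo "Scanning constructed sample ruleset"
    n=$(printf '%s\n' "$SAMPLE_RULES" | count_port53_restrictions)
fi
echo "port 53 restricting rules found: $n"
```

On the constructed sample the script reports four rules: the Fail2Ban jump, the rate limit, the DROP and the REJECT; the rules for ports 22, 443, 5353 and the unrestricted 53,953 ACCEPT are ignored. A hit on an f2b-* chain means a Fail2Ban jail is acting on DNS clients, which is where the banned-address article linked above comes in (fail2ban-client status shows the active jails). Because Let's Encrypt validates from several vantage points, confirm the fix from a host outside your network with both transports, for example dig @ns1.example.com example.com CAA +tcp and the same query without +tcp, since the errors above cite CAA and A lookups timing out.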