Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
- Issuing or renewing a Let's Encrypt certificate fails with an error similar to the following:
PLESK_ERROR: DNS zone contains an AAAA record, but the domain is not assigned an IPv6 address in Plesk.
- The affected domain is using Cloudflare nameservers.
- The affected domain does not have an IPv6 address assigned in Plesk > Domains > example.com > Hosting & DNS > Hosting > IP addresses, because no IPv6 address is assigned to the server at all in Plesk > Tools & Settings > IP addresses.
- An IPv6 address nevertheless resolves when the site is checked:
# dig AAAA example.com +short
2606:4700:3037::6818:70ce
2606:4700:3031::6818:71ce
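The symptom above is a disagreement between what public DNS says about the domain and what the server actually has. The following is an added example (not part of the Plesk KB article) of a pre-flight check a Linux Plesk administrator can run before requesting a certificate: it compares the AAAA records returned by public DNS with the global IPv6 addresses configured on the host and flags records that point at Cloudflare's published 2606:4700::/32 range, which is what a proxied (orange-cloud) hostname resolves to even when Plesk has no IPv6 at all. It assumes dig and iproute2 are installed; the addresses in the test are constructed (the 2606:4700 ones are the ones shown in the dig output above).

```shell
#!/bin/sh
# Added example, not from the Plesk KB article: pre-flight AAAA check to run
# on a Linux Plesk server before issuing a Let's Encrypt certificate.
# Assumes dig (bind-utils) and ip (iproute2) are available for the live path.

# Cloudflare publishes 2606:4700::/32 as one of its IPv6 ranges; an AAAA in
# it means the hostname is proxied and the address belongs to Cloudflare.
is_cloudflare_v6() {
    case "$1" in
        2606:4700:*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Classify the AAAA situation for a domain.
#   $1: AAAA records from public DNS, whitespace or newline separated
#   $2: global IPv6 addresses of this server, whitespace or newline separated
# Prints one of:
#   none                - no AAAA published, nothing to reconcile
#   match               - every AAAA belongs to this server
#   mismatch-cloudflare - an AAAA points at Cloudflare (proxy enabled)
#   mismatch            - an AAAA points somewhere else entirely
# Exit status is 0 for none/match and 1 for either mismatch.
aaaa_check() {
    records=$1
    local_v6=$2
    if [ -z "$records" ]; then
        echo none
        return 0
    fi
    for r in $records; do
        found=0
        for l in $local_v6; do
            [ "$r" = "$l" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            if is_cloudflare_v6 "$r"; then
                echo mismatch-cloudflare
            else
                echo mismatch
            fi
            return 1
        fi
    done
    echo match
    return 0
}

# Live helpers (need network and a Linux host).
public_aaaa() {
    # dig +short may also print CNAME targets; keep only IPv6 literals.
    dig AAAA "$1" +short 2>/dev/null | grep ':'
}
server_ipv6() {
    ip -6 addr show scope global 2>/dev/null | awk '/inet6/ { sub(/\/.*/, "", $2); print $2 }'
}

# Usage: sh aaaa-precheck.sh example.com
if [ $# -eq 1 ]; then
    aaaa_check "$(public_aaaa "$1")" "$(server_ipv6)"
fi
```

A result of mismatch-cloudflare before issuance tells you the certificate request will hit the error above, and that the fix lies in the Cloudflare proxy/SSL settings rather than in Plesk's IP assignment; a plain mismatch points at a stale or third-party AAAA record that should be corrected in the zone first.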
Cause
The SSL/TLS encryption mode for the domain on the Cloudflare side is set to something other than Full (strict). This causes the Let's Encrypt validation to fail, which is expected behavior.
For a domain that uses Cloudflare nameservers while its website content resides on a Plesk server, the SSL/TLS encryption mode should always be set to Full (strict), because only then is the certificate installed on the Plesk server the one actually used.
This is a confirmed point for improvement with ID #EXTSSLIT-2120.
Progress related to it can be tracked via the Change Log for Plesk Obsidian.
Resolution
To resolve the errors, change the SSL mode for the domain on the Cloudflare side:
1. Log into Cloudflare.com.
2. Go to example.com > SSL/TLS and change the SSL mode to Full (strict).
- As an alternative, disable Permanent SEO-safe 301 redirect from HTTP to HTTPS at Domains > example.com > Hosting & DNS > Hosting.
- If the above solution did not work, a high-level protection mode such as Under Attack mode may be enabled in Cloudflare.
It may be worth checking this article:
Comments
Ditto… changing to Full (strict) does not change the outcome; it is still failing with:
There are no AAAA records listed in the DNS configuration with Cloudflare, but they do resolve.
It is also not possible to disable IPv6 with Cloudflare in the meantime.
I have been on Full (Strict) for over a year without any problem, but the latest renewals keep failing.
Also the same issue, and enabling strict mode does not solve it (it shouldn't matter anyway because it's not in proxy mode). I also do have an IPv6 address assigned to the domain in Plesk. So I really don't understand why there is this error.
Even deleting the AAAA record in Cloudflare does not solve the issue.
Okay, it turns out that this error message is just bugged and appears no matter what the real underlying error is, which is very misleading.
To get the error from Let's Encrypt you need to click on "+ details" on that error message.
The AAAA DNS record error is because, remember, you may not have the AAAA record in your DNS, but CF does in its SOA zone.
If you want to generate a free Let's Encrypt SSL on Plesk but the domain's SOA is on CloudFlare, the solution is to temporarily disable the proxy on the @ and www records by turning off the cloud icon.
Wait 60 seconds (TTL).
Go to Plesk and generate Let's Encrypt; Plesk will then show you the acme-challenge value for DNS. Copy and paste it to apply the new value on CloudFlare.
Wait 60 seconds.
Go to the Plesk window again and press Continue. The new SSL cert will work now.
Go to CloudFlare and turn the cloud icon on again for the @ and www records.
Remember that SSL Mode on CloudFlare must be strict.
You must do this every three months.
In addition to changing Cloudflare SSL to Full (Strict) I had to turn off DNS Proxies.
If you have Cloudflare you must disable the proxy before generating a new SSL.
Just ran into this issue today and discovered the response above from Marcos. That's the exact solution needed. It seems that in the proxy process through Cloudflare, the @ (domain.ext) and www, the use of IPv6 is operating. Turn off the proxy on those and retry with Plesk. Then once the SSL is issued, re-enable.