Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
- Issuing or renewing a Let's Encrypt certificate fails with an error similar to the following:
  PLESK_ERROR: DNS zone contains an AAAA record, but the domain is not assigned an IPv6 address in Plesk.
- The affected domain is using Cloudflare nameservers.
- The affected domain does not have an IPv6 address assigned in Plesk > Domains > example.com > Hosting & DNS > Hosting > IP addresses, because no IPv6 address is assigned to the server at all at Plesk > Tools & Settings > IP addresses.
- An IPv6 address is nevertheless resolved when checking the site:
  # dig AAAA example.com +short
  2606:4700:3037::6818:70ce
  2606:4700:3031::6818:71ce
Cause
The SSL/TLS encryption mode for the domain on the Cloudflare side is set to something other than Full (strict), and this causes the Let's Encrypt validation process to fail, which is expected.
For things to work properly, the SSL/TLS encryption mode for any domain that uses Cloudflare nameservers should always be set to Full (strict) when its website content resides on a Plesk server, because that way only the certificate that is installed on the Plesk server is used.
This is a confirmed point for improvement with ID #EXTSSLIT-2120.
Progress related to it can be tracked via the Change Log for Plesk Obsidian.
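The symptom above (AAAA records resolve for the domain although the Plesk server has no IPv6 address) can be checked from the shell before touching any Cloudflare settings. The script below is an added example, not part of the Plesk article and not a Plesk tool: it compares the AAAA answers that public DNS returns for a domain with the global IPv6 addresses configured on the server, and flags answers that fall in a Cloudflare prefix (2606:4700::/32 is the range seen in the article's dig output; 2400:cb00::/32 is another published Cloudflare range; the complete list is at https://www.cloudflare.com/ips/). The sample answers, the server address 2001:db8::10 and the verdict words are constructed for this example.

```shell
#!/bin/sh
# Added diagnostic (not from the Plesk KB article): compare the AAAA records
# published for a domain with the IPv6 addresses actually present on this
# server, and recognise Cloudflare-proxied answers.

# Cloudflare IPv6 prefixes checked here (subset; see https://www.cloudflare.com/ips/).
CLOUDFLARE_V6_PREFIXES="2606:4700: 2400:cb00:"

# Returns 0 if the address starts with one of the known Cloudflare prefixes.
is_cloudflare_v6() {
  addr=$1
  for p in $CLOUDFLARE_V6_PREFIXES; do
    case "$addr" in
      "$p"*) return 0 ;;
    esac
  done
  return 1
}

# $1: whitespace-separated AAAA answers, $2: the server's own global IPv6 addresses.
# Prints one verdict word:
#   no-aaaa            nothing published, Plesk should not complain
#   ok                 every published address is configured on this server
#   cloudflare-proxied published addresses belong to Cloudflare (the KB symptom)
#   foreign-aaaa       published addresses are neither local nor Cloudflare
# Returns 0 only for the clean cases (no-aaaa, ok).
classify_aaaa() {
  answers=$1
  local_v6=$2
  if [ -z "$answers" ]; then
    echo "no-aaaa"
    return 0
  fi
  status=ok
  for a in $answers; do
    # Exact, fixed-string match against the local address list.
    if echo "$local_v6" | grep -qxF "$a"; then
      continue
    fi
    if is_cloudflare_v6 "$a"; then
      status=cloudflare-proxied
    elif [ "$status" = ok ]; then
      status=foreign-aaaa
    fi
  done
  echo "$status"
  [ "$status" = ok ]
}

# Live check for a real domain (needs dig and iproute2; not used by the offline sample).
check_domain() {
  domain=$1
  # +short may print a CNAME target first (ends with a dot); keep only addresses.
  answers=$(dig AAAA "$domain" +short | grep -v '\.$')
  local_v6=$(ip -6 -o addr show scope global 2>/dev/null | awk '{print $4}' | cut -d/ -f1)
  classify_aaaa "$answers" "$local_v6"
}

# Constructed sample reproducing the article's symptom: the DNS answers are the
# two Cloudflare addresses from the KB's dig output, while the server only has a
# documentation-range address (RFC 3849) that is not published anywhere.
SAMPLE_ANSWERS="2606:4700:3037::6818:70ce
2606:4700:3031::6818:71ce"
SAMPLE_LOCAL="2001:db8::10"

echo "sample verdict: $(classify_aaaa "$SAMPLE_ANSWERS" "$SAMPLE_LOCAL")"
```

Run `check_domain example.com` on the Plesk server itself: a `cloudflare-proxied` verdict means the orange-cloud proxy is publishing Cloudflare's own AAAA records for a host that has no IPv6 in Plesk, which is exactly the configuration the error message describes.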
Resolution
To resolve the error, change the SSL mode for the domain on the Cloudflare side by following these steps:
1. Log into your Cloudflare.com account.
2. Go to example.com > SSL/TLS and change the SSL mode to Full (strict).
- As an alternative, you can disable Permanent SEO-safe 301 redirect from HTTP to HTTPS at Domains > example.com > Hosting & DNS > Hosting.
- If the above solution did not work, the customer might have a high-level protection mode enabled in Cloudflare, such as Under Attack mode.
It may be worth checking this article:
Comments
4 comments
Ditto… changing to Full (strict) does not change the outcome - still failing with:
There are no AAAA records listed in the DNS configuration with Cloudflare, but they do resolve.
It is also not possible to disable IPv6 with Cloudflare in the meantime.
I am on Full (Strict) for over a year without any problem, but the latest renewals keep failing.
Also the same issue, and enabling strict mode does not solve it (it shouldn't matter anyway because it's not in proxy mode). I also do have an IPv6 address assigned to the domain in Plesk, so I really don't understand why there is this error.
Even deleting the AAAA record in cloudflare does not solve the issue
Okay, it turns out that this error message is just bugged and appears no matter what the real underlying error is, which is very misleading.
To get the error from Let's Encrypt you need to click on “+ details” on that error message.
The AAAA DNS record error is because, remember, you may not have the AAAA record in your DNS, but CF does in the SOA zone.
If you want to generate a free Let's Encrypt SSL certificate in Plesk but the domain's SOA is on CloudFlare, the solution is to temporarily disable the proxy on the @ and www records by turning off the cloud icon.
Wait 60 seconds (TTL).
Go to Plesk and generate the Let's Encrypt certificate; Plesk will then show you the acme-challenge value for DNS. Copy and paste it to apply the new value in CloudFlare.
Wait 60 seconds.
Go to the Plesk window again and press Continue. The new SSL certificate will work now.
Go to CloudFlare and turn the cloud icon on again for the @ and www records.
Remember that the SSL mode on CloudFlare must be strict.
You must do this every three months.