Articles in this section

See more

Unable to issue Let's Encrypt certificate in Plesk for a domain inside a Docker container: Invalid response from example.com, 403 Unauthorized

Avatar
Julian Bonpland Mignaquy
Updated
Follow

Applicable to:

  • Plesk Onyx for Linux

Symptoms

  • Domain example.com has a Proxy rule for a Docker application configured in Domains > example.com > Docker Proxy Rules

  • On attempt to install Let's Encrypt certificate in Domains > example.com > Let's Encrypt > Install the following error is shown in Plesk:

    PLESK_ERROR: The authorization token is not available at https://example.com/.well-known/acme-challenge/39lkQPqRlUmgdiFIv7cVDOYa_wHqqulMjM-Mk3CLwh4.
    To resolve the issue, make it is possible to download the token file via the above URL.
    See the related Knowledge Base article for details.
    Details
    Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/abcdefgijkmnopqrtuvwxyz.
    Details:
    Type: urn:acme:error:unauthorized
    Status: 403
    Detail: Invalid response from http://example.com/.well-known/acme-challenge/39lkQPqRlUmgdiFIv7cVDOYa_wHqqulMjM-Mk3CLwh4: "<!DOCTYPE html>

Cause

This is a bug in Let's Encrypt extension with ID EXTLETSENC-11. Let's Encrypt authorization requests are proxied inside to the Docker container.

Resolution

As a workaround:

  1. Log in to Plesk GUI.

  2. Go to Domains > example.com > Apache & nginx Settings >Disable Proxy Mode > OK.

  3. Go to Domains > example.com > Docker Proxy Rules > Configure Docker Proxy rule according to the port used by the Docker container > OK.

  4. Go to Domains > example.com > Apache & nginx Settings.

  5. Add the following directives in Additional nginx directives:

    CONFIG_TEXT: location ^~ /.well-known/ {}

  6. Click OK.

  7. Issue the Let's Encrypt certificate again.

Additional information

Unable to install Let's Encrypt SSL on a domain with multiple IPs: 403 Invalid response from

Comments

11 comments

Sort by Date Votes
  • Avatar
    Elias Soares
    While plesk team don't fix the issue, that's the workarround
     
    Find this block on your domain's generated config file (somewhere inside /etc/nginx/plesk.conf.d/)
     
            #extension letsencrypt begin
            location /.well-known/acme-challenge/ {
                    root /var/www/vhosts/default/htdocs;
                    types { }
                    default_type text/plain;
                    satisfy any;
                    auth_basic off;
                    allow all;
                    location ~ ^/\.well-known/acme-challenge.*/\. {
                            deny all;
                    }
            }
            #extension letsencrypt end
     
    Changing the location line to this fixes the issue:
     
            location ^~ /.well-known/acme-challenge/ {
     
    Then if you guys want to fix it, just update this template in letsencrypt extension.
     
    0
    Permalink
  • Avatar
    Alexandr Redikultsev

    Hello, @Elias Soares!

    Thank you very much for your effort and input.

    As our development team informed you in scope of the ticket you submitted, the issue should be already fixed by now.

    In case it is not true for you, do not hesitate to contact us back in scope of the ticket.

    -2
    Permalink
  • Avatar
    Stefan Bättig

    Hello Alexander

    The issue is not resolved in the version 17.8.11.

    The workarround with the additonal nginx-directive doesn't work: it gives still the error message "The authorization token is not available ...."

    But the solution from @Elias worked, but the the conf-files should not be modifed, and the changes go lost, after the files would be generated.

    0
    Permalink
  • Avatar
    Sebastian Thomas

    You also need to make sure Proxymode is unchecked under Domains > example.com > Apache & nginx Settings

    0
    Permalink
  • Avatar
    Alexandr Redikultsev

    Hi @Stefan Bättig,

    I have just double-checked that thoroughly: you are right, it appears that common directory rewrite rules for nginx are conflicting in case proxy mode is enabled, so the bug is indeed actual.

    I let our development team know about that, so hopefully it will be fixed soon!

     

    Dear @Sebastian Thomas,

    Thank you very much for the input, indeed: with disabled proxy mode it is working out of the box.

    0
    Permalink
  • Avatar
    Unknown User

    I try those workaround, but it's not working on my server.

    The best way I find to do this is to remove the docker proxy rule from "/", renew certificate and create a new proxy rule.
    Maybe plesk team have to set a rule somewhere on the proxy system to not proxy  ".well-know"

    0
    Permalink
  • Avatar
    Ivan Postnikov

    Hello @Jérémy,

    Thank you for sharing your user experience.

    After the bug will be resolved, the article will be updated with the corresponding information.

    > I try those workaround, but it's not working on my server.

    There is a possibility that there may be some difference on your server.
    I can suggest submitting a ticket to us or to our partner depending on where Plesk license was purchased from.

    0
    Permalink
  • Avatar
    Stefan Hamann (Edited )

    Hab das gleiche problem seit ca 1 Woche, irged so ein Pleskupdate hat da was verbockt.

    hab halt leider ein Certifikat kaufen müssen! leider.

    letzter zeit werden die fehler von Plek, sehr problematisch.(Stundenfresse)

     

    Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/5ucPKjjgqvUyciFXfT4I8l0ewjoSkZPeIiS0VeM75o8.

       Details:

       Type: urn:acme:error:connection

       Status: 400

       Detail: Fetching https://www.isdh.de/.well-known/acme-challenge/LCurvOkVC5Wy__aOev22QoOLChGFzHA6DfatVGLVDJ0: Timeout during connect (likely firewall problem)

     

    The following Let's Encrypt certificates have been renewed without some of their Subject Alternative Names:

    0
    Permalink
  • Avatar
    Ivan Postnikov

    Hello @Stefan,

    Thank you for the feedback.

    The following article is devoted to this error: https://support.plesk.com/hc/en-us/articles/115003199234-Unable-to-install-Let-s-Encrypt-certificate-Timeout-during-connect-likely-firewall-problem-OR-Error-getting-validation-data-

    Please, try the solution from the article above.

    In case this would not help, I would recommend submitting a support request to Plesk directly (if license key was bought directly from us) or to one of our partners (if license key was bought from them): https://support.plesk.com/hc/en-us/articles/213608509-How-to-submit-a-request-to-Plesk-support-

    0
    Permalink
  • Avatar
    Stefan Bättig

    Hello @Alexandr and @Ivan

    Are there any new news or when will the bug be fixed?

     

    The workarround doesn't work:

    I turned off proxy mode.
    And of course I created the proxy rule, this is the real reason why the certificate can't be renewed.

    Still get the message "The authorization token is not available at...".
    We now have version: 17.8.11. #46

    Thank you

     

    0
    Permalink
  • Avatar
    Ivan Postnikov

    Hello @Stefan,

    The bug is fixed in upcoming extension version 2.8.0.

    The ETA, for now, is the beginning of the 2nd quarter.

    In case the issue will persist after the extension update, consider submitting a request for Plesk Support.

    0
    Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles