- Plesk Onyx for Linux
- Plesk Onyx for Windows
Note: This article refers to an issue for which a fix is available:
- #EXTLETSENC-571 "The “Keep websites secured” option no longer unnecessarily reissues certificates trying to secure SANs
(subdomains, domain aliases, or webmail) that do not exist or cannot pass HTTP challenge. “Keep websites secured” now
checks if there are available SANs that can be secured and only then issues a certificate to secure them."
- Let’s Encrypt 2.8.0 28 May 2019
- The following error message appears in the Plesk interface:
PLESK_ERROR: ERR [extension/letsencrypt] Domain validation failed for www.example.com: Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/***. Details: Type: urn:acme:error:dns Status: 400 Detail: DNS problem: NXDOMAIN looking up A for www.example.com
- The administrator receives an email with the following content:
CONFIG_TEXT: Could not secure domains of example.com (login example.com) with Let's Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:
The following domains have been secured without some of their Subject Alternative Names:
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/Rkk0NW8e6gzIjOdQ7i83fVi03dSI_b0-41zYx2CnlWw.
Detail: DNS problem: NXDOMAIN looking up A for www.example.com
- There is no DNS www record in Domains > example.com > DNS Settings;
- The domain name with the www prefix does not resolve:
# dig +short www.example.com
- The domain without the www prefix is successfully secured:
# curl --verbose -k https://example.com/ 2>&1 |grep -E "Connected to|subject|start|expire|common name|issuer"
Connected to example.com (203.0.113.2) port 443 (#0)
start date: Dec 10 10:18:06 2018 GMT
expire date: Mar 10 10:18:06 2019 GMT
common name: example.com
issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
- The option Keep website secured with free SSL certificate is enabled in Service Plans > Service Plan Name > Additional Services or in Subscriptions > example.com > Customize > Additional Services
The Keep-secured task, which the Let's Encrypt extension uses to renew certificates, tries to reissue the certificate for a domain without the www prefix.
This behavior is caused by the Let's Encrypt extension bug with ID #EXTLETSENC-571, which is planned to be fixed in future product updates.
Apply one of the following workarounds:
- Log in to Plesk;
Create a CNAME www record for the domain at Domains > example.com > DNS Settings:
Disable the Keep websites secured with free SSL Certificate feature for a subscription or its Service plan:
Set Let's Encrypt to None at Subscriptions > example.com > Customize > Additional Services or in Service Plans > Service Plan Name > Additional Services.
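To see in advance which names would fail with the NXDOMAIN error shown above, the `dig +short` check can be run over every name the certificate is meant to cover. The script below is an added example, not part of the original article or of the Let's Encrypt extension; `check_sans`, `unresolved_sans` and `RESOLVE_CMD` are names made up for it, and it checks A records only, matching the "looking up A" error.

```shell
#!/bin/sh
# Added example: pre-flight DNS check of the names a certificate would cover.
# check_sans, unresolved_sans and RESOLVE_CMD are hypothetical names.
# RESOLVE_CMD must print one address per line, as `dig +short` does.
RESOLVE_CMD="${RESOLVE_CMD:-dig +short}"

# Print "OK <name>" or "UNRESOLVED <name>" for every name given.
check_sans() {
    for name in "$@"; do
        # Require at least one IPv4 address line in the answer. Testing for
        # "non-empty output" is not enough: `dig +short` prints only the
        # target for a CNAME that points nowhere, and prints a ";; ..."
        # diagnostic line when no DNS server can be reached.
        if $RESOLVE_CMD "$name" 2>/dev/null | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
            echo "OK $name"
        else
            echo "UNRESOLVED $name"
        fi
    done
}

# Print only the names that have no A record and would fail validation.
unresolved_sans() {
    check_sans "$@" | awk '$1 == "UNRESOLVED" { print $2 }'
}

# Usage: sh check_sans.sh example.com www.example.com webmail.example.com
if [ "$#" -gt 0 ]; then
    check_sans "$@"
fi
```

Names reported as UNRESOLVED are the ones that need a DNS record, for example the CNAME www record from the first workaround, before a certificate covering them can be issued.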