Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
A Let's Encrypt certificate cannot be issued for a domain in Plesk. The process fails with the following error message:
Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com
The example.com DNS zone contains an AAAA record, but the domain is not assigned an IPv6 address in Plesk.
To resolve the issue, either assign an IPv6 address to example.com ("Websites & Domains" > "Web Hosting Access") or remove the AAAA record from the example.com DNS zone.
See the related Knowledge Base article for details.
Details
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/qxK-vAPtGYg3YOSEcgZNB7HBd-unn4oX3GLtZWSxVPA.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Cause
The domain resolves to an IPv6 address, but the domain is not assigned an IPv6 address in Plesk:
# dig @8.8.8.8 +short -t AAAA example.com
2001:db8:f61:a1ff:0:0:0:80
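The comparison behind this cause, as an added Python example that is not part of the original article: it parses `dig +short -t AAAA` output and reports any published AAAA address that is missing from the addresses assigned to the domain, comparing normalized values so that `0:0:0:80` and `::80` match. The function names and the assigned-address lists are assumptions made for illustration; only the dig answer comes from the page.

```python
import ipaddress

def parse_dig_short(output):
    """IPv6 addresses from `dig +short -t AAAA` output; CNAME lines are skipped."""
    found = []
    for line in output.splitlines():
        try:
            addr = ipaddress.ip_address(line.strip())
        except ValueError:
            continue  # blank line or a CNAME target such as "host.example.net."
        if addr.version == 6:
            found.append(addr)
    return found

def unassigned_aaaa(dig_output, assigned):
    """AAAA addresses published in DNS that are not assigned to the domain."""
    assigned_set = set()
    for text in assigned:
        # Accept "addr/prefix" and "addr%zone" as printed by interface listings.
        assigned_set.add(ipaddress.ip_address(text.split("/")[0].split("%")[0]))
    return [a for a in parse_dig_short(dig_output) if a not in assigned_set]

# The dig answer shown above; the assigned lists are constructed sample values.
DIG_OUTPUT = "2001:db8:f61:a1ff:0:0:0:80\n"
ASSIGNED_V4_ONLY = ["203.0.113.10"]
ASSIGNED_DUAL = ["203.0.113.10", "2001:db8:f61:a1ff::80/64"]

if __name__ == "__main__":
    for label, assigned in (("IPv4 only", ASSIGNED_V4_ONLY), ("dual stack", ASSIGNED_DUAL)):
        missing = unassigned_aaaa(DIG_OUTPUT, assigned)
        print(label, "->", [str(a) for a in missing] or "AAAA matches an assigned address")
```

A non-empty result corresponds to the situation described in the error message: the DNS zone publishes an AAAA record for an address the domain does not have.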
Resolution
Use one of the following two options.
Option 1: remove the AAAA record
- Log in to Plesk
- Go to Domains > example.com > DNS Settings and remove the AAAA record
Option 2: assign an IPv6 address to the domain
- Log in to Plesk
- Go to Domains > example.com > Web Hosting Access and assign an IPv6 address to the domain.
Note: The IPv6 address should exist on the network interface and in Tools & Settings > IP Addresses
Comments
8 comments
If you're securing your domains with Cloudflare the problem can also be caused by the configuration of SSL at Cloudflare.
Turn on "Full" instead of "Full (Strict)" mode, secure your domain and re-enable "Full (Strict)" after the issuing worked well.
Always getting this; the Cloudflare fix above fixed it. Thanks.
Thanks, Tino Korth | DrehPunkt GmbH solved my problem. It was exactly this configuration that was missing.
Thanks Tino Korth | DrehPunkt GmbH. I spent several hours doing this, I even removed the bind service from the server, thanks a lot for this.
For me, the problem was very different. I had the same error as above and I'm also using Cloudflare. But the problem was that I was "challenging" all foreign traffic with a JS challenge by using firewall rules. Making an exception for URIs that contain ".well-known/acme-challenge" is the solution in this case. It has nothing to do with DNS, IPv6 or AAAA records.
I've got the same problem, but IPv6 IS assigned in webhosting access and to server (and it's also pingable). I'm lost how to fix this. I don't want to remove the AAAA Record, because it's correct.
Above fix for Cloudflare didn't work for me. My SSL setting is already "Full" and not "Full (Strict)". I had to pause Cloudflare on site for a second or two, until the Let's Encrypt verification ends.
A note on what @Omer Sabic suggests: His solution is pretty better than mine but it is worth noting that it may help malicious requests to bypass the Cloudflare JS challenge. You better create the rule with "URI equals" rather than "URI contains". Use this path to set this rule: "/.well-known/acme-challenge/"
I'm getting this failure message but when I go in to records I don't have any listed as AAAA - what should I do next?
(Just to add, I have tried assigning an IPv6 to the domain but there is no option to do this under Web hosting access)
(yes I'm very new to this, thanks for your help!)