Applicable to:
- Plesk for Windows
Symptoms
- The error message below is displayed in Plesk:
Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com.
Your domain in Plesk is hosted on the IP address(es): 192.0.2.2, but the DNS challenge used another IP address: 203.0.113.2.
Please check the actual DNS zone of your domain and make sure that the IP addresses in the DNS zone and for the hosting are the same.
Details
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/OEofztjJ9J4x--3NdcOtTo1BDodU_Jk_Gr5TVylpocU.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Detail: Invalid response from http://example.com/.well-known/acme-challenge/BUNauAAArS-smNRVLcbD1pVk1p1xu2bWnukKoen4U23: "404 Not Found<br>The requested Url (https://www.example.com/.well-known/acme-challenge/BUNauAAArS-smNRVLcbD1pVk1p1xu2bWnukKoen4U23"
- Accessing the URL http://example.com/.well-known/acme-challenge/BUNauAAArS-smNRVLcbD1pVk1p1xu2bWnukKoen4U23 in any browser leads to the error:
404 Not Found
The requested Url (https://www.example.com/.well-known/acme-challenge/BUNauAAArS-smNRVLcbD1pVk1p1xu2bWnukKoen4U23) does not return any valid content.
- The website runs on IIS with ASP.NET Core.
Cause
Product issue:
- #EXTLETSENC-653 "Improved the error message shown when there is an attempt to issue a Let’s Encrypt certificate for a website that cannot pass HTTP challenge."
Fixed in:
- Let’s Encrypt 2.8.0, 28 May 2019
Resolution
Workaround
In order to issue a Let's Encrypt certificate, follow one of the two procedures below (over RDP, or through the Plesk File Manager).
Via RDP:
- Connect to the server via RDP.
- Create the file web.config in C:\Inetpub\vhosts\example.com\httpdocs\.well-known\acme-challenge with the content below:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpRedirect enabled="false" />
        <validation validateIntegratedModeConfiguration="false" />
        <staticContent>
            <clear />
            <mimeMap fileExtension="." mimeType="text/json" />
        </staticContent>
        <handlers>
            <clear />
            <add name="StaticFile" path="*" verb="GET" modules="StaticFileModule" resourceType="Either" />
        </handlers>
    </system.webServer>
</configuration>
This makes IIS serve the files in this directory as static content and disables redirection for them: clearing the handlers keeps the ASP.NET Core application from intercepting the challenge requests, the mimeMap for the "." extension lets IIS return the extensionless token files, and httpRedirect="false" stops the request from being sent on to https://www.example.com, where it produced the 404 shown in the symptoms.
Via the Plesk File Manager:
- Go to Domains > example.com > File Manager.
- Navigate to .well-known > acme-challenge.
- Edit (or create, if it does not exist) the file web.config and add the content below:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpRedirect enabled="false" />
        <validation validateIntegratedModeConfiguration="false" />
        <staticContent>
            <clear />
            <mimeMap fileExtension="." mimeType="text/json" />
        </staticContent>
        <handlers>
            <clear />
            <add name="StaticFile" path="*" verb="GET" modules="StaticFileModule" resourceType="Either" />
        </handlers>
    </system.webServer>
</configuration>
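Before re-issuing the certificate it is worth confirming that IIS now answers the challenge path the way the ACME validator expects: HTTP 200 over plain HTTP, with the file body returned unchanged and no redirect. The script below is an added self-test written for this article; it is not part of the Plesk knowledge base or of the Let's Encrypt extension. It writes a throw-away extensionless token file into the acme-challenge directory, fetches it with redirects disabled, and removes the file again. The domain name, the document root path and the token name are placeholders or constructed values; adjust the first two to the site in Plesk.

```powershell
<#
  Added example (not from the Plesk KB article): self-test for the HTTP-01
  challenge path. $Domain and $DocRoot are placeholders; the Plesk vhost
  layout C:\Inetpub\vhosts\<domain>\httpdocs is the one the article uses.
#>
param(
    [string]$Domain  = 'example.com',
    [string]$DocRoot = 'C:\Inetpub\vhosts\example.com\httpdocs'
)

$challengeDir = Join-Path $DocRoot '.well-known\acme-challenge'
# Constructed token: an extensionless file name, as a real ACME token would be.
$token   = 'selftest-' + [guid]::NewGuid().ToString('N')
$payload = "http-01-selftest-$token"
$file    = Join-Path $challengeDir $token
$url     = "http://$Domain/.well-known/acme-challenge/$token"

New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null
Set-Content -Path $file -Value $payload -NoNewline -Encoding ascii

try {
    $status = $null
    $body   = ''
    try {
        # -MaximumRedirection 0: a 301/302 must not be followed silently. The
        # validator would otherwise be sent to https://www... and see the 404.
        $resp   = Invoke-WebRequest -Uri $url -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        $status = [int]$resp.StatusCode
        $body   = "$($resp.Content)"
    } catch {
        # Windows PowerShell (WebException) and PowerShell 7 (HttpResponseException)
        # both expose the server's answer on .Response when one was received.
        $r = $_.Exception.Response
        if ($null -eq $r) { throw }   # DNS or connection failure: no HTTP answer at all
        $status = [int]$r.StatusCode
    }

    if ($status -eq 200 -and $body.Trim() -eq $payload) {
        Write-Output "OK: $url returned HTTP 200 with the token body; the HTTP challenge can pass."
    } elseif ($status -eq 200) {
        Write-Output "FAIL: $url returned HTTP 200 but not the token body; another handler or the application is answering this path."
    } elseif ($status -ge 300 -and $status -lt 400) {
        Write-Output "FAIL: $url answered HTTP $status (redirect); check httpRedirect in the acme-challenge web.config."
    } else {
        Write-Output "FAIL: $url answered HTTP $status (expected 200); check the handlers and staticContent settings in web.config."
    }
} finally {
    # Never leave the test file behind in a publicly served directory.
    Remove-Item -Path $file -Force -ErrorAction SilentlyContinue
}
```

Run it on the Plesk server over RDP after creating the web.config above, for example `.\Test-AcmeChallenge.ps1 -Domain example.com -DocRoot 'C:\Inetpub\vhosts\example.com\httpdocs'`. Because the request goes to whatever IP address the domain name resolves to, a FAIL on a server that is correctly configured points at the DNS mismatch described in the first symptom (the domain resolving to a different host) rather than at IIS.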
Comments
I have the websites hosted on another server, and webmail.example.com can't be secured because Plesk can't issue the SSL certificate, as the website is not hosted on the same server. Why doesn't Plesk automatically try the DNS challenge instead of using the website to identify the domain in question, so that we can still secure the webmail and SMTP services? Can you help?
Hello Fouad Ahmed Fouad
Thank you for sharing your user experience.
This approach was the one used by Let's Encrypt. The DNS challenge was added only with the introduction of wildcard certificates by Let's Encrypt, not long ago.
Consider creating a feature suggestion at Plesk user-voice.
Hello, I am getting the following email:
The following domains have been secured without some of their Subject Alternative Names:
<none>
Could not renew Let`s Encrypt certificates for t (login tdlinksc). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let`s Encrypt certificates has failed:
* 'Lets Encrypt tdlinks.co.uk' [days to expire: 16]
[-] *.tdlinks.co.uk
[-] tdlinks.co.uk
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/10544354248.
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Invalid response from http://tdlinks.co.uk/.well-known/acme-challenge/wgV9kmKBb00GWN09xnTV6KOc5G2xE5e-i3rLGf9Zi40 [23.227.38.65]: 404
The following Let`s Encrypt certificates have been renewed without some of their Subject Alternative Names:
What should I do?