Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
Issuing a wildcard Let's Encrypt certificate in Plesk in Domains > example.com > SSL/TLS Certificates > Install fails:
Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/zEHPSbB4eUyIomzu9qynFouNGrIgiUlJZ755z_Kx4kY.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com
Cause
The TXT DNS record for the hostname _acme-challenge.example.com, which Let's Encrypt queries to validate the DNS-01 challenge used for wildcard certificates, is not available globally:
# nslookup -type=TXT _acme-challenge.example.com
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find _acme-challenge.example.com: NXDOMAIN
Resolution
1. Start issuing a new wildcard Let's Encrypt certificate in Domains > example.com > SSL/TLS Certificates > Install. A notification screen with the required TXT record will appear.
2. Proceed according to where the domain's DNS zone is hosted:

If the DNS zone of the domain is hosted on the Plesk server:
1. Wait until DNS propagation is complete and the required TXT record for the hostname _acme-challenge.example.com is available globally. The availability of this record can be checked with resources such as https://dnschecker.org/.
2. Press the Reload button in the notification screen.

If the DNS zone of the domain is hosted on external DNS hosting:
1. On the external DNS hosting, add the TXT record for the hostname _acme-challenge.example.com (or just for _acme-challenge on some DNS providers) using the value from the notification screen.
2. Wait until DNS propagation is complete and the required TXT record for the hostname _acme-challenge.example.com is available globally. The availability of this record can be checked with resources such as https://dnschecker.org/.
3. Press the Reload button in the notification screen.
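The "wait until the record is available globally" step is the one that is easy to get wrong: a single resolver answering correctly does not mean Let's Encrypt's validation servers will see the record. The script below is an added example (not part of this article or of Plesk) that runs the same nslookup query as in the Cause section against several public resolvers and reports, per resolver, whether the _acme-challenge TXT record is missing (NXDOMAIN or no TXT data), stale (an old value is still cached) or correct. The resolver list, the token values and the embedded nslookup transcripts are constructed for the demonstration; the value to pass as expected is the one shown in the Plesk notification screen.

```python
"""Check that the DNS-01 TXT record for _acme-challenge.<domain> is visible
on several public resolvers before pressing Reload in Plesk.

Added example, not Plesk code. Works with the nslookup output format of both
Linux and Windows (Windows prints the TXT value on the line after "text =").
"""
from __future__ import annotations

import re
import subprocess

# Constructed list of public resolvers to query; adjust as needed.
PUBLIC_RESOLVERS = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]

NXDOMAIN_RE = re.compile(r"can't find .*: NXDOMAIN", re.IGNORECASE)
# Matches: name  text = "value"   (Linux)   and   text =\n\n\t"value"   (Windows)
TXT_RE = re.compile(r'text\s*=\s*"((?:[^"\\]|\\.)*)"')


def parse_nslookup_txt(output: str) -> list[str]:
    """Return the TXT strings found in `nslookup -type=TXT` output.
    An NXDOMAIN answer, or an answer without TXT data, yields an empty list."""
    if NXDOMAIN_RE.search(output):
        return []
    return [m.group(1).replace('\\"', '"') for m in TXT_RE.finditer(output)]


def nslookup_txt(name: str, server: str) -> str:
    """Run nslookup against one resolver and return its raw output.
    nslookup prints NXDOMAIN on stdout or stderr depending on platform,
    so both streams are returned."""
    proc = subprocess.run(["nslookup", "-type=TXT", name, server],
                          capture_output=True, text=True, timeout=15)
    return proc.stdout + proc.stderr


def check_propagation(name: str, expected: str, resolvers=PUBLIC_RESOLVERS,
                      lookup=nslookup_txt) -> dict[str, str]:
    """Query every resolver and return {resolver: status} where status is
    'ok' (expected value present), 'stale' (TXT present, but not the expected
    value; typically an old challenge still cached) or 'missing'."""
    report = {}
    for server in resolvers:
        values = parse_nslookup_txt(lookup(name, server))
        if expected in values:
            report[server] = "ok"
        elif values:
            report[server] = "stale"
        else:
            report[server] = "missing"
    return report


def fully_propagated(report: dict[str, str]) -> bool:
    """True only when every queried resolver returns the expected value."""
    return bool(report) and all(status == "ok" for status in report.values())


# Constructed nslookup transcripts, modelled on the one in the Cause section,
# so the script can be demonstrated offline. Token values are placeholders.
SAMPLE_OUTPUTS = {
    "8.8.8.8": ("Server:\t\t8.8.8.8\nAddress:\t8.8.8.8#53\n\n"
                "** server can't find _acme-challenge.example.com: NXDOMAIN\n"),
    "1.1.1.1": ("Server:\t\t1.1.1.1\nAddress:\t1.1.1.1#53\n\n"
                "Non-authoritative answer:\n"
                '_acme-challenge.example.com\ttext = "EXAMPLE_OLD_TOKEN"\n'),
    "9.9.9.9": ("Server:\t\t9.9.9.9\nAddress:\t9.9.9.9#53\n\n"
                "Non-authoritative answer:\n"
                '_acme-challenge.example.com\ttext =\n\n\t"EXAMPLE_EXPECTED_TOKEN"\n'),
}


def sample_lookup(name: str, server: str) -> str:
    """Offline stand-in for nslookup_txt that returns the constructed transcripts."""
    return SAMPLE_OUTPUTS[server]


if __name__ == "__main__":
    # Offline demonstration; replace lookup=sample_lookup with the default
    # to query the real resolvers for your own domain and challenge value.
    result = check_propagation("_acme-challenge.example.com",
                               "EXAMPLE_EXPECTED_TOKEN", lookup=sample_lookup)
    for server, status in result.items():
        print(f"{server}: {status}")
    print("safe to press Reload" if fully_propagated(result)
          else "not yet propagated everywhere; keep waiting")
```

Run it with the real lookup only once the record has been added; a "stale" result on an external provider usually means the previous challenge value is still being served and the record was updated rather than propagated. Only press Reload when every resolver reports "ok".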
Comments
Having to specify the TXT content on the external Name Server each time a renew is required is absolutely impossible, too long, so not a solution.
We definitely NEED an option in Plesk Obsidian Windows to be able to choose if:
- Option A: Plesk Let's Encrypt extension will use the method of adding a TXT record in the Plesk DNS Zone
- Option B: Plesk Let's Encrypt extension will use the method of creating a /.well-known/ file under the domain root. This option will be useful for all the people not using Plesk as their Name Server.
@Alex Laforge As I can see it was figured out in the ticket.
Yes, your technical support solved the situation. In fact, for those who come to this page, you must know that, to issue certificates, Let's Encrypt servers use two types of challenges:
More information is available at this page: https://letsencrypt.org/docs/challenge-types/
I wish that this information would be more clearly displayed inside Plesk, or on the SSL-related Plesk Documentation pages.
I wish I could use the DNS-01 but my forwarded domain still wants to use http-01 (without success) even if I want a wildcard.
Vote for it!
Even if you choose wildcard it also tries to get the challenge via http, which doesn't work for domains which have a different A-Record.
There should be an option to choose between. In the past wildcards were provided via DNS, but it seems to have changed.