English (US) 日本語
Submit a request

Technical question Licensing question
Sign in

Unable to activate or update the Comodo rule-set in Plesk ModSecurity: Error interacting with https://waf.comodo.com/doc/meta_comodo_apache.yaml: <urlopen error [Errno 113] No route to host>
[FIXED BUG] mod_rewrite stopped working. All pages on WordPress sites show 404
ModSecurity ruleset update error in Plesk installed on Debian-based OS (Debian, Ubuntu): "modsecurity_ctl failed: modsecurity_ctl: unrecognized option '--apache'"
WordPress functionality is broken in Plesk after changing domain PHP version to 8.0: Uncaught TypeError: implode(): Argument #2 ($array) must be of type ?array,
Can't login to Wordpress from Plesk dashboard
Websites hosted on a Plesk server with Imunify360 are intermittently unavailable: Error establishing a database connection
How to install Magento for a domain in Plesk
The Plesk Email Security dashboard keeps loading, or statistics are not updated
Mail stuck in queue when Plesk Email Security installed on SELinux enforced server
Cannot change Node.js application root in Plesk: Class 'CommonPanel_Validate_FileSharing_FolderName' not found

See more

Cannot issue wildcard Let's Encrypt certificate in Plesk: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com

Taras Ermoshin

Updated January 14, 2021 11:54

Plesk for Windows Plesk for Linux kb: technical ext: le ABT: Group A

Applicable to:

Plesk for Linux
Plesk for Windows

Symptoms

Issuing a wildcard Let's Encrypt certificate in Plesk in Domains > example.com > Let's Encrypt (or in Domains > example.com > SSL/TLS Certificates if the extension SSL It! is installed) fails with the error:

PLESK_ERROR: Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/zEHPSbB4eUyIomzu9qynFouNGrIgiUlJZ755z_Kx4kY.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com
The TXT DNS record for the hostname _acme-challenge.example.com is not available globally:

# nslookup -type=TXT _acme-challenge.example.com
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find _acme-challenge.example.com: NXDOMAIN
The same DNS record is present in Plesk in Domains > example.com > DNS Settings and is returned by Plesk's DNS server:

# nslookup -type=TXT _acme-challenge.example.com example.com
Server: example.com
Address: 203.0.113.2#53

_acme-challenge.example.com text = "yFHaUBDo0THtVyjdmtwmJkgEAmPDemtITjpftHrN9Wg"

Cause

The TXT DNS record for the hostname _acme-challenge.example.com is not available globally.

Resolution

DNS zone of the domain is hosted on the Plesk server

Wait until the DNS propagation is completed and the required record is available globally. The propagation can take up to 72 hours. Check of the record's availability can be done on resources like https://dnschecker.org/.
Issue Let's Encrypt certificate again in Plesk in Domains > example.com > Let's Encrypt (or in Domains > example.com > SSL/TLS Certificates).

DNS zone of the domain is hosted on external DNS hosting

On the external DNS hosting, add the TXT record for the hostname _acme-challenge.example.com. The value for the record can be obtained in Plesk in Domains > example.com > DNS Settings.
Issue Let's Encrypt certificate again in Plesk in Domains > example.com > Let's Encrypt (or in Domains > example.com > SSL/TLS Certificates).

Comments

3 comments

Alex Laforge November 17, 2019 07:01

Having to specifiy the TXT content on the external Name Server each time a renew is required is absolutely impossible, too long, so not a solution.

We definitely NEED an option in Plesk Obsidian Windows to be able to choose if :

- Option A : Plesk Let's Encrypt extension will use the method of adding a TXT record in the Plesk DNS Zone

- Option B : Plesk Let's Encrypt extension will use the method of creating a /.well-known/ file under the domain root. This option will be useful for all the people not using Plesk as their Name Server.

2

Comment actions Permalink
Lev Iurev November 25, 2019 02:06

@Alex Laforge As I can see it was figured out in the ticket.

0

Comment actions Permalink
Alex Laforge November 25, 2019 19:53
Yes, your technical support solved the situation. In fact, for those who come to this page, you must know that, to issue certificates, Let's Encrypt servers use two types of challenges:
- HTTP-01 for issuing regular certificates - the token is checked at the URL http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>.
- DNS-01 for issuing wildcard certificates - the token is checked in the DNS TXT record _acme-challenge.<YOUR_DOMAIN>.
More information are available at this page https://letsencrypt.org/docs/challenge-types/

I wish that this information would be more clearly displayed inside Plesk, or on the SSL-related Plesk Documentation pages.
1

Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request