On October 19, 2021, we have enabled single-sign-on for our Plesk Support Center to provide a seamless login/account experience. This implies that you’ll be able to use a single account across any of our web-facing properties.
If you had already registered your account at Plesk 360 (formerly known as My Plesk) please use one for login. Otherwise please re-register it using the same email address as your existing Zendesk login (support account). It’s essential that you use the same email address on our support center to ensure that your tickets stay attached to the same account.

Articles in this section

See more

Unable to issue or renew a Let's Encrypt SSL certificate for webmail in Plesk: 403 unauthorized

Avatar
Renan Genova Ferreira
Updated
Follow
Plesk for Linux kb: bug ext: le ABT: Group A

Applicable to:

  • Plesk for Linux

Symptoms

  • Unable to issue or renew a Let's Encrypt SSL certificate for webmail.example.com at Plesk > example.com > Let's encrypt > selecting the Secure webmail on this domain checkbox. The following warning is shown

    PLESK_WARN: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/mrkuES5ApWYKJEBElh47Ynxp03JmsjoKyADWUO0jbqA.
    Details:
    Type: urn:ietf:params:acme:error:unauthorized
    Status: 403
    Detail: Invalid response from https://webmail.example.com/.well-known/acme-challenge/CYt1tP_7l1JsJVWy9iRBN7bCl8PyJyx8lVlSQis9F6c [203.0.113.2]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor="white">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

  • Repeating the above steps issues or renews the SSL certificate successfully.

Cause

Let's Encrypt extension bug EXTLETSENC-694 which will be fixed on future product updates.

Resolution

As a workaround, perform the process twice to successfully issue or renew the SSL certificate for the webmail:

  1. Log into Plesk;
  2. Go to Domains > example.com > Let's Encrypt
  3. Select the Secure webmail on this domain checkbox and click on Renew or OK.

Comments

8 comments

Sort by Date Votes
  • Avatar
    Urban Abode

    Is there any fix on Obsidian 18.0.23 for this?

     

    0
    Comment actions Permalink
  • Avatar
    Bulat Tsydenov

    @Urban Abode

    Hi,
    this bug has not been fixed yet. Does the workaround mentioned in the article work for you?

    0
    Comment actions Permalink
  • Avatar
    Urban Abode

    Thanks for the reply. I ended up getting it done but it was not as straight forward as it use to be. The SSL/TLs Certificates show as not secured in the extension and there is no Lets encrypt extension showing but the site its self is showing lock and by all accounts looks like its working.

    Thanks Bulat Tsydenov

     

    0
    Comment actions Permalink
  • Avatar
    Pedro Telmo

    did not work the workaround solution.

    0
    Comment actions Permalink
  • Avatar
    Anzhelika Khapaknysh

    @Pedro Telmo,

    There is a chance, that the cause of the issue you've met isn't a bug.
    Please check similar articles in the knowledge base.

    If nothing works, consider contacting our Tech Support Team.

    0
    Comment actions Permalink
  • Avatar
    Marc

    Hi,

    Just performing an update in Lets Encrypt is not enough at our Enviroment. We use external DNS-Delegation. 
    We would have to renew the TXT entry in the external DNS too,  because the previous entry would be invalid.
    We manage more than 150 domains, it would be a lot of work to renew the _acme-challenge entries for all wildcards.
    Until the fix we deactivated the wildcard entry.
    0
    Comment actions Permalink
  • Avatar
    Ekaterina Babenko

    Hello,
    It is true that when using external DNS to install/update properly wildcard certificate it is required to update TXT record manually.
    If you want this operation to be done automatically use Plesk DNS instead.

    0
    Comment actions Permalink
  • Avatar
    Crypt0maniak

    For the people still experiencing issues with this.
    I had the same issue.

    Here was my solution:

    This most probably happens (not always) when you're using a reverse dns proxy like Cloudflare.
    If you use Cloudflare, follow these steps:

    Go to the "Overview"-tab in your Cloudflare dashboard.
    Under "Advanced Actions" on the bottom of the sidebar click on "Pause Cloudflare on Site", Press "Confirm".
    Then under "Quick Actions" on the bottom of the sidebar switch the "Development Mode" option to "On".
    Wait for about a few minutes.
    Then try to obtain your new certificate using Plesk.
    If successful, turn those options back on.

    What this does, is: It passes on all requests directly to your webserver and uses Cloudflare only for DNS.
    If you want to make sure it doesn't use Cloudflare's cache you can also click on "Purge Cache" under "Quick Actions" and then click "Purge everything" (Warning!: this will most probably increase your server load after you enable Cloudflare again )

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles