On October 19, 2021, we have enabled single-sign-on for our Plesk Support Center to provide a seamless login/account experience. This implies that you’ll be able to use a single account across any of our web-facing properties.
If you had already registered your account at Plesk 360 (formerly known as My Plesk) please use one for login. Otherwise please re-register it using the same email address as your existing Zendesk login (support account). It’s essential that you use the same email address on our support center to ensure that your tickets stay attached to the same account.

Articles in this section

See more

Unable to issue or renew Let's Encrypt certificate when external DNS server is used: Incorrect TXT record

Avatar
Julian Bonpland Mignaquy
Updated
Follow
Plesk for Linux kb: technical ext: le ABT: Group B

Applicable to:

  • Plesk for Linux

Symptoms

  • It is not posible to issue or renew Let's Encrypt SSL/TLS certificate. The following error appears in Plesk or in a mail sent to the user's mailbox:

    Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com.
    Authorization for the domain failed.
    Details Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/9_fD4pJYnd6o4DNUxbG0WNtYOOm-G6TeHcz8TN1K9f4. Details: Type: urn:ietf:params:acme:error:unauthorized
    Status: 403
    Detail: Incorrect TXT record "Rq5AN5tnNTHnUNfh2byBWzDZNePjIOcSJDMJYK0ku6A" found at _acme-challenge.example.com

  • Plesk is not the master of the zone, external servers are used:

    # dig NS example.com +short
    ns1.server.com
    ns2.server.com

  • DNS extension like "Amazon Route 53" is used.

Cause

Local DNS service is stopped in Tools & Settings > Services Management.
If this service is stopped then the TXT record for _acme-challenge will not be generated automatically.

Resolution

  1. Log into Plesk

  2. Start the DNS service in Tools & Settings > Services Management.

  3. Go to Domains > example.com > Let's Encrypt or Domains > example.com > SSL/TLS Certificates

  4. Click on Reissue certificate.

  5. Once the following image is shown, double check if the TXT record resolves externally. This can be checked via ssh with the command dig TXT _acme-challenge.example.com +short:
    Click Install

  6. If it does not resolve, add the record to the external DNS server, removing other existing acme-challenge records from there.

  7. Get back to Plesk screen and click Reload button

Comments

8 comments

Sort by Date Votes
  • Avatar
    Michael Bellini

    I feel like this is a poor resolution, since it means I need to manually renew all certificates.  Instead the resolution should be to enhance the extension so that it can interact properly with remote dns.  For example, google cloud offers APIs for this exact reason

    2
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello Michael Bellini

    Thank you for the feedback.

    Your Idea, in fact, may be helpful for some of the external mail servers.

    We already have extensions to automatically adjust DNS records on DigitalOcean, AWS side and we have plans for similar extension for Google Cloud.

    However, due to many realizations of DNS server functionality, some may still be unsupported and require the solution from above.

    -1
    Comment actions Permalink
  • Avatar
    Ben

    Is there a reason why a wildcard install requires you to manually add the DNS rather than adding it automatically? We are using Simple DNS locally.

    0
    Comment actions Permalink
  • Avatar
    Yulia Plokhotnikova

    Hi @Ben,

    Actually Plesk adds the required TXT record automatically in domain's DNS Settings which is done to simply the process for domains that host their DNS on a Plesk server. So if you were using Plesk's DNS, no additional actions would be required. For third-party name server providers, however, it is still needed adding a TXT record manually as Plesk cannot automatically login to your third-party name server account and add a record for you for obvious reasons.

    The requirement for having a TXT record for wildcard SSLs is a security measure by Let's Encrypt: this way Let's Encrypt ensures that you are the owner of the DNS of the domain. Read more about this challenge type here: https://letsencrypt.org/docs/challenge-types/   

    -2
    Comment actions Permalink
  • Avatar
    Michael Bellini

    @Yulia Plokhotnikova Plesk can automatically add the record for remote DNS, since many remote DNS servers offer APIs.    I run many other servers that do not use plesk, and they all use Google Cloud DNS, and I can have my LE cert renewed automatically because there are extensions that communicate with Google Cloud DNS using their APIs

    This was the purpose of my first comment.  The Plesk "solution" to manually add it is not a solution

    0
    Comment actions Permalink
  • Avatar
    Anton Maslov

    Michael Bellini Automatic update can be done in theory, but at this moment Plesk has no yet integration with Google Cloud DNS. We will consider adding such functionality in the future.

    0
    Comment actions Permalink
  • Avatar
    Jeffrey Kastner

    Is there a way we can create a Task(or Event) to add or update a TXT record, or create a DNS extension for NameSilo (using their API)? 

    I've create the PHP script, but I'm not sure how I can implement the script to be triggered when Lets Encrypt needs to renew the TXT Record. 

    *I currently have all my domains, except one, at NameSilo.. and the one alt. is a clients that they manage elseshere(which I'm also needing to update the SSL for).

    **I would be happy to collaborate with Plesk to get this working, and even to manage/purchase domains via NameSilo.

    0
    Comment actions Permalink
  • Avatar
    Sergio Govoni

    Creating a script to add a DNS record is quite simple, as we can add and test this this script on Plesk, it shouldn't be that difficult.
    What don't you understand?

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles