Applicable to:
- Plesk
Symptoms
- Could not issue or renew a Let's Encrypt SSL/TLS certificate:
  Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com.
  Authorization for the domain failed.
  Details Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/9_fD4pJYnd6o4DNUxbG0WNtYOOm-G6TeHcz8TN1K9f4. Details: Type: urn:ietf:params:acme:error:unauthorized
  Status: 403
  Detail: Incorrect TXT record "Rq5AN5tnNTHnUNfh2byBWzDZNePjIOcSJDMJYK0ku6A" found at _acme-challenge.example.com
- Plesk is not the master of the zone; external name servers are used:
  # dig NS example.com +short
  ns1.server.com
  ns2.server.com
- Local DNS is stopped and/or a DNS extension such as "Amazon Route 53" is used.
Cause
Let's Encrypt servers look for a TXT record that is missing from the external DNS servers.
The TXT record returned globally differs from the one returned by the Plesk server:
  # dig TXT _acme-challenge.example.com +short
  "Rq5AN5tnNTHnUNfh2byBWzDZNePjIOcSJDMJYK0ku6A"
  # dig TXT _acme-challenge.example.com @plesk.example.com +short
  "YyYM6WJOwGuX4K0TUVOipnYQvmN5tuOEyjgfsWtWWW"
where plesk.example.com is the hostname of the Plesk server. Let's Encrypt validates the DNS-01 challenge against the authoritative servers listed in the zone's NS records, not against Plesk, so the value Plesk publishes locally is never seen by Let's Encrypt.
Resolution
- Go to Domains > example.com > Let's Encrypt.
  Note: If Let's Encrypt is absent, click on SSL/TLS Certificate and, in the section Entry-level protection, click on Get it free.
- Check the box Issue a wildcard SSL/TLS certificate (or Secure the wildcard domain) and click on Install / Renew.
- Add the TXT record shown below to your external DNS servers and, once done, click on Continue.
  Note: If the page above is not shown, disable the DNS for this domain by following the documentation Disabling the Plesk DNS Service and retry.
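Before clicking Continue, it is worth confirming that every authoritative name server already answers with the token Plesk displayed, since a stale or missing record is exactly what produces the 403 above. The following POSIX shell pre-check is an added example, not part of the article or of the Plesk extension; it runs the same dig queries the article uses, and the function names txt_matches and check_challenge are my own (dig from bind-utils/dnsutils is assumed to be installed).

```shell
#!/bin/sh
# Pre-check for the Let's Encrypt DNS-01 challenge: verify that the TXT value
# shown by Plesk for _acme-challenge.<domain> is what the public authoritative
# name servers answer. Let's Encrypt queries those servers, not the Plesk host.

# txt_matches EXPECTED ANSWERS
#   EXPECTED: the challenge token Plesk displayed.
#   ANSWERS : `dig +short` output, one quoted TXT string per line.
# Returns 0 if EXPECTED is one of the published strings, 1 otherwise.
# A stale token from an earlier attempt does not count as a match.
txt_matches() {
    expected=$1
    answers=$2
    printf '%s\n' "$answers" | tr -d '"' | grep -qxF -- "$expected"
}

# check_challenge DOMAIN EXPECTED
#   Looks up the authoritative NS records for DOMAIN and reports, per server,
#   whether EXPECTED is published. Returns non-zero if any server lacks it,
#   which is the state in which clicking Continue would fail.
check_challenge() {
    domain=$1
    expected=$2
    status=0
    for ns in $(dig NS "$domain" +short); do
        answers=$(dig TXT "_acme-challenge.$domain" "@$ns" +short)
        if txt_matches "$expected" "$answers"; then
            echo "OK      $ns publishes the expected token"
        else
            echo "MISSING $ns answers: ${answers:-<no TXT record>}"
            status=1
        fi
    done
    return $status
}

# Usage (values from the article):
# check_challenge example.com YyYM6WJOwGuX4K0TUVOipnYQvmN5tuOEyjgfsWtWWW
```

Because an old token may still be served alongside the new one after you edit the zone, the check only passes when the exact new value is among the answers; wait for the TTL of the previous record to expire before retrying if the output still reports MISSING.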
Comments
I feel like this is a poor resolution, since it means I need to manually renew all certificates. Instead, the resolution should be to enhance the extension so that it can interact properly with remote DNS. For example, Google Cloud offers APIs for this exact reason.
Hello Michael Bellini
Thank you for the feedback.
Your idea, in fact, may be helpful for some of the external mail servers.
We already have extensions to automatically adjust DNS records on the DigitalOcean and AWS side, and we have plans for a similar extension for Google Cloud.
However, due to many realizations of DNS server functionality, some may still be unsupported and require the solution from above.
Is there a reason why a wildcard install requires you to manually add the DNS rather than adding it automatically? We are using Simple DNS locally.
Hi @Ben,
Actually, Plesk adds the required TXT record automatically in the domain's DNS Settings, which is done to simplify the process for domains that host their DNS on a Plesk server. So if you were using Plesk's DNS, no additional actions would be required. For third-party name server providers, however, it is still necessary to add a TXT record manually, as Plesk cannot automatically log in to your third-party name server account and add a record for you, for obvious reasons.
The requirement for having a TXT record for wildcard SSLs is a security measure by Let's Encrypt: this way Let's Encrypt ensures that you are the owner of the DNS of the domain. Read more about this challenge type here: https://letsencrypt.org/docs/challenge-types/
@Yulia Plokhotnikova Plesk can automatically add the record for remote DNS, since many remote DNS servers offer APIs. I run many other servers that do not use Plesk, and they all use Google Cloud DNS, and I can have my LE cert renewed automatically because there are extensions that communicate with Google Cloud DNS using their APIs.
This was the purpose of my first comment. The Plesk "solution" to manually add it is not a solution.
Michael Bellini, automatic update can be done in theory, but at this moment Plesk has no integration with Google Cloud DNS yet. We will consider adding such functionality in the future.