Applicable to:
- Plesk for Linux
Symptoms
- It is not possible to issue or renew a Let's Encrypt SSL/TLS certificate. The following error appears in Plesk or in a mail sent to the user's mailbox:
Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com.
Authorization for the domain failed.
Details Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/9_fD4pJYnd6o4DNUxbG0WNtYOOm-G6TeHcz8TN1K9f4. Details: Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Incorrect TXT record "Rq5AN5tnNTHnUNfh2byBWzDZNePjIOcSJDMJYK0ku6A" found at _acme-challenge.example.com
- Plesk is not the master of the zone; external name servers are used:
# dig NS example.com +short
ns1.server.com
ns2.server.com
- A DNS extension like "Amazon Route 53" is used.
Cause
Local DNS service is stopped in Tools & Settings > Services Management.
If this service is stopped, the TXT record for _acme-challenge will not be generated automatically, so the DNS-01 challenge fails.
Resolution
- Start the DNS service in Tools & Settings > Services Management.
- Go to Domains > example.com > SSL/TLS Certificates.
- Click Reissue certificate.
- Once Plesk shows the screen with the TXT record instructions, double check that the TXT record resolves externally. This can be checked via SSH with the command:
dig TXT _acme-challenge.example.com +short
  - If it does not resolve, add the record to the external DNS server, removing other existing _acme-challenge records from there.
- Get back to the Plesk screen and click the Reload button.
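As an added check that is not part of the Plesk article, the following POSIX shell script compares the _acme-challenge TXT value in Plesk's local zone (assumed to answer on 127.0.0.1; dig is assumed to be installed) with what every authoritative name server of the domain publishes, so a missing or stale token on the external provider is caught before clicking Reload.

```shell
#!/bin/sh
# Added example, not from the Plesk article: compare the _acme-challenge TXT value that
# Plesk's local DNS service generated with what the external (authoritative) servers serve.
# Assumes dig is installed and that Plesk's DNS service answers on 127.0.0.1.
set -u

# txt_contains EXPECTED "<dig TXT ... +short output>": strip dig's surrounding quotes
# from every TXT string and return 0 if EXPECTED is one of them, 1 otherwise.
txt_contains() {
    printf '%s\n' "$2" | sed 's/^"//; s/"$//' | grep -qxF -- "$1"
}

# txt_count "<dig +short output>": number of TXT strings published (0 for empty output).
# More than one usually means stale tokens from earlier renewals were never removed.
txt_count() {
    if [ -z "$1" ]; then echo 0; return; fi
    printf '%s\n' "$1" | grep -c .
}

# check_challenge DOMAIN: returns 0 if every authoritative server publishes the local token,
# 1 on a mismatch, 2 if the local zone has no token (the DNS service is probably stopped).
check_challenge() {
    domain=$1
    name="_acme-challenge.$domain"
    local_txt=$(dig @127.0.0.1 TXT "$name" +short | head -n 1 | sed 's/^"//; s/"$//')
    if [ -z "$local_txt" ]; then
        echo "no $name TXT record in the local zone: is the DNS service running in Plesk?"
        return 2
    fi
    rc=0
    # Query each authoritative server directly so resolver caches cannot hide a stale record.
    for ns in $(dig NS "$domain" +short); do
        external=$(dig @"$ns" TXT "$name" +short)
        if txt_contains "$local_txt" "$external"; then
            echo "$ns: OK, $(txt_count "$external") TXT string(s) published"
        else
            echo "$ns: MISMATCH, publish \"$local_txt\" and remove other _acme-challenge records"
            rc=1
        fi
    done
    return $rc
}

if [ $# -ge 1 ]; then
    check_challenge "$1"
fi
```

Run it as `sh check_challenge.sh example.com` on the Plesk server; a non-zero exit status tells you which name server still needs the record fixed.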
Comments
I feel like this is a poor resolution, since it means I need to manually renew all certificates. Instead the resolution should be to enhance the extension so that it can interact properly with remote DNS. For example, Google Cloud offers APIs for this exact reason.
Hello Michael Bellini
Thank you for the feedback.
Your idea, in fact, may be helpful for some of the external mail servers.
We already have extensions to automatically adjust DNS records on the DigitalOcean and AWS side, and we have plans for a similar extension for Google Cloud.
However, due to many realizations of DNS server functionality, some may still be unsupported and require the solution from above.
Is there a reason why a wildcard install requires you to manually add the DNS rather than adding it automatically? We are using Simple DNS locally.
Hi @Ben,
Actually, Plesk adds the required TXT record automatically in the domain's DNS Settings, which is done to simplify the process for domains that host their DNS on a Plesk server. So if you were using Plesk's DNS, no additional actions would be required. For third-party name server providers, however, it is still necessary to add a TXT record manually, as Plesk cannot automatically log in to your third-party name server account and add a record for you, for obvious reasons.
The requirement for having a TXT record for wildcard SSLs is a security measure by Let's Encrypt: this way Let's Encrypt ensures that you are the owner of the DNS of the domain. Read more about this challenge type here: https://letsencrypt.org/docs/challenge-types/
@Yulia Plokhotnikova Plesk can automatically add the record for remote DNS, since many remote DNS servers offer APIs. I run many other servers that do not use Plesk, and they all use Google Cloud DNS, and I can have my LE cert renewed automatically because there are extensions that communicate with Google Cloud DNS using their APIs.
This was the purpose of my first comment. The Plesk "solution" to manually add it is not a solution.
Michael Bellini, automatic update can be done in theory, but at this moment Plesk has no integration with Google Cloud DNS yet. We will consider adding such functionality in the future.
Is there a way we can create a Task (or Event) to add or update a TXT record, or create a DNS extension for NameSilo (using their API)?
I've created the PHP script, but I'm not sure how I can implement the script to be triggered when Let's Encrypt needs to renew the TXT record.
*I currently have all my domains, except one, at NameSilo.. and the one alternative is a client's that they manage elsewhere (which I'm also needing to update the SSL for).
**I would be happy to collaborate with Plesk to get this working, and even to manage/purchase domains via NameSilo.
Creating a script to add a DNS record is quite simple, as we can add and test this script on Plesk, it shouldn't be that difficult.
What don't you understand?
Hi,
I have the same problem (incorrect TXT _acme-challenge.mydomain.com record) and I am using Plesk DNS locally.
In DNS settings (Websites & Domains > mydomain.com > DNS Settings), "_acme-challenge.mydomain.com" record exists, but I have the message "Warning: The DNS zone was modified. If you would like to apply changes in the DNS template to this zone, either click the 'Apply DNS Template Changes' button on this page or ...//...". After applying the DNS template changes, I can renew the certificate manually.
Shouldn't Plesk do this automatically?
Is there an option somewhere to change?
Plesk Support - Why not simply use the Let's Encrypt HTTP-01 challenge type instead or give owners the ability to change the challenge type through settings.
https://letsencrypt.org/docs/challenge-types/
Or does the wildcard require TXT record adjustments?