- Plesk for Linux
- The following notifications keep coming to the Plesk administrator's email even though the certificate for example.com has already been renewed:
CONFIG_TEXT: Could not secure domains of Administrator (login admin) with Let's Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:
The following domains have been secured without some of their Subject Alternative Names:
Could not renew Let's Encrypt certificates for Administrator (login admin). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let's Encrypt certificates has failed:
'Lets Encrypt certificate' [days to expire: 12] [-] example.com
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/5422301042.
Detail: Invalid response from https://example.com/.well-known/acme-challenge/QnlaiM9v7msdH9BnqWzyzWx234wJTQjX-7fRot-TqEw [203.0.113.2]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
The following Let's Encrypt certificates have been renewed without some of their Subject Alternative Names:
[+] This domain is secure. The domain's SSL/TLS certificate from Let's Encrypt has been issued/renewed.
[-] This domain is not secure. Either the domain's SSL/TLS certificate from Let's Encrypt could not be issued/renewed or the domain name was excluded from the certificate. Renew the certificate manually or request a new one to secure this domain.
acme-challengetoken mentioned in the message does not exist in the common challenge directory:
# ls -la /var/www/vhosts/default/htdocs/.well-known/acme-challenge/ | grep QnlaiM9v7msdH9BnqWzyzWx234wJTQjX-7fRot-TqEw
With debug mode enabled, it is possible to see that the certificate renewal was skipped in
CONFIG_TEXT: DEBUG [extension/sslit] Skip certificate renewal for domain 'example.com': the certificate will expire in more than 30 days at YYYY-MM-DD
- There was a previous issue with certificate renewal that has been recently resolved;
The certificate has been recently renewed, but notifications for previous failed renewal attempts can come with a delay. This is an SSL It! extension bug #EXTSSLIT-1922.
Notifications for failed renewals can be delayed for 24 hours. No action is required.
If notifications keep coming after a while, check the email headers to make sure that they are not coming from an old server.