
Resolved Let's Encrypt - 403

Solarom

New Pleskian
Hello,

When I try to renew the certificate for one of my domains, an error with status 403 appears:

Error: Could not issue a Let's Encrypt SSL/TLS certificate for as-sellerie.fr
Authorization for the domain failed.
Details Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/13732064593.
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Incorrect TXT record "EiLQK-WtYAANG7V-VEB0vQqubN6yFgyvEzjzbWLIHGY" found at _acme-challenge.as-sellerie.fr

This error only occurs with this domain. The _acme-challenge.as-sellerie.fr DNS record updates in Plesk, but it doesn't propagate.

When I run the command "dig TXT _acme-challenge.as-sellerie.fr +short" in SSH, it returns: "EiLQK-WtYAANG7V-VEB0vQqubN6yFgyvEzjzbWLIHGY". It doesn't match the new record.

I followed Plesk's advice on this link:

But I don't know how to do step 6 of the solution:

6 - If it does not resolve, add the record to the external DNS server, removing other existing acme-challenge records from there.

Can you help me please?
 
Your DNS zone is not delegated to your Plesk server:
# dig +short as-sellerie.fr NS
ns8.lwsdns.com.
ns5.lwsdns.com.
ns6.lwsdns.com.
ns7.lwsdns.com.

So anything you do in the DNS zone in Plesk will not have any effect on the "real world".

Solution 1: Delegate the zone as-sellerie.fr to your Plesk server at your registrar

Solution 2: Update the TXT record manually at your DNS provider and re-perform the validation

Solution 3: Check if your DNS provider has an API that is supported by Plesk (see the comments in the KB article you posted)

Solution 4: Do not create a wildcard Let's Encrypt certificate (which uses the DNS-challenge) but use the HTTP-challenge instead, eliminating the need for DNS updates to your zone for the certificate validation
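
The diagnosis in the answer above (compare the zone's NS records with the Plesk server's own nameservers, then check the `_acme-challenge` TXT value) can be scripted. This is an added example, not part of the original thread; the function names and the Plesk nameserver names passed to them are hypothetical, and the expected TXT value is whatever Plesk currently shows for the challenge.

```shell
#!/bin/sh
# Added example; Plesk nameserver names and the expected token are assumptions.

# One hostname per line, lower-cased, trailing dot removed.
hosts() { printf '%s\n' "$1" | tr ' ' '\n' | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# delegation_status "<dig +short NS output>" "<this server's nameservers>"
# prints: delegated | partial | external | unknown
delegation_status() {
  total=0; hit=0
  for ns in $(hosts "$1"); do
    total=$((total + 1))
    for m in $(hosts "$2"); do
      if [ "$ns" = "$m" ]; then hit=$((hit + 1)); break; fi
    done
  done
  if [ "$total" -eq 0 ]; then echo unknown
  elif [ "$hit" -eq "$total" ]; then echo delegated
  elif [ "$hit" -eq 0 ]; then echo external
  else echo partial
  fi
}

# txt_status "<expected value>" "<dig +short TXT output>"
# prints: match | stale | missing  (TXT values are case-sensitive)
txt_status() {
  found=$(printf '%s\n' "$2" | sed 's/^"//; s/"$//')
  if [ -z "$found" ]; then echo missing; return 0; fi
  for v in $found; do
    if [ "$v" = "$1" ]; then echo match; return 0; fi
  done
  echo stale
}

# Live check: ask each authoritative nameserver directly, bypassing resolver caches.
# check_live DOMAIN EXPECTED_TXT "PLESK_NS1 PLESK_NS2"
check_live() {
  ns=$(dig +short NS "$1")
  echo "delegation: $(delegation_status "$ns" "$3")"
  for s in $ns; do
    echo "$s: $(txt_status "$2" "$(dig +short TXT "_acme-challenge.$1" "@$s")")"
  done
}
```

A result of `external` together with `stale` is the situation in this thread: the record changes in Plesk, but the nameservers the world actually queries still serve the old value.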
 
Solution 4: Do not create a wildcard Let's Encrypt certificate (which uses the DNS-challenge) but use the HTTP-challenge instead, eliminating the need for DNS updates to your zone for the certificate validation

Truly one of the best approaches to a seamless issuance/renewal process!
 