Issue ( authorization token is unavailable ) Could not issue/renew Let`s Encrypt certificates

[Leta]

Server operating system version

Windows NT 10.0 build 14393 (Windows Server 2016) AMD64

Plesk version and microupdate number

Plesk Obsidian Version 18.0.61 #5

Hi,

When I visit ourwebsite.com and www.ourwebsite.com they both have the SSL certificate

But, when I visit our IP address whose page title is "Domain Default Page" with a general page with plesk main links, this page is not secure

I thought I had to create an

index.html

within

httpdocs

folder but nothing changes

We have 2 other websites whose Let's encrypt certificates were renewed recently without any issue

I spoke with our web hosting and they said they do not see any issue

I need your help, I don't know what is the cause of this issue

The Let's encrypt certificate seems installed correctly via Plesk control panel

I keep getting this error via email from Plesk:

"Could not secure domains of xxxxxx (login xxxxxx) with Let`s Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:

<none>

The following domains have been secured without some of their Subject Alternative Names:

<none>

Could not renew Let`s Encrypt certificates for xxxxxx (login xxxxxx). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let`s Encrypt certificates has failed:

** 'Lets Encrypt ourwebsite.com' [days to expire: 44] **
[-] ourwebsite.com
[-] www.ourwebsite.com

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxxx.
Details:
Type: urn:ietfarams:acme:error:unauthorized
Status: 403
Detail: (here there is our IP address) : Invalid response from http://ourwebsite.com/.well-known/acme-challenge/xxxxxxxx: 403

The following Let`s Encrypt certificates have been renewed without some of their Subject Alternative Names:

<none>

Legend:
[+] This domain is secure. The domain's SSL/TLS certificate from Let`s Encrypt has been issued/renewed.
[-] This domain is not secure. Either the domain's SSL/TLS certificate from Let`s Encrypt could not be issued/renewed or the domain name was excluded from the certificate. Renew the certificate manually or request a new one to secure this domain."

Then I tried to re-issue the Let's Encrypt ceritifcate for this website
(while a Let's encrypt certificate was already installed or so it appears) , it gave this error message:

"Impossible to generate a Let's Encrypt SSL/TLS certificate for ourwebsite.com

authorization token is not available in http://ourqwebsite.com/.well-known/acme-challenge/xxxxxxxxxxxx

To solve this issue, make sure that the token file is downloadable through the previous URL.
For more detailed info, see this article.
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxxxxxx

This is what https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxxxxxx has within:

{
"identifier": {
"type": "dns",
"value": "ourwebsite.com"
},
"status": "invalid",
"expires": "2024-10-26T08:30:50Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/xxx/xxx",
"status": "invalid",
"validated": "2024-10-19T08:30:53Z",
"error": {
"type": "urn:ietfarams:acme:error:unauthorized",
"detail": "our IP address: Invalid response from http://ourwebsite.com/.well-known/acme-challenge/xxxx: 403",
"status": 403
},
"token": "xxxxxxxxxxxxxxxxx",
"validationRecord": [
{
"url": "http://ourwebsite.com/.well-known/acme-challenge/xxxxxxxxxxxxxxx",
"hostname": "ourwebsite.com",
"port": "our port",
"addressesResolved": [
"our IP address"
],
"addressUsed": "our IP address"
} ] } ]}

Let me know soon, thanks
Best regards,

Leta

 

[Sebahat.hadzhi]

Hello, @Leta. That notification could result due to quite a few reasons, including DNS issues, incorrect domain paths, forced HTTPS redirection. Please double-check the following articles and hopefully they will help:

• https://support.plesk.com/hc/en-us/...cate-The-authorization-token-is-not-available
• https://support.plesk.com/hc/en-us/...setting-is-enabled-HTTP-Error-403-4-Forbidden

If the issue still persists, it will be best to directly get in touch with our support team so they can connect to your server and perform a further investigation.

 

[AYamshanov]

But, when I visit our IP address whose page title is "Domain Default Page" with a general page with plesk main links, this page is not secure

Why do you expect visitor to visit your server by IP address? In the real world, I believe it is quire rare case. Let's Encrypt can't help with a certificate for an IP-address (as one of the examples of similar questions on their forum)

 

[Leta]

@Sebahat.hadzhi @AYamshanov

Since my last post, I did the following:

1. I cancelled the SSL certificate (that looked like it was issued as seen on my plesk control panel)
2. I unchecked the Require SSL/TLS option found in Domains > example.com > Hosting & DNS > IIS Settings
3. I issued a new free SSL by Let's Encrypt again (with a different email address from the one attached to the previous SSL)

The last email, that I received directly from Plesk regarding the renewal of the free SSL cerificate by Let's Encrypt for this website, was received yesterday early morning and it was still saying "Could not issue/renew Let`s Encrypt certificates for this website"

Since then, no further email has been received from Plesk regarding this matter

Why have I not received an email from plesk confirming or not the renewal of the SSL?

Also, can I customize our IP addresses "domain default pages" to hide the fact they use Plesk as control panel?
for security reasons, should the IP addresses stay like this or a have a "hello world" type of page with no further info on the tech tools that the website uses?

Let me know soon, thanks
Best regards,
Leta

 

[AYamshanov]

Why have I not received an email from plesk confirming or not the renewal of the SSL?

I would recommend to start with analyzing Plesk and/or mail logs.

Also, can I customize our IP addresses "domain default pages" to hide the fact they use Plesk as control panel?

• How-to-change-the-default-content-for-newly-created-domains-in-Plesk
• How-to-change-the-Web-Server-s-Default-Page-for-domains-with-no-hosting-and-in-disabled-status-in-Plesk

Since you are interested on how to secure a server with Plesk, let me add one more link to the answer - How-to-secure-a-Plesk-server

 

[Leta]

I would recommend to start with analyzing Plesk and/or mail logs.

• How-to-change-the-default-content-for-newly-created-domains-in-Plesk
• How-to-change-the-Web-Server-s-Default-Page-for-domains-with-no-hosting-and-in-disabled-status-in-Plesk

Since you are interested on how to secure a server with Plesk, let me add one more link to the answer - How-to-secure-a-Plesk-server

@AYamshanov where do I analyze plesk and or mail logs?

• Screenshot 1 (the main directory) :
• Screenshot 2 (the httpdocs folder)

Let me know soon, thanks
Best regards,
Leta

 

[AYamshanov]

@AYamshanov where do I analyze plesk and or mail logs?

If you an admin on the server, I would recommend to check...

• Panel log: /var/log/plesk/panel.log
• Mail log: /var/log/maillog

(c) Plesk-for-Linux-services-logs-and-configuration-files



It is also possible to check some logs from the Log Browser extension.

 

[Leta]

If you an admin on the server, I would recommend to check...

• Panel log: /var/log/plesk/panel.log
• Mail log: /var/log/maillog

(c) Plesk-for-Linux-services-logs-and-configuration-files



It is also possible to check some logs from the Log Browser extension.

The above paths do not exist on my end

The website is on a shared Windows hosting plan

How can I see all types of error logs in my case?

I have not received an email from Plesk about this website's SSL since 20th October

Now I cancelled this SSL and I issued a new one with the default email address this time