Resolved Can not re issue Lets Encrypt SSL Certificat

[elChupete]

Server operating system version

Ubuntu 22.04

Plesk version and microupdate number

18.0.71 Update #2

Hi ,

My LE SSL Certificates are not being autorenewed. I get following error
Could not renew Let`s Encrypt certificates for admin (login admin). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let`s Encrypt certificates has failed:

** 'Lets Encrypt zilz.hamburg' [days to expire: 26] **
[-]


Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/1823654157/582469126971
Details:
Type: urn:ietfarams:acme:error:connection
Status: 400
Detail: 212.132.73.15: Fetching https://www.mydomain.com/.well-known/acme-challenge/gyFnutZ4Z6AHoPukt7ReBVgqd9Pkomcmu-0zKF_WKMU: Redirect loop detected

I had same issue 3 month ago but found workaround. Unfortunately I do not remember the workaround.

However I nailed down the issue to Plesk not giving access to .well-knowm/acme-challenge/... When I try to access via browser any file below, I get 403 forbidden error.

I tried to give access via http directive
<Directory "/var/www/vhosts/mydomain/httpdocs/mydomain/.well-known/acme-challenge/">
Options None
AllowOverride None
Require all granted
</Directory>

but still I do not get access. Any Ideas / help?

 

[Raul A.]

The Let's Encrypt error indicates you have a redirect loop.
If you can access https://www.mydomain.com/.well-known/acme-challenge/gyFnutZ4Z6AHoPukt7ReBVgqd9Pkomcmu-0zKF_WKMU Let's Encrypt will also be able to access it. Once an attempt failed the challenge file remains in place. Thus the above URL should load the challenge file.

The challenge URL works for me, both http:// and https://. Can you try to reissue the certificate?

 

[elChupete]

I can access the file both via http and https when URL is directly entered into the browser. I see the content of the file . But still, when I try to reissue the certificate, I get the redirect loop detected error

 

[Raul A.]

Interesting. Check the User-Agent used by the Let's Encrypt server. In the logs section of the website in Plesk, look for requests to /.well-known/. Please share the requests made while the certificate issue is attempted.

 

[elChupete]

I tried to reissue at 17:24 but the entries in the log section only show *acme* entries until 16:50

2025-09-14 16:25:13	GET /.well-known/acme-challenge/ HTTP/2.0	nginx SSL/TLS access
2025-09-14 16:25:13	97963#0: *7660 directory index of "/var/www/vhosts/default/htdocs/.well-known/acme-challenge/" is forbidden	nginx error
2025-09-14 16:28:27	GET /.well-known/acme-challenge/gyFnutZ4Z6AHoPukt7ReBVgqd9Pkomcmu-0zKF_WKMU HTTP/2.0	nginx SSL/TLS access
2025-09-14 16:30:24	GET /.well-known/acme-challenge/vW5wyzhGmsZoK2JsijkvX6zZiO4MsDbJUDhbHL3Cc5s HTTP/2.0	nginx SSL/TLS access
2025-09-14 16:30:38	GET /.well-known/acme-challenge/vW5wyzhGmsZoK2JsijkvX6zZiO4MsDbJUDhbHL3Cc5s HTTP/2.0	nginx SSL/TLS access
2025-09-14 16:31:27	GET /.well-known/acme-challenge/vW5wyzhGmsZoK2JsijkvX6zZiO4MsDbJUDhbHL3Cc5s HTTP/1.1	nginx access
2025-09-14 16:31:38	GET /.well-known/acme-challenge/vW5wyzhGmsZoK2JsijkvX6zZiO4MsDbJUDhbHL3Cc5s HTTP/2.0	nginx SSL/TLS access
2025-09-14 16:32:10	GET /.well-known/acme-challenge/vW5wyzhGmsZoK2JsijkvX6zZiO4MsDbJUDhbHL3Cc5s HTTP/1.1	nginx access
2025-09-14 16:32:10	GET /.well-known/acme-challenge/vW5wyzhGmsZoK2JsijkvX6zZiO4MsDbJUDhbHL3Cc5s HTTP/2.0	nginx SSL/TLS access
2025-09-14 16:43:08	GET /.well-known/acme-challenge/vW5wyzhGmsZoK2JsijkvX6zZiO4MsDbJUDhbHL3Cc5s HTTP/1.1	nginx access
2025-09-14 16:43:08	GET /.well-known/acme-challenge/vW5wyzhGmsZoK2JsijkvX6zZiO4MsDbJUDhbHL3Cc5s HTTP/2.0	nginx SSL/TLS access
2025-09-14 16:43:39	GET /.well-known/acme-challenge/vW5wyzhGmsZoK2JsijkvX6zZiO4MsDbJUDhbHL3Cc5s HTTP/1.1	nginx access
2025-09-14 16:46:35	GET /.well-known/acme-challenge/vW5wyzhGmsZoK2JsijkvX6zZiO4MsDbJUDhbHL3Cc5s HTTP/1.1	nginx access
2025-09-14 16:50:14	GET /.well-known/acme-challenge/gyFnutZ4Z6AHoPukt7ReBVgqd9Pkomcmu-0zKF_WKMU: HTTP/2.0	nginx SSL/TLS access
2025-09-14 16:50:14	192709#0: *7863 openat() "/var/www/vhosts/default/htdocs/.well-known/acme-challenge/gyFnutZ4Z6AHoPukt7ReBVgqd9Pkomcmu-0zKF_WKMU:" failed (2: No such file or directory)	nginx error
2025-09-14 16:50:16	GET /.well-known/acme-challenge/gyFnutZ4Z6AHoPukt7ReBVgqd9Pkomcmu-0zKF_WKMU HTTP/2.0	nginx SSL/TLS access

 

[Kaspar]

Try letsdebug.net to see if that gets you more details on why the certificate authorization might have failed.

 

[elChupete]

Thanks Guys for helping me

Letsdebug reports for http-01
AAAANotWorking
Error
www.zilz.hamburg has an AAAA (IPv6) record (2a02:247a:210:3f00::1) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
A timeout was experienced while communicating with www.zilz.hamburg/2a02:247a:210:3f00::1: Get "http://www.zilz.hamburg/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://www.zilz.hamburg/.well-known/acme-challenge/letsdebug-test (using initial IP 2a02:247a:210:3f00::1)
@0ms: Dialing 2a02:247a:210:3f00::1
@10000ms: Experienced error: context deadline exceeded

The IPv6 is wrong the correct one is 2a02:2479:2d:3700::1

This is also the IPv6 that is showing up in the Plex config as well as in my Serverhosting config and Domain config.

No idea where 2a02:247a:210:3f00::1 is coming from.

Which files should I check?

 

[Raul A.]

The domain DNS zone. Some registrars provide IPv6 by default in the hosted DNS zone. You changed only the A record while you still have AAAA records without having an IPv6 address on your server.

 

[elChupete]

The domain DNS zone. Some registrars provide IPv6 by default in the hosted DNS zone. You changed only the A record while you still have AAAA records without having an IPv6 address on your server.

OK, How do I fix it ?

 

[Raul A.]

Remove the AAAA records.

 

[Kaspar]

Maybe beter to change and update the AAAA (IPv6) DNS record(s) than to remove them.

 

[elChupete]

Remove or update will fix it, clear. But again, HOW do I do that? In Plesk? At my Server provider ?
If Plesk , wher and how ?

 

[elChupete]

In Plesk, all AAAA record show the correct IPv6

 

[elChupete]

Why is letsdebug saying that the IPv6 is 2a02:247a:210:3f00::1?

 

[elChupete]

Hi Guys,

Thanks for helping me. I found the issue

At my main domain is zilz.hamburg
This Domain had the correct AAAA record set at my domain hoster. But for subdomain www.zilz.hamburg the AAAA record was configured with the wrong IPv6 address.

Now after I corrected the setting, the reissuing work fine.