
Resolved Could not issue/renew Let`s Encrypt certificates for admin

PeterKi

Regular Pleskian
Server operating system version: Ubuntu Linux 22.04.1 LTS
Plesk version and microupdate number: Plesk Obsidian 18.0.50u2 WebAdmin Edition
I frequently get messages from Let's Encrypt renewals like the one shown below.
When I check the expiration of my domain, everything looks fine though.
My domain was already successfully renewed 9 days ago on March 6th and is shown to expire on June 4th.
There is nothing which shows an expiration in 21 days.
I also do not have a problem accessing my domain with https, and browsers show it as secured.

What makes Plesk generate these messages?

Could not secure domains of admin (login admin) with Let`s Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.

Securing of the following domains has failed:
<none>

The following domains have been secured without some of their Subject Alternative Names:
<none>

Could not renew Let`s Encrypt certificates for admin (login admin). Please log in to Plesk and renew the certificates listed below manually.

Renewal of the following Let`s Encrypt certificates has failed:
** 'Lets Encrypt mydomain.de' [days to expire: 21] **
[-] mydomain.de
[-] webmail.mydomain.de
[-] www.mydomain.de
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/210977840857.
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: xx.xxx.xxx.xxx: Invalid response from https://mydomain.de/.well-known/acme-challenge/sgyeD_3Zeg5kO5niibeItJP-dg6T5Py4M5UD7c6474I: 404

The following Let`s Encrypt certificates have been renewed without some of their Subject Alternative Names:
<none>
 
The reason is probably that in an older certificate an alternative name was included such as an alias that no longer exists on the server. Meanwhile a new cert has been issued, but the old one is still there.

Here is one approach to find out more and eventually solve the issue:
1) Login to the console.
2) Escalate to root (su).
3) Start sqlite
sqlite3 /usr/local/psa/var/modules/sslit/sslit.sqlite3
4) Run
> select id,createdDate,state,params from Notification where params like '%mydomain.de%' order by id desc limit 10;
From there I suggest deleting messages for mydomain.de from the notifications queue:
> delete from Notification where params like '%mydomain.de%';
5) Exit sqlite
> .quit
6) Remove the existing certificate for mydomain.de by clicking the "Unassign certificate" on the SSL page.
7) On the console remove the SSL directory if it still exists after unassigning:
mv /usr/local/psa/var/modules/sslit/etc/live/mydomain.de/ ~/
8) Reissue/reinstall a certificate for mydomain.de
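
Steps 3 to 5 as an added example, not part of the original post: preview the rows that mention the domain, then delete them inside one transaction. It runs against a constructed in-memory table that has only the four columns named in the query above. Assumptions: the column types, the JSON shape of `params` (which is why the pattern uses `%` wildcards) and all helper names are illustrative.

```python
import sqlite3

def like_pattern(domain):
    """Build a 'contains' pattern; escape LIKE metacharacters (% and _) in the domain."""
    escaped = domain.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "%" + escaped + "%"

def find_notifications(conn, domain):
    """Return (id, createdDate, state, params) rows whose params mention the domain."""
    return conn.execute(
        "SELECT id, createdDate, state, params FROM Notification "
        "WHERE params LIKE ? ESCAPE '\\' ORDER BY id DESC",
        (like_pattern(domain),),
    ).fetchall()

def delete_notifications(conn, domain):
    """Delete the matching rows in one transaction and return what was removed."""
    with conn:  # commits on success, rolls back if an exception is raised
        rows = find_notifications(conn, domain)
        conn.execute(
            "DELETE FROM Notification WHERE params LIKE ? ESCAPE '\\'",
            (like_pattern(domain),),
        )
    return rows

def build_sample_db():
    """Constructed stand-in for sslit.sqlite3; types and params format are assumed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Notification ("
                 "id INTEGER PRIMARY KEY, createdDate TEXT, state TEXT, params TEXT)")
    conn.executemany(
        "INSERT INTO Notification (createdDate, state, params) VALUES (?, ?, ?)",
        [
            ("2023-03-01", "pending", '{"domains":["mydomain.de","www.mydomain.de"]}'),
            ("2023-03-02", "pending", '{"domains":["other.example"]}'),
            ("2023-03-03", "sent", '{"domains":["webmail.mydomain.de"]}'),
        ],
    )
    conn.commit()
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    print(find_notifications(db, "mydomain.de"))
    print("deleted:", len(delete_notifications(db, "mydomain.de")))
```

On a real server, copy `sslit.sqlite3` aside before running any delete against it.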
 
Thanks for the quick reply.
Alas, there is nothing in either the Notification table or the PanelNotification table.
When I wrote 'frequently', I didn't mean every day but every other week.

SELECT name FROM sqlite_schema WHERE type='table' ORDER BY name;
Notification
OrderAttribute
Orders
PanelNotification
sqlite_sequence
statisticsMeasurement
version
sqlite> select * from Notification ;
sqlite> select * from PanelNotification ;
sqlite>
 
Are you sure that the mail is being sent from the server you are currently on? Could it be sent from another server where the domain was previously hosted?
 
Oops, you're right.
I hadn't thought that after my server migration, email headers may look the same.
Looking at the mail source revealed that it was indeed from my old server, which is still on standby without any domains.
Mea Culpa!
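
The check that settled this thread, as an added example that is not part of the original posts: read the Received chain in the notification's mail source to see which server generated it. The sample message, host names, IP addresses and helper names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample mail source; hosts and IPs are placeholders.
SAMPLE_MAIL = """\
Received: from mx.mailprovider.example (mx.mailprovider.example [203.0.113.10])
\tby inbox.mailprovider.example with ESMTP id abc123;
\tWed, 15 Mar 2023 06:00:05 +0100
Received: from old-server.example (old-server.example [198.51.100.7])
\tby mx.mailprovider.example with ESMTP id def456;
\tWed, 15 Mar 2023 06:00:03 +0100
Received: by old-server.example (Postfix, from userid 0)
\tid 9F1C2; Wed, 15 Mar 2023 06:00:02 +0100
From: admin@mydomain.de
To: admin@mydomain.de
Subject: Could not issue/renew Let`s Encrypt certificates for admin

Could not renew Let`s Encrypt certificates for admin (login admin).
"""

# "from <host> ... by <host>"; the "from" part is absent for local submission.
HOP = re.compile(r"(?:from\s+(?P<frm>\S+).*?)?\bby\s+(?P<by>[^\s;]+)", re.S)

def received_hops(raw):
    """Return [(from_host, by_host)], oldest hop first (headers are newest first)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append((m.group("frm"), m.group("by")))
    return hops

def origin_host(raw):
    """Host that first handled the mail: 'from' of the oldest hop, else its 'by'."""
    hops = received_hops(raw)
    if not hops:
        return None
    frm, by = hops[0]
    return (frm or by).lower()

def check_origin(raw, current_host):
    """Return (origin, True if the mail was generated on current_host)."""
    origin = origin_host(raw)
    return origin, origin == current_host.lower()

if __name__ == "__main__":
    print(check_origin(SAMPLE_MAIL, "new-server.example"))
```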
 
We have the same issue after our hosting was moved from Media Temple to GoDaddy. The messages we receive are consistent, but we are unable to determine how to secure the domains manually.

Could not secure domains of admin (login admin) with Let`s Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
 
@Wrwebapps What domains do you mean that you need to secure manually? Where is the error message that you have quoted shown? Could you please describe this in more detail? I suggest, too, to open a separate thread for it, because it does not seem to be the exact same issue that the owner of this thread explained.
 
The reason is probably that in an older certificate an alternative name was included such as an alias that no longer exists on the server. Meanwhile a new cert has been issued, but the old one is still there.

Here is one approach to find out more and eventually solve the issue:
[...]
I can't tell you how long I've been looking for a solution for this issue. This has been immensely helpful, Peter! I seem to have fixed several of our "broken" domains already using this procedure, at least the issue of a new certificate worked without manually setting the _acme_challenge DNS entry. Whether it truly works for the automatic renewals, too, I will see in a few months.
 