• The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Daily email "Could not issue/renew Let`s Encrypt certificates for adminmame"

B

brownbag

Basic Pleskian
Since I set up my plesk server, I've been getting a daily email, "Could not issue/renew Let's Encrypt certificates for Gavin" (Gavin is my name).
The basic content is as follows:
Could not secure domains of Gavin (login admin) with Let`s Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:

* 'compleit.com'
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/2742710018.
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Invalid response from Zuver Domains [112.140.180.152]: "<!DOCTYPE html>\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head>\r\n\r\n <meta http-equiv=\"x-ua-compatible\" content=\"IE=edge\""

The following domains have been secured without some of their Subject Alternative Names:

<none>

Could not renew Let`s Encrypt certificates for Gavin (login admin). Please log in to Plesk and renew the certificates listed below manually.

To resolve this issue, it has been suggested to me that I need to set up a wildcard certificate. So I opened Let's encrypt, selected my domain and checked the box to ‘Issue a wildcard SSL/TLS certificate’ box. Then in my domain registry, I created a DNS TXT record for _acme-challenge.compleit.com with the value equaling the record name. Then i wanted 10 minutes for this DNS record to propogate and pressed Continue. But then I got an error, "Could not issue a Let's encrypt SSL/TLS certificate for compleit.com. Authorization for the domain failed".
I have three questions:
1. Am I not waiting long enough?
2. Do I just need to keep persisting or have I made a mistake somewhere?
3. What is the impact of this 'issue'?
 

Attachments

  • DNSRECORD.png
    DNSRECORD.png
    8.4 KB · Views: 29
  • let's encrypt.jpg
    let's encrypt.jpg
    50.7 KB · Views: 33
  • lets encrypt-error.png
    lets encrypt-error.png
    19.5 KB · Views: 26
Short answer: The IP of your domain "compleit.com.au" does not point to your Plesk server. The IP of your domain currently is 112.140.180.152, which belongs to a domain parking service.

You can't install a Let's Encrypt certificate on your server when the domain does not point to the IP of your Plesk server.

Solution: Check with the registrar of your domain and change the DNS records so that your domain points to the IP address of your server. Wait for DNS propagation and then try again to issue the certificate.
 
Monty said:
Short answer: The IP of your domain "compleit.com.au" does not point to your Plesk server. The IP of your domain currently is 112.140.180.152, which belongs to a domain parking service.

You can't install a Let's Encrypt certificate on your server when the domain does not point to the IP of your Plesk server.

Solution: Check with the registrar of your domain and change the DNS records so that your domain points to the IP address of your server. Wait for DNS propagation and then try again to issue the certificate.
Click to expand...

Yes, compleit.com.au is not fully set up yet, but this issue is with compleit.com. I can't see anything in the email or in what I've done that has anything to do with compleit.com.au. If you can see that, can you please point me to it? Thanks.
 
I saw compleit.com.au in your pasted error message: "Invalid response from Zuver Domains [112.140.180.152] " (move your mouse over "Zuver Domains").
But I must confess I didn't properly look at your screenshots, they show a different issue than the text in your pasted error message.

Anyway, let's focus on the screenshots: It's a DNS issue again. Your domain "compleit.com" is registered on the nameservers of "nameserver.net.au":

Code: 
# dig +short compleit.com NS
ns3.nameserver.net.au.
ns2.nameserver.net.au.
ns1.nameserver.net.au.

And there is no TXT record for _acme-challenge.compleit.com on those nameservers:
Code: 
# dig _acme-challenge.compleit.com TXT

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51268
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

However, when I query your Plesk nameserver directly I get the TXT record:

Code: 
# dig _acme-challenge.compleit.com TXT @compleit.com  

;; ANSWER SECTION:
_acme-challenge.compleit.com. 86400 IN  TXT     "sbAucR0OoVSMLG0MEI<redacted>"

Note: nsX.nameserver.net.au are external nameservers, so your DNS records inside Plesk do not have any effect on your domain.

So, either you register your domain to your own nameserver (the one from your Plesk server) at your registrar or you enter the TXT record manually at nameserver.net.au for your domain.

There is a nice KB article that explains exactly this: Cannot issue wildcard Let's Encrypt certificate in Plesk: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com
 
You must log in or register to reply here.

Similar threads

D
Question Renewing Let's encrypt automatically
Replies
3
Views
549
Kaspar
K
M
Resolved Lets Encrypt not issuing certs for subdomains
Replies
2
Views
335
mendip_discovery
M
L
Issue ( authorization token is unavailable ) Could not issue/renew Let`s Encrypt certificates
Replies
7
Views
469
Leta
L
Azurel
Resolved Mail for "Let`s Encrypt certificates for ***** have been issued/renewed" missing?
Replies
2
Views
696
Azurel
Azurel
Bitpalast
Resolved SSL create and renew errors on random domains / possibly a Let's Encrypt issue, but maybe only in combination with Plesk
Replies
11
Views
1K
Change Maker
C
Back
Top