
Question: Incorrect TXT record "f-SabDKKcvWsjfiCn08yEbfdWiafvFo6" found at _acme-challenge.mydomain.com - What am I doing wrong?

carlsson

Basic Pleskian
Server operating system version
Ubuntu 20.04.6 LTS
Plesk version and microupdate number
18.0.59 Update #2
Every now and then I get this message: "Incorrect TXT record "f-SabDKKcvWsjfiCn08yEbfdWiafvFo6" found at _acme-challenge.mydomain.com", even though I have issued a Let's Encrypt certificate recently, and I know that I haven't altered the _acme-challenge record after that.

The only way I know of that fixes this is to re-issue a new certificate. Feels kinda unnecessary though, but I can't find any way in Plesk that gives me the TXT record that it wants.

Is it only me?
What am I doing wrong?
 

Attachments: Skärmavbild 2024-04-14 kl. 15.29.57.png (101.4 KB)
The ACME challenge can change depending on how it's being issued and if it's a renewal.

If you're using the DNS service built into Plesk, the ACME challenge will be updated accordingly and automatically, but it's still possible that it's waiting on the DNS changes; it should fix itself automatically.

If you've got a wildcard cert issued on a domain and you want to apply a certificate to a subdomain, instead of issuing a new certificate, edit the hosting settings and select your wildcard certificate instead.
 
Thanks for the input.

I really want to use the built in DNS, but I'm afraid of only having one DNS. Maybe another topic, but should I?
 
If you're using an external DNS service like Cloudflare or DNSMadeEasy, or even your registrar's, then the ACME challenge will fail until you update the record yourself manually.

Also, if you want to use your own, most registrars will force you to have at least 2 DNS name servers (usually you can get away with using the same IP address), and you don't have to if you don't want to; it can get kind of annoying to get the name servers set up correctly on other registrars for it to work correctly. Just know that when it comes to renewing a certificate that uses the DNS challenge, it might fail until you update the challenge key with the new one.
 
This still bugs me and I'm going crazy…! I am spending a lot of time renewing my certificates manually, something that should be done automatically. What am I doing wrong?!

I currently have 17 domains that I need to update manually.
I.e., I get an email from Plesk saying that it "Could not secure domains…"
Then I get an email every other day or so until I renew it.
I have 20 other domains that work as they should.
I have web and email on Plesk, while I have the name server at my registrar (loopia.se).

When I get these emails I am doing the following procedure:
  1. Plesk > Domains > thedomain > SSL/TLS Certificates
  2. Issue a Certificate (I have been experimenting between Reissue and Unassign, but haven't seen any difference).
  3. Copy the text string.
  4. Log in to the registrar.
  5. Edit the _acme-challenge TXT record.
  6. Paste the text string.
  7. Save the changes.
  8. Wait a few minutes.
  9. Go to Plesk and press Continue (if I have waited long enough it says that the cert is published and everything is okay. Sometimes though I haven't waited long enough and need to redo the entire process).

What am I doing wrong? Why doesn't the auto renewal work?
 

Attachments: Skärmavbild 2025-01-09 kl. 07.18.48.png (74.3 KB)
As I've mentioned before, if the DNS is being managed by the registrar (or any other third-party DNS service like Cloudflare or DNSMadeEasy), then you will need to update the records manually. If you do not want to update the records manually and you want everything to be done automatically for wildcard certificates, then you must have the DNS managed by the Plesk server, which means you need to go into the registrar, configure a glue record (or records, if your registrar requires 2 glue records), update the name servers to match your glue records, and do all your DNS editing through Plesk directly.

Since right now you are managing the DNS through your registrar you will need to continue manually updating the acme-challenge as needed.
 
Thanks for the input, but this isn't correct. I am managing all my domains at the registrar, and more than 50% of them work with automatic cert updates.
(When I get the time I will move the DNS to Plesk, but for now I just want this to work so I can focus on other things.)

Thanks though, any more ideas?
 
For those that are auto-renewing just fine, are you sure those are not using wildcard certs? Because if you're securing a single domain without a wildcard, they will do an HTTP check instead of a DNS check, which is easier and more automatic. A DNS check will generally trigger a new acme-challenge key, and it can and will rotate, which cannot be done automatically if the DNS is not managed by your server via Plesk and is instead managed by either the registrar or a third-party DNS service. These are just the cold hard facts. Plesk has no control over whether a new acme-challenge key is provided for DNS verification, since it utilizes a different service to provide that info, which gets it from Let's Encrypt.

Trust me, I have to go through this every so often as well, since I use Cloudflare for my DNS services. For the domains I do have set up where DNS is directly managed by my server through Plesk, those are all done automatically for me, while for the ones I have in Cloudflare I need to update the challenge key for the renewal to complete.
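The manual procedure earlier in the thread (copy the token, edit the _acme-challenge TXT record, wait, press Continue) and the explanation above of why only wildcard certificates hit this can both be checked with a small script. The following is an added example, not Plesk's code and not from any poster: it uses only the Python standard library, tells you whether a certificate's name list needs the DNS-01 challenge at all (any wildcard name does), and reads the TXT record straight from a nameserver you name, so you press Continue only once the new token is actually served rather than guessing how long to wait. The names example.com and ns1.example.net are placeholders, the packet builder/parser is hand-written here, and the "older" token in the offline demo is a constructed value; the token string itself is the one quoted in the thread.

```python
import socket
import struct


def needs_dns01(names):
    """True when the certificate's name list contains a wildcard: Let's Encrypt
    issues wildcards only via DNS-01, plain names can use HTTP-01 instead."""
    return any(n.startswith("*.") for n in names)


def challenge_label(domain):
    """Name at which the DNS-01 TXT record must live (wildcard prefix dropped)."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".")


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """Minimal DNS query for <name> TXT IN: header with RD set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 16, 1)  # TXT, IN


def build_txt_response(name, txts, txid=0x1234, rcode=0):
    """Constructed reply used for the offline demo: the question plus one TXT
    answer per string, each answer name compressed to a pointer at offset 12.
    Strings over 255 bytes are not handled; ACME tokens are 43 characters."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(txts), 0, 0)
    answers = b""
    for t in txts:
        rdata = bytes([len(t)]) + t.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata
    return header + build_query(name, txid)[12:] + answers


def _skip_name(pkt, off):
    """Advance past a domain name, whether written out or a 2-byte pointer."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_txt_answers(pkt):
    """Every TXT string in the answer section of a DNS response; an empty list
    for a non-zero RCODE (e.g. NXDOMAIN) or when there are no answers."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    found = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype != 16:
            continue
        i, chunks = 0, []                         # rdata is <len><chars>...
        while i < len(rdata):
            n = rdata[i]
            chunks.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
        found.append("".join(chunks))
    return found


def query_txt(name, server, timeout=3.0):
    """Ask one specific server over UDP. Point it at the zone's authoritative
    nameserver, not your recursive resolver, so a cached old token can't fool you."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_txt_answers(data)


def assess(expected, found):
    """'published' if the token Plesk shows is served, 'stale' if only other
    values are, 'missing' if the record is absent."""
    if expected in found:
        return "published"
    return "stale" if found else "missing"


if __name__ == "__main__":
    names = ["example.com", "*.example.com"]      # assumed certificate names
    token = "f-SabDKKcvWsjfiCn08yEbfdWiafvFo6"     # token quoted in the thread
    if needs_dns01(names):                        # ns1.example.net is a placeholder
        label = challenge_label(names[1])
        print(label, assess(token, query_txt(label, "ns1.example.net")))
```

Run it against each authoritative nameserver the registrar lists for the zone (a record that one server already serves and another does not is exactly the "haven't waited long enough" case from step 9); "stale" means the record still holds a token from an earlier issuance, which is the "Incorrect TXT record" message in the thread title.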
 
I stand corrected.
I went through all the domains and realized that those that work automatically, don't have webmail secured, and thus the wildcard wasn't checked. It checks automatically when you check the webmail option, but one can actually uncheck it. See screenshot.
I wonder, what happens if I uncheck the wildcard domain…? I realize there may be problems with FTP and other subdomains, but most of my clients don't use that. But maybe there will be problems with DKIM etc.?

Attachments: cert.jpg
 
DKIM has nothing to do with certificates for email. DKIM is more for verifying that the email came from your server. If you don't have a certificate assigned to the mail domain (IMAP, POP, SMTP), then that simply means there won't be a certificate assigned to those 3 services, so if the user is using an email client such as Outlook or Thunderbird, they will get a certificate error. You generally want to have that secured too, but if email services aren't turned on for that domain, then you don't need to have it enabled.
 