• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Installing LetsEncrypt certificate for forward hosting fails initially

Using Plesk Obsidian 18.0.28 Update 3.
The changelog for SSL It! 1.5.0 "17 July 2020" says:
"Domains with the “Forwarding” hosting type can now be secured via SSL It! with certificates from Let’s Encrypt. The feature works in Plesk Obsidian for Linux with the Let’s Encrypt extension version 2.11 and later."

Adding a new domain to a subscription
Setting this domain as forwarding hosting
Activate SSL support in hosting settings
Requesting a letsencrypt certificate will fail with "Token not available"
http://<domain>/.well-known/acme-challenge/WkPHmm1bB8llHJDrSZk9C3v9GDqLH2SNwkjYJkSbsSY

Looking in the config file in /etc/apache2/plesk.conf.d/forwarding
i see a "RedirectPermanent / ...."
and some Alias / Location stuff for letsencrypt.

Clicking the token link forwards me to the destination domain, seems forwarding always happens.

Now if you look in the apache2 docs, you read "Redirect directives take precedence over Alias and ScriptAlias directives"


Then I replaced the RedirectPermanent lines with
RedirectMatch Permanent "^(/(?!\.well-known/acme-challenge/).*)" <traget>
and suddenly the new certificate was installed!

Very strange: After installing the letsencrypt certificate successfully for the one single time, the forwarding_http.conf file gets rebuilt with
RedirectPermanent statements, but then reissuing the certificate seems to work ?!?!
 
Works for me after "plesk repair web" for this particular domain.
Before repair the config-file contains no exemps for the acme-challenges. plesk web repair-tool added this parameters to config-file successfully.
 
I just tried that .. no changes to conf-files.

in the .conf-file for the domain in /etc/apache2/plesk.conf.d/forwarding I have a line
RedirectPermanent / "<destination>"
and below
#extension letsencrypt begin
Alias /.well-known/acme-challenge "/var/www/vhosts/default/htdocs/.well-known/acme-challenge"


the docs for apache 2.4 mod_alias state:
Order of Processing
First, all Redirects are processed before Aliases are processed, and therefore a request that matches a Redirect or RedirectMatch will never have Aliases applied.


This is exactly what I experience ....
 
I just tried that .. no changes to conf-files.

in the .conf-file for the domain in /etc/apache2/plesk.conf.d/forwarding I have a line
RedirectPermanent / "<destination>"
and below
#extension letsencrypt begin
Alias /.well-known/acme-challenge "/var/www/vhosts/default/htdocs/.well-known/acme-challenge"


the docs for apache 2.4 mod_alias state:
Order of Processing
First, all Redirects are processed before Aliases are processed, and therefore a request that matches a Redirect or RedirectMatch will never have Aliases applied.


This is exactly what I experience ....

My config looks same as you state.

It is working like a charm.

Code:
 RedirectPermanent / "<----TARGET URL---->"

        #extension letsencrypt begin
        Alias /.well-known/acme-challenge "/var/www/vhosts/default/htdocs/.well-known/acme-challenge"

        <Location /.well-known/acme-challenge/>
                # Require all granted
                Order Deny,Allow
                Allow from all
                Satisfy any
        </Location>

        <LocationMatch "^/.well-known/acme-challenge/(.*/|)\.">
                # Require all denied
                Order Allow,Deny
                Deny from all
        </LocationMatch>
        #extension letsencrypt end
 
I have the same issue. Lets Encrypt validation fails (when using file verification). cURL confirms.

Code:
# curl http://X.com/.well-known/acme-challenge/y0mtafXXVNQ0CXE6bw9HBATpBhtRV0LSm1ut35v-9l4
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://redirected.to/site/.well-known/acme-challenge/y0mtafXXVNQ0CXE6bw9HBATpBhtRV0LSm1ut35v-9l4">here</a>.</p>
<hr>
<address>Apache Server at X.com Port 80</address>
</body></html>

Vhost configuration for the domain is:

Code:
<VirtualHost x.y.z.a:80 >
  ServerName "x.com"
  ServerAlias "www.x.com"
  ServerAlias "ipv4.x.com"

  <IfModule mod_ssl.c>
    SSLEngine off
  </IfModule>

  RedirectPermanent / "https://redirected.to/site/"

  #extension letsencrypt begin
  Alias /.well-known/acme-challenge "/var/www/vhosts/default/htdocs/.well-known/acme-challenge"

  <Location /.well-known/acme-challenge/>
    # Require all granted
    Order Deny,Allow
    Allow from all
    Satisfy any
  </Location>

  <LocationMatch "^/.well-known/acme-challenge/(.*/|)\.">
    # Require all denied
    Order Allow,Deny
    Deny from all
  </LocationMatch>
  #extension letsencrypt end

  #extension sslit begin

  #extension sslit end

</VirtualHost>

Tried rebuilding configuration files, doesn't matter. Generates the same output.
When I comment out the RedirectPermanent line the validation succeeds. But obviously there is no redirect anymore.
 
The Bug is still existing!!!

on Apache 2.4 "RedirectPermanent" happens first and so the lets-encrypt token can never be accessed.

"Token for authorization is not available at http://<orig-domainname>/.well-known/acme-challenge/GQ-WLfkqqWGbQLIySyLUPSkpj8yIOiA7srok65XSwjs"
... and also https://<orig-domainname>/.well-known/acme-challenge/GQ-WLfkqqWGbQLIySyLUPSkpj8yIOiA7srok65XSwjs


Excluding the auth-token from redirecting fixes the problem:
change (2 times)
RedirectPermanent / "<target>"
to
RedirectMatch Permanent "^(/(?!\.well-known/acme-challenge/).*)" "<traget>"


This problem is now open for more than half a year !!! C'mon plesk, please fix it!
 
Last edited:
Back
Top