• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Let's encrypt certificate problem

Zoo3

Regular Pleskian
Last summer I used Let's encrypt as well as Plesk. I have encountered this problem three times since then.

"Could not issue a Let's Encrypt SSL/TLS certificate for DOMAIN" error.


Error: Could not issue a Let's Encrypt SSL/TLS certificate for MY-DOMAIN.

The authorization token is not available at https://MY-DOMAIN/.well-known/acme-challenge/GGGHHHIIIJJJKKK.
The token file '/MY-FULL-PATH/ROOT//.well-known/acme-challenge/GGGHHHIIIJJJKKK' is either unreadable or does not have the read permission.
To resolve the issue, correct the permissions on the token file to make it is possible to download it via the above URL.
See the related Knowledge Base article for details.

Details
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/AAABBBCCCDDDEEEFFF.

Details:
Type: urn:acme:error:unauthorized
Status: 403
Detail: Invalid response from http://MY-DOMAIN/.well-known/acme-challenge/GGGHHHIIIJJJKKK: "<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>"​


Since IPv6 can't be used under my contract, troubleshooting in the above error sentence couldn't be used.

The solution I found is as follows.
Delete error website certificate. Invalid use of SSL/TLS of website, erase additional directive. Once I update the website settings. And delete the .well-known directory. Then restore the setting again. Then install the certificate with Let's Encrypt module.

I asked my close friend this symptom. It was said that this was not a Let's Encrypt but a problem on Plesk side (or a problem with Let's Encrypt plugin in Plesk).

When I first encountered this problem, I didn't know the solution and broke the whole server. This type of problem is very scary.

Is there a way to prevent this authentication problem?

--
CentOS 7.3 / Plesk 17.0.17 update 42
 
Your close friend is wrong. This is neither a Plesk, nor Let's Encrypt issue. It is caused by an inaccessible .well-known directory through the web server. This again is normally caused by either permission errors, directory ownership errors on the parent directory or by rewrite rules that are redirecting all requests to ./well-known or its contents to a different location. It is a very common issue and occurs on bare bone / do-it-yourself-configured servers, too, that are for example using the certbot script.

In order for Let's Encrypt to operate properly you must make sure that the .well-known directory can be written to and read from by the web server. If you encounter the above mentioned error, this is not the case.
 
Thank you for reply.

Since I was writing permission in the error sentence, I attempted to change permission and ownership at the very beginning, but it was not able to solve as a result.
What owner and permission of the .well-known directory should be?
 
Just an elemental question: the domain is working on this server or is pointing to other?
This is a common problem when the domain is pointing to other ip/server and Let's encrypt trying to download the auth from a inexistent directory to authorize this request.

Best regards,
Horacio
 
Back
Top