
Input Let's Encrypt false positive 403 response when used with certain e-mail addresses

Bitpalast

We found that Let's Encrypt delivers false "403" responses when trying to create a certificate, although the web server delivers the token with a 200 OK code, the token can be retrieved by a browser, and DNS is set correctly and propagated all through the internet. Nevertheless, for one customer it was impossible to create a Let's Encrypt certificate. We always got the "403" response and the notice that the token does not match the challenge.

This error message is wrong. The true reason for the failure was the e-mail address that was used as the notification e-mail address. Its structure was
[email protected]
We do not know why the specific e-mail address of the customer has caused Let's Encrypt to deny validation of the certificate request and to respond with a "Status: 403", but when we used a different e-mail address as the notification address upon certificate creation, the certificate could be created without any issues.
 
Thank you Peter.
I could not reproduce the problem: I used a [email protected] address, and the certificate was issued. Maybe something else provoked the error, but when a new email was used, a registration was created anew and the problem resolved itself? Although it sounds weird. Maybe there were some other features? What version of LE, Plesk, OS?
 
I've tested this for half a day. I know it's weird, because the error message does not refer to the mail address, but rather to a typical inaccessibility issue of the token file. But that was surely accessible. I had tested this through different subscriptions, different domains and subdomains, and all worked except the one where that specific mail address was used. The mail address, however, is a normal gmail mail address. I cannot imagine why this is happening either, but I wanted to report it here, because someone else might run into a similar weird issue with it.
 
I found that this very strange error might be linked to the new ECDSA option for Let's Encrypt certificates in Plesk. It seems that the software cannot handle this certificate type fully correctly.

Do not use
Code:
[ext-letsencrypt]
key-algorithm = ECDSA
ecdsa-curve-name = prime256v1 ; can be omitted
in panel.ini for the time being.
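As an added example (not from this thread and not Plesk's own code), the following POSIX shell script reads a panel.ini section by section and reports whether the `[ext-letsencrypt]` `key-algorithm = ECDSA` setting from the post above is in effect, ignoring a same-named key in any other section and an inline `;` comment. The sample INI contents, the temporary file paths and the second section name are constructed for the demonstration, and treating a missing key as RSA is an assumption about the Plesk default.

```shell
#!/bin/sh
# Added example: section-aware scan of a panel.ini for the
# [ext-letsencrypt] key-algorithm setting. Not from the thread or Plesk.

# Print the value of key-algorithm inside [ext-letsencrypt] in file $1.
# Prints "RSA" when the key is absent (assumed Plesk default).
le_key_algorithm() {
    awk '
        # A line starting with "[" opens a new section; remember its name.
        /^[[:space:]]*\[/ {
            sub(/^[[:space:]]*\[/, "")
            sub(/].*$/, "")
            section = tolower($0)
            next
        }
        # Only inside [ext-letsencrypt]: take the value after "=",
        # drop an inline ";" comment and surrounding whitespace.
        section == "ext-letsencrypt" && /^[[:space:]]*key-algorithm[[:space:]]*=/ {
            sub(/^[^=]*=/, "")
            sub(/;.*$/, "")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "")
            value = toupper($0)
        }
        END { print (value == "" ? "RSA" : value) }
    ' "$1"
}

# Return 0 (and warn on stderr) when ECDSA is enabled, 1 otherwise.
check_le_key_algorithm() {
    algo=$(le_key_algorithm "$1")
    if [ "$algo" = "ECDSA" ]; then
        echo "WARNING: $1 sets key-algorithm = ECDSA in [ext-letsencrypt]" >&2
        return 0
    fi
    echo "$1: key-algorithm is $algo"
    return 1
}

# Constructed sample files (contents and paths are made up for this example).
tmpdir=$(mktemp -d)
cat > "$tmpdir/panel-ecdsa.ini" <<'EOF'
[ext-letsencrypt]
key-algorithm = ECDSA
ecdsa-curve-name = prime256v1 ; can be omitted
EOF
cat > "$tmpdir/panel-default.ini" <<'EOF'
[ext-letsencrypt]
; key-algorithm not set here, so the default applies
[ext-hypothetical-other]
key-algorithm = ECDSA ; belongs to another section and must be ignored
EOF

check_le_key_algorithm "$tmpdir/panel-ecdsa.ini" || true
check_le_key_algorithm "$tmpdir/panel-default.ini" || true
rm -rf "$tmpdir"
```

Run it as-is to see the two sample verdicts, or source the file and call `check_le_key_algorithm /path/to/panel.ini` against a real copy; a zero exit status means the ECDSA option the post advises against is active.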
 