Forwarded to devs Lets Encrypt not creating/updating DNS record

ViaHosting

Basic Pleskian
User name: ViaHosting

TITLE

Lets Encrypt not creating/updating DNS record

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

OS: Microsoft Windows Server 2019
Product: Plesk Obsidian
Version 18.0.27, last updated on 15/05/2020 17:37

PROBLEM DESCRIPTION

The Let's Encrypt certificates haven't renewed automatically.

When trying to renew manually, I got the following error:

Could not issue an SSL/TLS certificate for xtpo.com.
Details
Could not issue a Let's Encrypt SSL/TLS certificate for xtpo.com. Authorization for the domain failed.
Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/460xxxxxx.

Details:

Type: urn:ietf:params:acme:error:unauthorized

Status: 403

Detail: Incorrect TXT record "yTCcD5h3L2xg_R9SmJmbEqRbnXU36Z_o0rgnGVyo0qY" found at _acme-challenge.xtpo.com


After investigating, I discovered that the problem is that the Let's Encrypt module is not updating the DNS record.
If there is a "_acme-challenge" record, it is not updated.
If there isn't a record, it's not created.


The problem started on Plesk Obsidian 18.0.26.
I tried upgrading to version 18.0.27, but the problem remains.

The temporary solution is to update the DNS record manually before continuing the renewal process.


Complementing the information:
In Linux versions, the problem is a little different.
The certificate isn't renewed automatically either,
but it works if you try manually.

STEPS TO REPRODUCE

Try to renew an expired Let's Encrypt certificate

1-CERTIFICADO.PNG



At this point the DNS record should be updated, but it isn't.
2-DNS.PNG

Note that the value is different from the one shown.


When you click "Reload" (Recarregar):
3-ERRO.PNG


ACTUAL RESULT

Could not issue an SSL/TLS certificate for xtpo.com.
Details
Could not issue a Let's Encrypt SSL/TLS certificate for xtpo.com. Authorization for the domain failed.
Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/460xxxxxx.

Details:

Type: urn:ietf:params:acme:error:unauthorized

Status: 403

Detail: Incorrect TXT record "yTCcD5h3L2xg_R9SmJmbEqRbnXU36Z_o0rgnGVyo0qY" found at _acme-challenge.xtpo.com

EXPECTED RESULT

Certificate renewed

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Thank you for the report.
The developers can't reproduce the issue. Therefore I suggest you contact the Plesk Support Team; investigation directly on your server is required.
 
I think I have the very same problem. Funny enough, only with one of my two domains.

My .com domain went through smoothly (on the same VPS with the same Plesk installation).

Now for my .com.br domain I am running into the following problem: First of all the process starts, but does not finish (with the .com domain I think I didn't even see this message below):
============================================
Started issuing a wildcard SSL/TLS certificate from Let's Encrypt for the domain psyma.com.br.

Please wait while Plesk finishes adding a DNS record with the following parameters:
Record type: TXT
Domain name: _acme-challenge.psyma.com.br
Record: sq3G3oXzhEBqjUZhhe4HwOV734_Jp17wJ8DHE0s_uIk

To terminate and delete the existing certificate request, click "Cancel".

Before clicking "Reload", make sure that the DNS record was added and can be resolved externally.
============================================

After a while I get this:
============================================
Could not issue an SSL/TLS certificate for psyma.com.br
Details
Could not issue a Let's Encrypt SSL/TLS certificate for ###.com.br. Authorization for the domain failed.

Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/6339608042.

Details:

Type: urn:ietf:params:acme:error:unauthorized

Status: 403

Detail: No TXT record found at _acme-challenge.###.com.br
============================================

I have tried various times and it did not work. However, before I moved servers, I had no problems issuing a Let's Encrypt certificate for this ###.com.br domain via cPanel.

Anything I can do? I need to create a certificate. Any chance I can create the TXT record that is missing myself? How and where do I put it?
 
@HoRo TXT record for subdomain was not added to DNS zone of the main domain.
  1. Go to Domains > one.example.com > SSL/TLS Certificates and click Install
  2. When “Please add a DNS record with the following parameters” notification appears, copy the recommended TXT record details
  3. Go to Domains > example.com > DNS Settings and add the DNS record with the specified parameters
  4. Click Update to apply the DNS zone settings
  5. Go to Domains > one.example.com > SSL/TLS Certificates and click Refresh.
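As an added pre-flight check (my own example, not code from Plesk or from anyone in this thread): the dialog says to make sure the TXT record "can be resolved externally" before clicking Reload. This script derives the DNS-01 TXT value the way RFC 8555 defines it (the same value Plesk prints in its dialog), queries a public resolver rather than the Plesk box itself, and maps the answer onto the three outcomes quoted in this thread. It assumes dnspython is installed for the live lookup; the token, thumbprint and resolver address are constructed placeholders.

```python
import base64
import hashlib


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME (RFC 8555, section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.1: token "." base64url(JWK thumbprint of the account key)."""
    return f"{token}.{account_thumbprint}"


def expected_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.4: the TXT value is base64url(SHA-256(key authorization)).
    This is the 43-character string Plesk shows under 'Record:' in its dialog."""
    digest = hashlib.sha256(key_authorization(token, account_thumbprint).encode("ascii")).digest()
    return b64url(digest)


def classify(observed: list, expected: str) -> str:
    """Map what an external resolver returns to the outcomes seen in this thread."""
    if not observed:
        return "No TXT record found"  # record was never created in the zone
    if expected in observed:
        return "ok"  # safe to click Reload
    # Only stale values from an earlier attempt are present; the CA reports the first it sees
    return f'Incorrect TXT record "{observed[0]}" found'


def lookup_txt(name: str, nameserver: str = "1.1.1.1") -> list:
    """Ask a public resolver (assumed address) so the result reflects what the CA sees,
    not the local zone file. Requires dnspython (pip install dnspython)."""
    import dns.resolver
    res = dns.resolver.Resolver(configure=False)
    res.nameservers = [nameserver]
    try:
        answer = res.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return [b"".join(r.strings).decode("ascii") for r in answer]


def preflight(domain: str, expected: str, observed=None) -> str:
    """Check _acme-challenge.<domain>; pass observed=[...] to skip the live query."""
    name = f"_acme-challenge.{domain}"
    if observed is None:
        observed = lookup_txt(name)
    return classify(observed, expected)


if __name__ == "__main__":
    import sys  # usage: python preflight.py one.example.com <TXT value from the Plesk dialog>
    print(preflight(sys.argv[1], sys.argv[2]))
```

For a subdomain such as one.example.com the name queried is _acme-challenge.one.example.com, which is exactly why the record has to live in the example.com zone as described above.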
 
Hi Igor, thank you very much! I will try this. However, in the meantime I also did some more digging and it might be a problem caused by registro.br, because they don't seem to resolve the domain 100% correctly. Need to dig a little bit more into this.
 
Hi Igor,
I tried to do as you described and it worked more or less. There is now a file with _acme-challenge.###.com.br as TXT and with the code the system provided. However, it seems that the certificate still could not be issued.

I get this error message:
=========================================
Could not issue an SSL/TLS certificate for ####.com.br
Details
Could not issue a Let's Encrypt SSL/TLS certificate for ####.com.br. Authorization for the domain failed.

Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/6493586158.

Details:

Type: urn:ietf:params:acme:error:unauthorized

Status: 403

Detail: Incorrect TXT record "#########rUbWql8nz7yCeSo" found at _acme-challenge.###.com.br

==========================================
I am a little lost here. Seem
This is what my Plesk shows, but it seems like the TXT record at _acme-challenge.###.com.br is totally different than this code.

[Image deleted]

This is weird. I just created this entry and it finds an incorrect TXT record. I have recently moved this domain from a CPanel server to a Plesk server. Could it be that there is an old certificate floating around somewhere???
 
OK, so I solved the problem. Don't ask me what the final problem was (I do not have enough experience with this stuff), but I managed to solve it the "Microsoft way". I deleted the site, created it again and there it was, the site was secured, without me asking for a new certificate.
 
Hi,
Could you help, please?
I have this message:
Error: Could not issue a Let's Encrypt SSL/TLS certificate for server.mydomain.com. Authorization for the domain failed.
Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/11239105173.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: No valid IP addresses found for server.mydomain.com
Where do I add the acme record, and is it _acme-v02.api.letsencrypt.org/acme/authz-v3/11239105173?
Please advise!
 
@Vesta I had the same issue yesterday.
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/1123XXX95.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: During secondary validation: DNS problem: query timed out looking up CAA for www.example.com
Maybe you only have to renew it manually in Plesk?
Could not renew Let`s Encrypt certificates for Name (login admin). Please log in to Plesk and renew the certificates listed below manually.
 
@Vesta I had the same issue yesterday.

You only have to renew it manually in Plesk.
Dear Azurel,
Thank you for your response!
Please stay with me and guide me on how to do that! I have no problems dealing with DNS for websites, but I am really struggling with DNS for Plesk! I have 5 domains, all secured properly and function as they should. But server.mydomain.com/IP:8443 is not secured.
How can I do it, please?
 
OK, so I solved the problem. Don't ask me what the final problem was (I do not have enough experience with this stuff), but I managed to solve it the "Microsoft way". I deleted the site, created it again and there it was, the site was secured, without me asking for a new certificate.
Solved my problem..... after 2 weeks of trying to fix it... thanks
 