• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Lets Encrypt Not Successful over port 80

Daiv

New Pleskian
Server operating system version
Ubuntu 22.04.4 LTS
Plesk version and microupdate number
18.0.59 Update #2
Hello, the letsencrypt cert for one of my domains failed to renew automatically and I cannot renew it manually. I get the following error in plesk when I try to assign the certificate:

Could not issue an SSL/TLS certificate for domain.com
Details
Could not issue a Let's Encrypt SSL/TLS certificate for domain.com. Authorization for the domain failed.

Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/333728792367.

Details:

Type: urn:ietf:params:acme:error:dns

Status: 400

Detail: 52.71.31.112: Fetching https://www.domain.com/.well-known/acme-challenge/IMcVNgKNtrCm6fdzjyyHISKCcVh3HaG_2D2NzVVKblE: DNS problem: server failure at resolver looking up A for www.domain.com; DNS problem: server failure at resolver looking up AAAA for www.domain.com

I used let's debug and it gave me the following response:

ANotWorking
ERROR
domain.com has an A (IPv4) record (52.71.31.112) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with domain.com/52.71.31.112: Get "https://www.domain.com/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://domain.com/.well-known/acme-challenge/letsdebug-test (using initial IP 52.71.31.112)
@0ms: Dialing 52.71.31.112
@205ms: Server response: HTTP 301 Moved Permanently
@205ms: Received redirect to https://www.domain.com/.well-known/acme-challenge/letsdebug-test
@10001ms: Experienced error: context deadline exceeded

IssueFromLetsEncrypt
ERROR
A test authorization for domain.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
52.71.31.112: Fetching https://www.domain.com/.well-known/acme-challenge/_O2_EUGrR_rahzBUa6NVQNf6iGJD4XURtKfV31Qe02k: DNS problem: server failure at resolver looking up A for www.domain.com; DNS problem: server failure at resolver looking up AAAA for www.domain.com
 
To me it looks like the errors from Let Debug seems to contradict each other. Specifying a DNS/lookup issue, but at the same the successfully accessing the URL and getting redirected. Kinda confusing.

Did the domain got transferred or did DNS records got pointed to another IP? If that's the case I would suggest to wait till the TTL has expired and try again later.
 
Hello and thank you for the reply. This is indeed confusing. No changes of any kind were made. The autorenew failed and I became aware of the issue only because of the browser privacy error message. We reviewed the DNS records and could not find anything. We were able to issue a cert for the domain without www - just domain.com , but the www.domain.com is still giving the error. I searched the forums here and elsewhere and I have not found this issue specifically. For example, the "similar threads" listed below are all getting a different error message. I just hope this doesn't happen as my other domains start to auto renw.
 
I'm facing the same issue and nothing has changed on our end either. Only recent update is Plesk Obsidian upgraded to new version. Please post a resolution if/when you have one. Thanks!
 
Hello. We found a solution: The issue was resolved by renaming the .well_known folder in /httpdocs for the website, and reissuing the certificate again.

I do not know why this worked or what caused it in the first place. If I can figure out anything in that regard, I will include that here. But at least those who have a similar problem can try this solution.
 
OK, here is some additional info:

Normally this happens when SEO HTTP to HTTPS redirection is turned on in the first attempt.
In this case just turning it off didn't help, because of that the whole .well_known folder was renamed.
For next domains, make sure that option is disabled in the first issue of the certificate and should be okay.
As reference:
https://support.plesk.com/hc/en-us/articles/12377318940055

I would mark this thread "resolved", but I can't see how that is done.
 
I do not believe that this is the correct solution, because by default Plesk does not store the token inside the website, but in an aliased virtual directory that can also be accessed if the website cannot. Plus, the DNS check clearly shows a DNS error. It might work "accidentally" for some attempts, but not reliably.
 
I don't know what I can say. That was the solution from my trouble ticket on support.plesk.com - I seem to be stuck between the "plesk guru" and the official Plesk Technical Support Engineer. What would you advise I do? Because I certainly don't know more than either of you guys. And he had full access to the server.
 
Back
Top