
Issue Lets Encrypt Not Successful over port 80

Daiv
New Pleskian
Server operating system version: Ubuntu 22.04.4 LTS
Plesk version and microupdate number: 18.0.59 Update #2
Hello, the letsencrypt cert for one of my domains failed to renew automatically and I cannot renew it manually. I get the following error in plesk when I try to assign the certificate:

Could not issue an SSL/TLS certificate for domain.com
Details
Could not issue a Let's Encrypt SSL/TLS certificate for domain.com. Authorization for the domain failed.

Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/333728792367.

Details:

Type: urn:ietf:params:acme:error:dns

Status: 400

Detail: 52.71.31.112: Fetching https://www.domain.com/.well-known/acme-challenge/IMcVNgKNtrCm6fdzjyyHISKCcVh3HaG_2D2NzVVKblE: DNS problem: server failure at resolver looking up A for www.domain.com; DNS problem: server failure at resolver looking up AAAA for www.domain.com

I used let's debug and it gave me the following response:

ANotWorking
ERROR
domain.com has an A (IPv4) record (52.71.31.112) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with domain.com/52.71.31.112: Get "https://www.domain.com/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://domain.com/.well-known/acme-challenge/letsdebug-test (using initial IP 52.71.31.112)
@0ms: Dialing 52.71.31.112
@205ms: Server response: HTTP 301 Moved Permanently
@205ms: Received redirect to https://www.domain.com/.well-known/acme-challenge/letsdebug-test
@10001ms: Experienced error: context deadline exceeded

IssueFromLetsEncrypt
ERROR
A test authorization for domain.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
52.71.31.112: Fetching https://www.domain.com/.well-known/acme-challenge/_O2_EUGrR_rahzBUa6NVQNf6iGJD4XURtKfV31Qe02k: DNS problem: server failure at resolver looking up A for www.domain.com; DNS problem: server failure at resolver looking up AAAA for www.domain.com
 
To me it looks like the errors from Let's Debug seem to contradict each other: specifying a DNS/lookup issue, but at the same time successfully accessing the URL and getting redirected. Kinda confusing.
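The following is an added example, not code from the post, from Let's Debug or from Plesk. It replays offline the path an HTTP-01 validator walks: resolve the host, request the challenge URL on port 80 without following redirects, then resolve the redirect target and classify what failed. The resolver and fetcher are injected; the `fake_*` functions are constructed from the values quoted in the output above (the 52.71.31.112 address, the 301 to the www host over HTTPS, the resolver SERVFAIL on www.domain.com). Run on that scenario it shows how both reports fit together: the apex host did answer on port 80, and it is the redirect target www.domain.com that the resolver could not look up. The second fetcher models the same server once the challenge path is answered directly over HTTP instead of being redirected; the redirect cap of 10 is an assumed value.

```python
"""Offline replay of an ACME HTTP-01 validation path with injected DNS and HTTP."""
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlparse

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class DnsServfail(Exception):
    """Raised by a resolver callback when the recursive resolver answers SERVFAIL."""


@dataclass
class HttpResponse:
    status: int
    location: Optional[str] = None  # Location header, present on redirects


@dataclass
class Finding:
    kind: str      # "ok", "dns_servfail", "no_address", "redirect_leaves_challenge_path", ...
    host: str      # host name the finding applies to
    hops: list = field(default_factory=list)  # one (url, ip, status) per request made
    detail: str = ""


# (name, rrtype) -> list of addresses; may raise DnsServfail
Resolver = Callable[[str, str], list]
# (url, ip) -> HttpResponse for ONE request; redirects are not followed here
Fetcher = Callable[[str, str], HttpResponse]


def resolve_all(host: str, resolve: Resolver):
    """Look up A and AAAA as a validator does; return (addresses, error messages)."""
    addrs, errors = [], []
    for rrtype in ("A", "AAAA"):
        try:
            addrs.extend(resolve(host, rrtype))
        except DnsServfail as exc:
            errors.append(str(exc))
    return addrs, errors


def diagnose_http01(domain: str, token: str, resolve: Resolver, fetch: Fetcher,
                    max_redirects: int = 10) -> Finding:
    """Walk the challenge URL and every redirect, resolving each hop's host first."""
    url = f"http://{domain}{CHALLENGE_PREFIX}{token}"
    hops = []
    for _ in range(max_redirects + 1):
        host = urlparse(url).hostname
        addrs, errors = resolve_all(host, resolve)
        if not addrs:
            kind = "dns_servfail" if errors else "no_address"
            return Finding(kind, host, hops, "; ".join(errors) or f"no A/AAAA record for {host}")
        resp = fetch(url, addrs[0])
        hops.append((url, addrs[0], resp.status))
        if resp.status in REDIRECT_STATUSES:
            if not resp.location:
                return Finding("bad_redirect", host, hops, "redirect without Location header")
            # A redirect is only useful if the target still points at the challenge path.
            if not urlparse(resp.location).path.startswith(CHALLENGE_PREFIX):
                return Finding("redirect_leaves_challenge_path", host, hops, resp.location)
            url = resp.location
            continue
        if resp.status == 200:
            return Finding("ok", host, hops, "challenge file reachable")
        return Finding("http_error", host, hops, f"HTTP {resp.status}")
    return Finding("too_many_redirects", urlparse(url).hostname, hops, "")


# ---- constructed replay of the thread's scenario; no real network traffic ----
def fake_resolve(name: str, rrtype: str) -> list:
    """Apex resolves to the address from the post; the www host gets SERVFAIL."""
    if name == "domain.com":
        return ["52.71.31.112"] if rrtype == "A" else []
    raise DnsServfail(f"server failure at resolver looking up {rrtype} for {name}")


def fake_fetch_seo_redirect(url: str, ip: str) -> HttpResponse:
    """Port 80 on the apex answers with the 301 to https://www... seen in the trace."""
    if url.startswith("http://domain.com/"):
        return HttpResponse(301, "https://www.domain.com" + urlparse(url).path)
    return HttpResponse(200)


def fake_fetch_challenge_exempt(url: str, ip: str) -> HttpResponse:
    """Same server, but the challenge path is served directly instead of redirected."""
    path = urlparse(url).path
    if path.startswith(CHALLENGE_PREFIX):
        return HttpResponse(200)
    return HttpResponse(301, "https://www.domain.com" + path)


if __name__ == "__main__":
    broken = diagnose_http01("domain.com", "letsdebug-test", fake_resolve, fake_fetch_seo_redirect)
    print(broken.kind, broken.host, broken.hops, broken.detail, sep="\n")
    fixed = diagnose_http01("domain.com", "letsdebug-test", fake_resolve, fake_fetch_challenge_exempt)
    print(fixed.kind, fixed.hops, sep="\n")
```

The first run ends with `dns_servfail` for `www.domain.com` after one successful hop (the 301 from 52.71.31.112), which is the same sequence the Let's Debug trace records; the second run returns `ok` on the first hop because no redirect is issued for the challenge path.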

Did the domain get transferred or did DNS records get pointed to another IP? If that's the case I would suggest waiting till the TTL has expired and trying again later.
 
Hello and thank you for the reply. This is indeed confusing. No changes of any kind were made. The autorenew failed and I became aware of the issue only because of the browser privacy error message. We reviewed the DNS records and could not find anything. We were able to issue a cert for the domain without www - just domain.com, but www.domain.com is still giving the error. I searched the forums here and elsewhere and I have not found this issue specifically. For example, the "similar threads" listed below are all getting a different error message. I just hope this doesn't happen as my other domains start to auto renew.
 
I'm facing the same issue and nothing has changed on our end either. Only recent update is Plesk Obsidian upgraded to new version. Please post a resolution if/when you have one. Thanks!
 
Hello. We found a solution: The issue was resolved by renaming the .well_known folder in /httpdocs for the website, and reissuing the certificate again.

I do not know why this worked or what caused it in the first place. If I can figure out anything in that regard, I will include that here. But at least those who have a similar problem can try this solution.
 
OK, here is some additional info:

Normally this happens when SEO HTTP to HTTPS redirection is turned on during the first attempt.
In this case just turning it off didn't help; because of that, the whole .well_known folder was renamed.
For the next domains, make sure that option is disabled when the certificate is first issued and it should be okay.
As reference:
https://support.plesk.com/hc/en-us/articles/12377318940055

I would mark this thread "resolved", but I can't see how that is done.
 
I do not believe that this is the correct solution, because by default Plesk does not store the token inside the website, but in an aliased virtual directory that can also be accessed if the website cannot. Plus, the DNS check clearly shows a DNS error. It might work "accidentally" for some attempts, but not reliably.
 
I don't know what I can say. That was the solution from my trouble ticket on support.plesk.com - I seem to be stuck between the "plesk guru" and the official Plesk Technical Support Engineer. What would you advise I do? Because I certainly don't know more than either of you guys. And he had full access to the server.
 