
Resolved Let's Encrypt renewal - wildcard seems to want to use http challenge

TomBoB

Silver Pleskian
Server operating system version: AlmaLinux 8.8 latest updates
Plesk version and microupdate number: Version 18.0.56 Update #1
Need help to pinpoint a Let's Encrypt renewal issue.

Please have a look at the image.

Trying to renew using a wildcard cert. Wildcard was not used prior.

Plesk in charge of DNS. A and AAAA records for website and mail are correct and point at the Plesk servers public IPv4 / IPv6. The new CloudFlare extension syncs DNS records (none proxied) to CF name server. That part also works. Domain registry points at the CF name servers.

In my understanding Plesk should create an _acme record for the cert, which is then added to Plesk DNS, which then syncs it to the CF name server. That creation of the _acme record doesn't happen. Instead it seems to be using the HTTP challenge.

I cannot figure out where the issue may lie. Seem to be missing something.

To me the error message indicates it is still using HTTP challenge instead of DNS challenge to validate.

Any help greatly appreciated.

Attachments: lets encrypt renewal issue.jpg
The HTTP challenge is still required, next to the DNS challenge, for issuing (and renewing) wildcard certificates. If I am not mistaken (but I might be wrong on this) the HTTP challenge is performed first, followed by the DNS challenge.
SOLUTION - without finding the actual root cause.

Quadruple checked that the name resolution works, for both IPv4 and IPv6. Fine.
Quadruple checked that the token file can be opened in a browser. Fine.
Quadruple checked permissions. Fine.
Checked all the config files I could find. Apparently Fine. Cross-checked with other servers as well.

Removed and reinstalled Let's Encrypt and SSL It!. Same problem.

All other servers, no issue. Just on this one specific server, this problem happens. To all domains. Including the server cert for the FQDN of the server.

Running out of ideas, I eventually decided to completely restart the server.
That did the trick!! All domains can get certs again. Both via HTTP and via DNS challenge.

Can't tell the root cause. But some service deep inside Plesk seemed to have hung itself.