
Resolved Let's Encrypt unable to renew certificates

Mezan

New Pleskian
Hello,

I am getting the following email from my Plesk server:

Could not issue/renew Let's Encrypt certificates

Could not secure domains of "my server" (login admin) with Let's Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:

<none>

The following domains have been secured without some of their Subject Alternative Names:

<none>

Could not renew Let's Encrypt certificates for "my server" (login admin). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let's Encrypt certificates has failed:

* 'Lets Encrypt xn--mydomai-b0a.domainext' [days to expire: 21]
[-] www.mydomaiñ.domainext
[-] mydomaiñ.domainext
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/<authcode>.
Details:
Type: urn:acme:error:connection
Status: 400
Detail: Fetching https://mydomaiñ.domainext.well-known/acme-challenge/<authcode>: Error getting validation data

The following Let's Encrypt certificates have been renewed without some of their Subject Alternative Names:

<none>

Legend:
[+] This domain is secure. The domain's SSL/TLS certificate from Let's Encrypt has been issued/renewed.
[-] This domain is not secure. Either the domain's SSL/TLS certificate from Let's Encrypt could not be issued/renewed or the domain name was excluded from the certificate. Renew the certificate manually or request a new one to secure this domain.

After going through the email, I noticed that in the request URL, https://mydomaiñ.domainext.well-known/acme-challenge/<authcode> the slash is missing between my domain and .well-known. This is causing the issue.

Please let me know how I can fix this. I am getting the error on all of my domains hosted on the Plesk server.
 
And here is another idea, that will make changes or renames to .htaccess unnecessary for future automated renewals:
Add this rewrite rule code to the beginning of your .htaccess file before any other rewrite rule:
Code:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/.well-known/acme-challenge [NC]
RewriteRule .* - [L]
This will instruct the webserver to stop processing further rules if a request to /.well-known/acme-challenge content is detected. In that case, it will deliver the token; in all other cases it will process the other rewrites of the file as needed for the application.
 
Sorry if I jump into this, but I have a question which I think is well related.

I'm afraid I made a terrible idiocy: after generating my certificates (first time, I just switched to a widespread use of Let's Encrypt) I have... deleted all my /well-known/acme-challenge directories as I understood those were used just for the initial certificates assignment, not for their renewal.

Now I'm afraid my assumption was wrong and I made something terribly stupid. Is this the case? What can I do?

Related: after switching to SSL/LE, I have also moved all my hostings from Nginx+Apache to Nginx-only. Some sites are Joomla sites and the routing for Joomla asks for all URIs to be delivered to Joomla, so if I go to http://joomla.example.com/well-known/acme-challenge, I'm getting a 404 generated by Joomla. Should I put some rule in my nginx configuration to handle ^/.well-known/acme-challenge before it is dispatched to Joomla?

TIA, everybody!
 
P.S.: the routing for Joomla is done in such a way that if a URI exists as a file or as a directory, it will be taken as it is, so, maybe it is just a matter of re-creating those directories... but... there was "stuff" in them that I don't have anymore...
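
Added example, not part of any post in this thread and not Plesk's or Let's Encrypt's code: a pre-renewal check for the two situations discussed above (the .htaccess exemption rule and the Joomla routing question). It places a throwaway token under /.well-known/acme-challenge/ and reads it back over HTTP. The function names, and the assumption that `docroot` is the directory the web server serves for the domain, are hypothetical.

```python
import secrets
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def challenge_url(domain: str, token: str) -> str:
    """Build the HTTP-01 URL; IDN labels are converted to their xn-- form."""
    host = domain.encode("idna").decode("ascii")
    return f"http://{host}{CHALLENGE_PATH}{token}"


def http_fetch(url: str, timeout: float = 10.0):
    """Return (status, body) for a plain GET; HTTP errors are not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(domain: str, docroot: str, fetch=http_fetch):
    """Place a throwaway token in the docroot and try to read it back.

    Assumption: docroot is the directory the web server serves for domain.
    Returns (ok, detail). A failure means a rewrite rule, a CMS front
    controller or a proxy rule answered instead of the static file.
    """
    token = "probe-" + secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32).encode()
    target = Path(docroot) / CHALLENGE_PATH.strip("/") / token
    target.parent.mkdir(parents=True, exist_ok=True)  # recreates a deleted directory
    target.write_bytes(body)
    try:
        status, got = fetch(challenge_url(domain, token))
    except OSError as err:  # DNS failure, refused connection, timeout
        return False, f"connection error: {err}"
    finally:
        target.unlink()  # never leave the probe file behind
    if status != 200:
        return False, f"HTTP {status} instead of the token file"
    if got.strip() != body:
        return False, "HTTP 200 but the body is not the token (rewritten page?)"
    return True, "token served unchanged"
```

Run `probe("mydomaiñ.domainext", "/path/to/docroot")` on the server itself; the `fetch` parameter exists so the check can be exercised without network access.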
 
Thank you everyone for your help. I really appreciate it. :)

While I was waiting, I used Security Advisor and issued Symantec Basic SSL certificates. So I am good now. But the thing is I am still getting emails from the Let's Encrypt extension. How do I stop these emails? Those domains are now protected using Symantec Basic SSL certificates.
 
I believe the LE emails have instructions for disabling or opting out of all LE emails in them.

You only want to go with this option if you have gone with a totally different service as you have done, though.

Also, the emails will stop eventually on their own, after all the warnings for past attempts at issuing certs have expired.
 