Resolved Let's Encrypt unclear renewal failure

[Bitpalast]

Onyx 17.0, CentOS 7.3, 64-Bit

Error message on certificate renewal of an add-on domain with web space:

[2017-04-28 15:30:06] ERR [extension/letsencrypt] Cannot renew certificate on domain DOMAIN-1.TLD with error: Challenge marked as invalid. Details: Could not connect to www.DOMAIN-2.TLD.well-known

Subscription is on domain "DOMAIN-1.TLD", an add-on domain is "DOMAIN-2.TLD". The "www" checkbox was set in Let's Encrypt, a valid, working certfificate exists for DOMAIN-2.TLD. The file permissions for subscription and add-on domain are the Plesk default permissions, the website is accessible. It is a Wordpress installation from the applications repository. The website is in "maintenance" mode.

Why is the renewal failing?

 

[UFHH01]

Hi Peter,

there is currently a "/" missing after the ...TLD , but I'm not yet sure why.

 

[Bitpalast]

So this means that currently no certificates can be renewed?

 

[UFHH01]

Sorry @Peter Debik ... I have to investigate the issue first and the root cause(s).

*Update*

Same issue is a currently open bug - report ( but for subdomains ) at: => Cannot renew certifcate because of wrong url · Issue #153 · plesk/letsencrypt-plesk · GitHub
I wonder why no one from Plesk responded there...

 

[Bitpalast]

Maybe it's for the site's "maintenance mode"? Maybe a rewrite issue?

 

[Bitpalast]

o.k., I have reported it here
SSL certificate renewal is failing for an add-on domain, slash missing from "/.well-known"
because this is urgent if it is a bug. It will cause hundreds of unhappy customers soon ...

 

[Bitpalast]

This issue was resolved. The customer has created a 301 redirect in her .htaccess file. The Let's Encrypt verification followed that redirect and failed to verify the domain. The certificate on that domain has been removed by us, because it makes no sense to have a cert on a redirect.