
Resolved Permission problems with Let's Encrypt Extension

hansitheking

Basic Pleskian
At the moment I can't renew certificates with the Let's Encrypt Plesk extension. I always receive this error:

Code:
Error: Let's Encrypt SSL certificate installation failed: Challenge marked as invalid. Details: Could not connect to example.com

On requesting a new certificate for a domain, the following error can be found in the panel.log:

Code:
PHP Warning: mkdir(): Permission denied; File: /opt/psa/admin/plib/modules/letsencrypt/library/Deploy/CertBotStorage.php, Line: 67

Let's Encrypt Extension: 2.1.0-48
Plesk: Version 17.5.3 Update #6

I already removed and reinstalled Let's Encrypt Extension as described in this post Upgrade Let's Encrypt failing, Plesk 17.5.3

Any ideas how to solve this?
 
Is the domain configured as a parked domain or redirected domain? Are rewrite rules redirecting requests? Is the domain actually routing to the host where you are trying to install the certificate? Is the domain accessible through a browser?
 
Is the domain configured as a parked domain or redirected domain?
No, just a normal subscription with one active domain.

Is the domain actually routing to the host where you are trying to install the certificate?
Yes, all the domains (I tested with several) are normally accessible through the browser and all DNS settings are OK.

Are rewrite rules redirecting requests?
There are no rewrite rules or redirects in the Apache config. Even the redirect in hosting settings (Permanent SEO-safe 301 redirect from HTTP to HTTPS) is disabled (which is not necessary).

But I found the solution (IPv6 interface was broken!)
The behaviour of the problem was that sometimes it was failing and sometimes not; it was a bit 50/50. This seemed strange to me. Therefore I checked the network connection to my server. The IPv4 connection was OK but the IPv6 connection was broken. After fixing the IPv6 connection the issue was gone!

Thank you very much for your questions, Peter. You forced me to double-check everything :)
 
Hi,

I am having the same problems. Great that you found a solution, Hans. However, for me it's not working.
IPv6 is disabled on my server. Also, for some domains the cert requests work, for others not.

Problems both with a normal subscription and with an alias (on another subscription).
All DNS are pointed correctly.
No rewrite rules or redirecting requests as far as I know.

Thanks in advance for the help.

Let's Encrypt 2.1.0 / Version 17.0.17 Update #26
 
Hi Peter, Thanks for your reply. My error is the same as in the first post of this thread:
Error: Let's Encrypt SSL certificate installation failed: Challenge marked as invalid. Details: Could not connect to example.com
 
I recently had a similar issue. Uninstalling and re-installing the Let's Encrypt extension fixed the issue.

Not sure whether it has anything to do with the recent update of this extension.
 
It could be caused by incorrect permissions in the virtual host structure. You can try these steps to correct permissions.

1) Verify that the subscription directory /var/www/vhosts/SUBSCRIPTION-NAME is owned by the subscription user, belongs to group psaserv and has exactly permissions rwxr-xr-x.

2) Verify that your domain directory that descends from your subscription directory /var/www/vhosts/SUBSCRIPTION-NAME/DOMAIN-NAME (or /httpdocs) is owned by the subscription user, belongs to group psaserv and has at least permissions rwxr-x--- or less secure.

3) Run
# /usr/local/psa/bin/repair --restore-vhosts-permissions
to ensure that all virtual host permissions are set to the values they ought to have in a default Plesk installation.

4) Try cert creation again.

I would like to add that I have only seen similar issues when any type of rewriting took place.
 
Thanks for your help. Still no result though :(

1) Result of: ls -la /var/www/vhosts/
drwx--x--- 5 internetfit psaserv 49 May 24 17:33 internetfitness.nl

2) Result of: ls -la /var/www/vhosts/internetfitness.nl/
total 8
drwx--x--- 5 internetfit psaserv 49 May 24 17:33 .
drwxr-xr-x. 77 root root 4096 May 24 17:33 ..
drwxr-xr-x 2 internetfit psaserv 4096 May 24 17:33 error_docs
drwxr-x--- 5 internetfit psaserv 72 May 24 22:45 httpdocs
drwx------ 2 internetfit root 22 May 24 17:33 logs

3) Ran the command.
4) Error: Let's Encrypt SSL certificate installation failed: Challenge marked as invalid. Details: Could not connect to internetfitness.nl

(Image of DNS Settings..)
 
Does the IPv6 address match exactly what is configured in the domain's subscription setting, including the last digit? Is IPv6 enabled for the domain at all?

My guess is that the web space is not accessible by IPv6 for some reason. It could be that the server is configured incorrectly or that the subscription is only activated for IPv4 but not for IPv6. Would it be possible to remove the IPv6 entry from your DNS record or would that cause any issues with services you need on IPv6? If it is possible for you, I recommend removing it, then waiting a few hours, then testing the cert creation again.
 
That's the fix! Thanks! Just activated IPv6 on the domain and the cert came through.
On another domain, I deleted the AAAA record and that cert now also came through.

Thanks a lot! :D
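
The failure this thread converged on, a published AAAA record whose IPv6 endpoint does not answer, can be checked per address family before a certificate is requested. The following is an added example, not part of any post above and not code from the Plesk extension; `fetch_status`, `probe_families`, `diagnose` and the probe path are hypothetical names chosen for illustration.

```python
import http.client
import socket

# Constructed path: a 404 from the web server still proves the address is reachable.
PROBE_PATH = "/.well-known/acme-challenge/probe"

def fetch_status(addr, host, path=PROBE_PATH, timeout=5.0):
    """HTTP status one specific address returns for `host`, or None if unreachable."""
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        # Connect to the literal address but ask for the domain's virtual host.
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def probe_families(host, resolve=socket.getaddrinfo, fetch=fetch_status):
    """Map every published A/AAAA address to the status it serves on port 80."""
    names = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}
    report = {"IPv4": {}, "IPv6": {}}
    try:
        infos = resolve(host, 80, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return report
    for family, _type, _proto, _canon, sockaddr in infos:
        if family in names:
            report[names[family]][sockaddr[0]] = fetch(sockaddr[0], host)
    return report

def diagnose(report):
    """Name the address family, if any, that would break HTTP validation."""
    v4, v6 = report["IPv4"], report["IPv6"]
    if not v4 and not v6:
        return "no A or AAAA record resolves"
    if None in v6.values():
        return "AAAA record published but host unreachable over IPv6"
    if None in v4.values():
        return "A record published but host unreachable over IPv4"
    return "all published addresses answer on port 80"

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, diagnose(probe_families(name)))
```

Run it from a machine outside the server that has working IPv6 itself; otherwise an IPv6 failure reflects the probing host rather than the domain.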
 