
Issue Plesk 18.0.70 and Could not issue/renew Let's Encrypt certificates

kristobal1969

New Pleskian
Server operating system version
Ubuntu 22.04.5 LTS
Plesk version and microupdate number
Plesk Obsidian 18.0.70 Update #2
Hello,
Since the upgrade to Plesk 18.0.70 (with Update #2), I have been getting messages from Plesk about all my domains every day, even though the renewal is not due now but in July or August, and even for domains whose SSL was renewed yesterday (24 June 2025).
Here is a message:
Plesk
Could not secure domains of Guillot FGA (login ****) with Let`s Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:

** 'fgamenagement.fr' **
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/2019333767/541581285921
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: DNS problem: NXDOMAIN looking up A for mail.fgamenagement.fr - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for mail.fgamenagement.fr - check that a DNS record exists for this domain

The following domains have been secured without some of their Subject Alternative Names:

<none>

Could not renew Let`s Encrypt certificates for Guillot FGA (login ****). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let`s Encrypt certificates has failed:

<none>

The following Let`s Encrypt certificates have been renewed without some of their Subject Alternative Names:

<none>


Legend:
[+] This domain is secure. The domain's SSL/TLS certificate from Let`s Encrypt has been issued/renewed.
[-] This domain is not secure. Either the domain's SSL/TLS certificate from Let`s Encrypt could not be issued/renewed or the domain name was excluded from the certificate. Renew the certificate manually or request a new one to secure this domain.

Do you know what is wrong?
Regards
Kris
 
I do not think it is the problem because the information is already in the DNS and it worked well before upgrading to Plesk 18.0.70.

Since I reissued the certificate with "Secure the wildcard domain (including www and webmail)" I have had no more messages. Maybe the certificate just needed to be manually reinstalled in order to work properly. Maybe the wildcard has no implication, but as it is more complex to install, I guess it is safer anyway.

I hope my experience will help people who have the same problem. I find it strange that nobody has posted this issue here.
 

We have the same Issue here, you are not alone.
 
What is the message exactly?
As I wrote, reissuing the certificate (with wildcard at least, and of course installing the information for Let's Encrypt in the external DNS and waiting for propagation before validating the certificate in Plesk) worked for me for all my domains. It can be something similar to this:

_acme-challenge.azcommunication.fr. 500 TXT "O7niuzwo4zerA0is9bO7C4guiNqrk4a-hYg2Kimj4tk"
 

Could not secure domains of Max Mustermann (login example) with Let`s Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:

<none>

The following domains have been secured without some of their Subject Alternative Names:

<none>

Could not renew Let`s Encrypt certificates for Max Mustermann (login example). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let`s Encrypt certificates has failed:

** 'Lets Encrypt example.xyz' [days to expire: 16] **
[-] *.example.xyz
[-] example.xyz

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/XXXX/YYYY
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Incorrect TXT record "5iLXXXXXXXXXXXXXXXXXXXXXXXXX" found at _acme-challenge.example.xyz

The following Let`s Encrypt certificates have been renewed without some of their Subject Alternative Names:

<none>


Legend:
[+] This domain is secure. The domain's SSL/TLS certificate from Let`s Encrypt has been issued/renewed.
[-] This domain is not secure. Either the domain's SSL/TLS certificate from Let`s Encrypt could not be issued/renewed or the domain name was excluded from the certificate. Renew the certificate manually or request a new one to secure this domain


In the past this worked fine.
The DNS record shows that this is the key from the last successful renewal.
 
Have you installed the newly generated TXT record in your external DNS? Not the ones in Plesk but the one at your registrar?
 
We're facing somewhat similar problems with Obsidian 18.0.71 on Windows; this problem has been going on for some months.
In our case we find that it has suddenly renewed the example.com certificate but not the one for www.example.com, and now the page shows a certificate error.
We've even tried to enable the "Keep websites secure" checkbox for all the domains, but when the certificate hasn't been renewed we see that the checkbox is now unchecked.
At the moment we're running an automatic scan of all the domains every morning to find out which ones have been incorrectly renewed, and then we log in to Plesk, check "Keep websites secure" for the www. option, and then it's automatically corrected. Sometimes I've tried to manually renew the certificate to speed things up, and in that case sometimes I also get an error stating that it hasn't been possible to renew it (it might state error 400 IRC), but usually the second time it works properly.
So we're sure that in our case it's a problem in (Plesk/the SSL Extension) because it forgets to renew the certificate properly; it's not due to DNS entries.
 
Some prerequisites I've seen re Plesk and Let's Encrypt:

If your server has both IPv4 and IPv6 addresses, LE will use the IPv6, so ensure all AAAA records are created in addition to any IPv4 A records.
If your existing SSL does not include www (or a wildcard), then ensure the preferred domain setting (Hosting Settings) is not using www.domain.tld (use domain.tld).

As long as the correct domain is loaded and not rewritten by the proxy (matching both the existing and soon-to-be-issued SSL certificate), your A and AAAA records are in place and you've checked the TXT record is resolvable (check using an online tool), there should be no reason LE would be unable to issue a renewal cert automatically.

I've had this issue myself and it was due to IPv6 not reaching my server.

If all of the above is correct and it still doesn't work, check you can reach the server via its IPv6 address (as this is what LE will be trying).
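Added example, not part of the thread and not Plesk's own code: a preflight check covering the failure modes reported above (a certificate name with no A/AAAA record, an AAAA record that does not reach the server, and a leftover `_acme-challenge` TXT value). The `lookup` and `reach_v6` callables, the `example.test` names and the documentation-range addresses are assumptions standing in for real DNS queries and a real connection test.

```python
import base64
import hashlib

def dns01_txt_value(key_authorization):
    """RFC 8555 dns-01: TXT value is unpadded base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def preflight(names, lookup, reach_v6, expected_txt=None):
    """Return (name, problem) findings for the names a certificate will cover.
    lookup(name, rrtype) -> list of record strings, [] when nothing resolves
    reach_v6(address)    -> True if the web server answers on that IPv6 address
    expected_txt         -> dns-01 only: {base domain: TXT value the client issued}
    """
    findings = []
    for name in names:
        if name.startswith("*."):
            continue  # wildcards are validated by dns-01 on the base domain
        a, aaaa = lookup(name, "A"), lookup(name, "AAAA")
        if not a and not aaaa:
            findings.append((name, "no A or AAAA record"))
        for addr in aaaa:
            if not reach_v6(addr):
                findings.append((name, "AAAA %s published but unreachable" % addr))
    for base, want in (expected_txt or {}).items():
        published = lookup("_acme-challenge." + base, "TXT")
        if not published:
            findings.append((base, "challenge TXT record missing"))
        elif want not in published:
            findings.append((base, "challenge TXT record is stale"))
    return findings

# Constructed sample zone: no mail. record, a dead AAAA, a TXT from an old renewal.
OLD = dns01_txt_value("old-token.constructed-thumbprint")
NEW = dns01_txt_value("new-token.constructed-thumbprint")
ZONE = {
    ("example.test", "A"): ["192.0.2.10"],
    ("www.example.test", "A"): ["192.0.2.10"],
    ("www.example.test", "AAAA"): ["2001:db8::10"],
    ("_acme-challenge.example.test", "TXT"): [OLD],
}

def demo():
    names = ["example.test", "*.example.test", "www.example.test", "mail.example.test"]
    lookup = lambda name, rrtype: ZONE.get((name, rrtype), [])
    return preflight(names, lookup, lambda addr: False, {"example.test": NEW})

if __name__ == "__main__":
    print("\n".join("%s -> %s" % f for f in demo()))
```

Against a live zone, `lookup` should query the authoritative or a public resolver rather than the Plesk server's local DNS, since the thread's failures involved records hosted at an external registrar.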
 