• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Renew Let's encrypt cert failed after added inbound rule for aws ec2

P

peteeeeeee

New Pleskian
Server operating system version
CentOS Linux 7.9.2009 (Core)
Plesk version and microupdate number
Plesk Obsidian Version 18.0.52
I am hosting Plesk in aws ec2, recently added some security group inbound rules, and let's encrypt seems cannot renew. As it is an internal site, so 80/443 port is not accessible to the public. May I know what should I do to renew the Let's Encrypt cert? What IP/ port should I configure in inbound rules?

I found the below error:
JSON: 
{
    "identifier": {
        "type": "dns",
        "value": "xxx.xxx.com"
    },
    "status": "invalid",
    "expires": "2023-06-14T03:42:33Z",
    "challenges": [
        {
            "type": "http-01",
            "status": "invalid",
            "error": {
                "type": "urn:ietf:params:acme:error:connection",
                "detail": "x.x.x.x: Fetching http://xxx.xxx.com/.well-known/acme-challenge/VFeX-xeaPhH-6BZA...: Timeout during connect (likely firewall problem)",
                "status": 400
            },
            "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/234622951847/g1GmzQ",
            "token": "VFeX-xeaPhH-6BZA...",
            "validationRecord": [
                {
                    "url": "http://xxx.xxx.com/.well-known/acme-challenge/VFeX-xeaPhH-6BZA...",
                    "hostname": "xxx.xxx.com",
                    "port": "80",
                    "addressesResolved": [
                        "x.x.x.x"
                    ],
                    "addressUsed": "x.x.x.x"
                }
            ],
            "validated": "2023-06-07T03:42:34Z"
        }
    ]
}
 
I am not perfectly sure, but think that the only workaround in such a case is to use a Wildcard certificate instead, because only for Wildcard certs Plesk supports DNS-01 challenge. For other certificates it only supports SAN-01 which requires port 80 to be open and the web server to respond on it. We have a feature request for DNS-01 challenge support that you can vote for if you believe that it is an important feature that needs to be added: Issue Let's Encrypt Wildcard (and others) certificate without main domain in SAN (use DNS-01 challenge only)
 
You must log in or register to reply here.

Similar threads

L
Issue ( authorization token is unavailable ) Could not issue/renew Let`s Encrypt certificates
Replies
7
Views
372
Leta
L
D
Issue Lets Encrypt Not Successful over port 80
Replies
8
Views
2K
Daiv
D
Nextgen-Networks
Issue Lets Encrypt - error in certificate renew process
2
Replies
21
Views
4K
Peter Debik
P
P
Resolved Could not issue/renew Let`s Encrypt certificates for admin
Replies
6
Views
3K
Peter Debik
P
hansitheking
Resolved Let's Encrypt: Timeout during connect (likely firewall problem)
Replies
4
Views
10K
trialotto
T
Back
Top