• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Question Renew Let's encrypt cert failed after added inbound rule for aws ec2

P

peteeeeeee

New Pleskian
Server operating system version
CentOS Linux 7.9.2009 (Core)
Plesk version and microupdate number
Plesk Obsidian Version 18.0.52
I am hosting Plesk in aws ec2, recently added some security group inbound rules, and let's encrypt seems cannot renew. As it is an internal site, so 80/443 port is not accessible to the public. May I know what should I do to renew the Let's Encrypt cert? What IP/ port should I configure in inbound rules?

I found the below error:
JSON: 
{
    "identifier": {
        "type": "dns",
        "value": "xxx.xxx.com"
    },
    "status": "invalid",
    "expires": "2023-06-14T03:42:33Z",
    "challenges": [
        {
            "type": "http-01",
            "status": "invalid",
            "error": {
                "type": "urn:ietf:params:acme:error:connection",
                "detail": "x.x.x.x: Fetching http://xxx.xxx.com/.well-known/acme-challenge/VFeX-xeaPhH-6BZA...: Timeout during connect (likely firewall problem)",
                "status": 400
            },
            "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/234622951847/g1GmzQ",
            "token": "VFeX-xeaPhH-6BZA...",
            "validationRecord": [
                {
                    "url": "http://xxx.xxx.com/.well-known/acme-challenge/VFeX-xeaPhH-6BZA...",
                    "hostname": "xxx.xxx.com",
                    "port": "80",
                    "addressesResolved": [
                        "x.x.x.x"
                    ],
                    "addressUsed": "x.x.x.x"
                }
            ],
            "validated": "2023-06-07T03:42:34Z"
        }
    ]
}
 
I am not perfectly sure, but think that the only workaround in such a case is to use a Wildcard certificate instead, because only for Wildcard certs Plesk supports DNS-01 challenge. For other certificates it only supports SAN-01 which requires port 80 to be open and the web server to respond on it. We have a feature request for DNS-01 challenge support that you can vote for if you believe that it is an important feature that needs to be added: Issue Let's Encrypt Wildcard (and others) certificate without main domain in SAN (use DNS-01 challenge only)
 
You must log in or register to reply here.

Similar threads

D
Issue Lets Encrypt Not Successful over port 80
Replies
8
Views
337
Daiv
D
K
Question Renewing Let's Encrypt with external DNS servers
Replies
5
Views
176
klowet
K
Nextgen-Networks
Issue Lets Encrypt - error in certificate renew process
2
Replies
21
Views
2K
Peter Debik
P
M
Issue plesk server certificate does NOT include an ID which matches the server name
Replies
9
Views
2K
learning_curve
learning_curve
P
Resolved Could not issue/renew Let`s Encrypt certificates for admin
Replies
6
Views
2K
Peter Debik
P
Back
Top