Issue Security advisor. Error trying to renew lets encrypt certificate

SalvadorS

Regular Pleskian
Hello,

I have 2 servers, and on both I installed the Let's Encrypt certificate for the name of the server from the Security Advisor.

Now I am receiving this error in both servers:

====
Could not secure domains of xxx (login admin) with Let's Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:

<none>

The following domains have been secured without some of their Subject Alternative Names:

<none>

Could not renew Let's Encrypt certificates for xxx (login admin). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let's Encrypt certificates has failed:

* 'Lets Encrypt certificate' [days to expire: 27]
[-] name.server.com

Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/r-i0JTwzJ2K_4ljAsNtCWcadcfKOnqL_8knJPmI5cr
Details:
Type: urn:acme:error:unknownHost
Status: 400
Detail: No valid IP addresses found for name.server.com

The following Let's Encrypt certificates have been renewed without some of their Subject Alternative Names:

<none>


Legend:
[+] This domain is secure. The domain's SSL/TLS certificate from Let's Encrypt has been issued/renewed.
[-] This domain is not secure. Either the domain's SSL/TLS certificate from Let's Encrypt could not be issued/renewed or the domain name was excluded from the certificate. Renew the certificate manually or request a new one to secure this domain.
===

Where name.server.com is the name of the server. The certificate is installed from the Security Advisor and it is not listed in the Let's Encrypt extension.

Any ideas?
 
Is name.server.com publicly accessible and registered in DNS, so that it can resolve to the IP address of your server when opened on the Internet?
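
The DNS question above as a runnable check (an added example, not part of the original thread and not Plesk or Let's Encrypt tooling): it resolves a hostname and reports whether any returned address is publicly routable. The function names and the `verdict` labels are assumptions made for this example.

```python
import ipaddress
import socket
import sys


def resolve(host):
    """Return the distinct A/AAAA addresses the local resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []  # name does not resolve at all
    return sorted({info[4][0] for info in infos})


def preflight(host, resolver=resolve):
    """Classify what a validation server on the public Internet could use."""
    public, unreachable = [], []
    for text in resolver(host):
        addr = ipaddress.ip_address(text.split("%")[0])  # drop IPv6 zone id
        (public if addr.is_global else unreachable).append(str(addr))
    if not public and not unreachable:
        # Corresponds to the "No valid IP addresses found" detail in the report.
        verdict = "no-address"
    elif not public:
        # Resolves, but only to private/loopback/link-local addresses that an
        # external validation server cannot connect to.
        verdict = "non-public-only"
    elif unreachable:
        verdict = "mixed"
    else:
        verdict = "ok"
    return {"host": host, "verdict": verdict,
            "public": public, "unreachable": unreachable}


if __name__ == "__main__":
    # Usage: python3 preflight.py name.server.com [more hostnames...]
    for name in sys.argv[1:]:
        print(preflight(name))
```

Run it from a machine other than the server itself: an `/etc/hosts` entry for the server's own hostname can make the name resolve locally even when no public DNS record exists.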
 
You are probably missing something, for example the DNS entry for an alias or maybe the "www" subdomain of the domain name. The error message says that "some" alternate names are causing the error. The certificate itself is present, but some of the subdomains or aliases you are trying to equip with it are inaccessible for the Let's Encrypt domain validation. Either they are missing the DNS entry or they don't have web space that can be accessed so that the validation files cannot be written or read.
 
The other gotcha is that you must not have any code that hides/blocks . folders, i.e. hidden folders, as this is where certbot tries to store and read verification files.
 
I created a subscription with the name of the server, to ensure there is a valid IP address configured, and I am still receiving the error... I don't understand it... Does nobody get this error when setting a Let's Encrypt certificate for the name of the server with the Security Advisor?
 
Hi
I am new at this

but
I have a question:
I see now that under "security advisor", if I secure a domain, it by default uses the new Symantec secure starter SSL

and for the old domains, I have an option to 'upgrade' to the Symantec free SSL

the old Let's Encrypt certs would auto-renew on their own

will these new Symantec ones do the same?
I do not see a setting for renewing them, other than reinstalling them

thanks
 
Nobody has this problem? Only me?

I don't know if I can delete the cert (from the security advisor it is impossible) and generate a new one...
 
Yes, you can go to your domain and look under hosting properties, and uncheck the 'secure using SSL' box,
then I think you can go back to security advisor and re-secure it.
You can also click on Let's Encrypt or SSL, I don't know which,
and you will see an install button where you can renew it.

I think
 
What? When you secure a domain name in security advisor
you get a Symantec SSL secure starter certificate for that domain.
Now maybe it's for the server and it's a wildcard for all domains,
but in security advisor, separate domains can be secured and you get a green flag saying it's secured with Symantec SSL

so

are you saying that this new Symantec certificate Plesk is using is for all domains?

Is it renewed automatically?

thanks
 