Plesk

Could not request a Let’s Encrypt SSL/TLS certificate for example.com: website content loading from another server

Symptoms

Cause

The issue is caused by a DNS configuration mismatch: the DNS A records for example.com in Cloudflare point to an IP address that is different from the Plesk server's IP addresses.

For Plesk to issue a Let's Encrypt SSL certificate for a domain, that domain must load its website content from the Plesk server's IP address.
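The mismatch can be confirmed before retrying issuance by comparing the domain's resolved A records with the Plesk server's addresses. The following is an added example, not code from Plesk or from the original article; the function names, the sample addresses and the short list of Cloudflare ranges (a subset of what Cloudflare publishes) are assumptions made for illustration.

```python
import ipaddress
import socket

# Assumption: a subset of Cloudflare's published proxy ranges, for illustration.
# Refresh from Cloudflare's current published list before relying on it.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in
                   ("104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15")]


def resolve_a(domain):
    """Return the set of IPv4 addresses the domain's A records resolve to."""
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def diagnose(domain_ips, server_ips):
    """Classify each resolved address against the Plesk server's addresses."""
    server = {ipaddress.ip_address(ip) for ip in server_ips}
    report = {"ok": [], "cloudflare_proxy": [], "other_server": []}
    for raw in sorted(domain_ips):
        ip = ipaddress.ip_address(raw)
        if ip in server:
            report["ok"].append(raw)
        elif any(ip in net for net in CLOUDFLARE_NETS):
            # Proxied record: visitors reach Cloudflare, not the Plesk server.
            report["cloudflare_proxy"].append(raw)
        else:
            report["other_server"].append(raw)
    # Per the requirement above, every A record must land on the Plesk server.
    report["ready"] = bool(report["ok"]) and not (
        report["cloudflare_proxy"] or report["other_server"])
    return report


if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    plesk_ips = ["203.0.113.10"]
    print(diagnose(["203.0.113.10"], plesk_ips))
    print(diagnose(["104.21.5.9", "172.67.1.2"], plesk_ips))
    print(diagnose(["198.51.100.7"], plesk_ips))
    # Live check: diagnose(resolve_a("example.com"), plesk_ips)
```

A result with entries under `cloudflare_proxy` means the A records are proxied, while `other_server` means they point at a host that is neither Cloudflare (per the sample ranges) nor the Plesk server.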

Resolution

  1. Update DNS Records on Cloudflare:

    • Adjust the A record for example.com in Cloudflare to point to the IP address of the Plesk server.
    • This will allow the DNS validation for Let's Encrypt to succeed. Note that DNS record changes can take up to 48 hours to propagate globally.
  2. Use Cloudflare's SSL/TLS Options:

    • Since Cloudflare is already in use, consider using its SSL/TLS options to secure the site.
    • Cloudflare provides its own SSL certificates, eliminating the need for Let's Encrypt certificates. Refer to Cloudflare's support or external articles for more information on this topic.
  3. Purchase a Third-Party Certificate and install it manually for this domain:

    • Alternatively, consider purchasing a third-party SSL certificate that is valid for a longer period, such as one year.
    • This reduces the frequency of certificate renewals and eliminates the need for DNS validation challenges.

Note: Changing Cloudflare's proxy status for the domain's A records from Proxying to DNS Only during the certificate renewal process is a temporary workaround, but not a recommended long-term solution.

Additional information

How to set up Plesk, mail autodiscover and Cloudflare to work together properly?

What Is Cloudflare And How To Use it With Your Site?
