Symptoms
- Plesk Obsidian running on Windows Server operating system
-
When attempting to install a Let's Encrypt certificate for a domain, the operation fails with the error message:
The authorization token is not available at http://example.com/.well-known/acme-challenge/347mK_j_YTyKfxB_tYSdcmzvlze0N5OJKcluSRxc9yY
...
Detail: 203.0.113.2: Invalid response from http://example.com/.well-known/acme-challenge/347mK_j_YTyKfxB_tYSdcmzvlze0N5OJKcluSRxc9yY: 403 - The Require SSL/TLS option is enabled in Plesk > Domains > example.com > Hosting & DNS > IIS Settings
- The HSTS option is enabled in Plesk > Domains > example.com > SSL/TLS Certificates
Cause
When the Require SSL/TLS or HSTS option is enabled for a domain in its IIS Settings, connections to URLs starting with HTTP instead of HTTPS are forbidden by the web server, however the Let's Encrypt servers can only use the HTTP-01 challenge while establishing a connection via port 80 (HTTP protocol) initially, which can be confirmed on the following page of the Let's Encrypt documentation:
HTTP-01 challenge | Challenge Types - Let's Encrypt
Due to this, using the Require SSL/TLS option in IIS for domains that use Let's Encrypt SSL certificates is not recommended, because the type of requests the Let's Encrypt servers make to your Plesk server is set entirely on the end of Let's Encrypt.
Resolution
-
Go to Domains > example.com > Hosting & DNS > IIS Settings > Directory Security Settings.
-
Disable Require SSL/TLS option and save the changes.
-
Reissue the certificate at Domains > example.com > SSL/TLS certificates.
-
Enable Require SSL/TLS option at Domains > example.com > IIS Settings > Directory Security Settings if required.
Additional information
HTTP-01 challenge | Challenge Types - Let's Encrypt