Symptoms
- It is not possible to issue or renew the Let’s Encrypt certificate in Plesk > Domains > example.com > SSL/TLS Certificates. The following error appears in the Plesk UI or may be sent to the user’s mailbox:
Could not renew Let's Encrypt certificates for Administrator (login admin). Please log in to Plesk and renew the certificates listed below manually. Renewal of the following Let's Encrypt certificates has failed:
'Lets Encrypt example.com' [days to expire: 20]
[-] *.example.com
[-] example.com
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/1234567890.
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: During secondary validation: Incorrect TXT record "hfNt4EcIBmAIrTBR2O7w_eUMhNSfce-ymmZP7IdYChU" found at _acme-challenge.example.com
- The domain is using a 3rd party DNS provider and separate nameservers are responsible for example.com:
# dig +short NS example.com
ns1.example.com.
ns2.example.com.
# dig +short ns1.example.com
203.0.113.2
# dig +short ns2.example.com
203.0.113.3
Cause
The domain’s nameservers return different values for the _acme-challenge TXT DNS record:
# dig +short TXT _acme-challenge.example.com @203.0.113.2
"Yd_C08z8Lu7f3tBPL-3ePtczWllQqAiVhS2PvM_FpuA"
# dig +short TXT _acme-challenge.example.com @203.0.113.3
"hfNt4EcIBmAIrTBR2O7w_eUMhNSfce-ymmZP7IdYChU"
During the challenge, Let’s Encrypt randomly chooses one of the nameservers and checks whether it holds a matching TXT DNS record. If the server with the IP address 203.0.113.3 is chosen and it doesn’t contain the required TXT DNS record, validation fails and the certificate is not issued.
Resolution
- Install the wildcard certificate for example.com in Domains > example.com > SSL/TLS Certificates.
Note: When the instruction regarding adding a DNS record is provided by the SSL It! extension, add this record to all nameservers.
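One way to confirm that every nameserver serves the same challenge record before retrying issuance. This is an added example, not part of the original article or of Plesk tooling; the function names list_ns, query_txt and check_acme_txt are hypothetical, and the optional second argument is assumed to be the TXT value shown by the SSL It! extension:

```shell
#!/bin/sh
# Added example: verify that all authoritative nameservers of a zone serve
# the same _acme-challenge TXT record. Function names are hypothetical.

# Thin dig wrappers, kept separate so they can be stubbed for offline tests.
list_ns()   { dig +short NS "$1"; }
query_txt() { dig +short +norecurse TXT "$1" @"$2" | tr -d '"' | sort; }

# check_acme_txt DOMAIN [EXPECTED_VALUE]
# Returns 0 only if every nameserver returns the same TXT set and, when
# EXPECTED_VALUE is given, that set contains it. Prints each outlier.
check_acme_txt() {
    local domain="$1" expected="${2:-}" name="_acme-challenge.$1"
    local ns txt reference="" ref_ns="" rc=0 count=0

    for ns in $(list_ns "$domain"); do
        count=$((count + 1))
        txt=$(query_txt "$name" "$ns")
        if [ -z "$txt" ]; then
            echo "MISSING  $ns returns no TXT record for $name"
            rc=1
            continue
        fi
        if [ -n "$expected" ] &&
           ! printf '%s\n' "$txt" | grep -qxF -e "$expected"; then
            echo "STALE    $ns does not serve the expected value"
            rc=1
        fi
        if [ -z "$ref_ns" ]; then
            reference="$txt"; ref_ns="$ns"      # first answer is the baseline
        elif [ "$txt" != "$reference" ]; then
            echo "MISMATCH $ns differs from $ref_ns"
            rc=1
        fi
    done

    if [ "$count" -eq 0 ]; then
        echo "ERROR    no NS records found for $domain"
        return 1
    fi
    [ "$rc" -eq 0 ] && echo "OK       $count nameservers agree on $name"
    return "$rc"
}

# Run a check only when called with arguments: ./check.sh example.com [value]
if [ "$#" -gt 0 ]; then check_acme_txt "$@"; fi
```

A non-zero exit status means at least one nameserver would fail validation if Let’s Encrypt happened to query it.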
Additional Information
Alternatively, use the Plesk DNS server so the TXT DNS record is added automatically: How to use DNS with a Plesk server?