Knowledge Base

Let’s Encrypt certificate installation/renewal fails for a domain in Plesk: Incorrect TXT record found at _acme-challenge.example.com

 
applications extensionsdnsdomainshttpsip

Symptoms

  • It is not possible to issue or renew the Let’s Encrypt certificate in Plesk > Domains > example.com > SSL/TLS Certificates. The following error appears in Plesk UI or may be sent to the user’s mailbox:

    Could not renew Let's Encrypt certificates for Administrator (login admin). Please log in to Plesk and renew the certificates listed below manually. Renewal of the following Let's Encrypt certificates has failed:
    'Lets Encrypt example.com' [days to expire: 20]
    [-] *.example.com
    [-] example.com
    Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/1234567890.
    Details:
    Type: urn:ietf:params:acme:error:unauthorized
    Status: 403
    Detail: During secondary validation: Incorrect TXT record "hfNt4EcIBmAIrTBR2O7w_eUMhNSfce-ymmZP7IdYChU" found at _acme-challenge.example.com

  • The domain is using a 3rd party DNS provider and separate nameservers are responsible for example.com:

    # dig +short NS example.com
    ns1.example.com.
    ns2.example.com.

    # dig +short ns1.example.com
    203.0.113.2

    # dig +short ns2.example.com
    203.0.113.3

Cause

The domain’s nameservers contain different TXT DNS records’ values:

# dig +short TXT _acme-challenge.example.com @203.0.113.2
“Yd_C08z8Lu7f3tBPL-3ePtczWllQqAiVhS2PvM_FpuA”
# dig +short TXT _acme-challenge.example.com @203.0.113.3
“hfNt4EcIBmAIrTBR2O7w_eUMhNSfce-ymmZP7IdYChU”

During the challenge, Let’s Encrypt randomly chooses one of the nameservers and checks if there is a matching TXT DNS record there. In case the server with the IP address ‘203.0.113.3 ‘ is randomly chosen by Let’s Encrypt and this server doesn’t contain the required TXT DNS record, validation fails and the certificate will not be issued.

Resolution

  1. Log into Plesk.

  2. Install the wildcard certificate for example.com in Domains > example.com > SSL/TLS Certificates.

    Note: When the instruction regarding adding a DNS record is provided by the SSL It! extension, add this record to all nameservers

 

Additional Information

Alternatively, use the Plesk DNS server so the TXT DNS record is added automatically: How to use DNS with a Plesk server?

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

Follow us:

Facebook Twitter Linkedin Youtube Github

© 2023 Plesk International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of Plesk International GmbH.

Managed with love with Plesk WP Toolkit

Plesk uses LiveChat system (3rd party).

By proceeding below, I hereby agree to use LiveChat as an external third party technology. This may involve a transfer of my personal data (e.g. IP Address) to third parties in- or outside of Europe. For more information, please see our Privacy Policy.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt