Symptoms
-
It is not possible to issue or renew the Let's Encrypt certificate in Plesk > Domains > example.com > SSL/TLS Certificates. The following error appears in Plesk UI or may be sent to the user's mailbox:
Could not renew Let's Encrypt certificates for Administrator (login admin). Please log in to Plesk and renew the certificates listed below manually. Renewal of the following Let's Encrypt certificates has failed:
'Lets Encrypt example.com' [days to expire: 20]
[-] *.example.com
[-] example.com
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/1234567890.
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: During secondary validation: Incorrect TXT record "hfNt4EcIBmAIrTBR2O7w_eUMhNSfce-ymmZP7IdYChU" found at _acme-challenge.example.com -
The domain is using a 3rd party DNS provider and several nameservers are responsible for
example.com:
For instance:
# dig +short NS example.com
ns1.example.com.
ns2.example.com.
# dig +short ns1.example.com
203.0.113.2
# dig +short ns2.example.com
203.0.113.3
Cause
The domain's nameservers contain different TXT DNS records' values:
# dig +short TXT _acme-challenge.example.com @203.0.113.2
"Yd_C08z8Lu7f3tBPL-3ePtczWllQqAiVhS2PvM_FpuA"
# dig +short TXT _acme-challenge.example.com @203.0.113.3
"hfNt4EcIBmAIrTBR2O7w_eUMhNSfce-ymmZP7IdYChU"
During the challenge, Let's Encrypt randomly chooses one of the nameservers and checks if there is a matching TXT DNS record there. In case the server with the IP address '203.0.113.3 ' is randomly chosen by Let's Encrypt and this server doesn't contain the required TXT DNS record, validation fails and the certificate will not be issued.
Resolution
-
Install the wildcard certificate for
example.comin Domains > example.com > SSL/TLS Certificates. -
When the instruction on how to add a DNS record on the external DNS side is provided by the SSL It! extension, update this record to all nameservers.
Note: Alternatively, use Plesk DNS server so the TXT DNS record is added/updated automatically.