Plesk

Let’s Encrypt notifications are sent to Plesk Administrator for an already renewed certificate

Symptoms

Could not secure domains of Administrator (login admin) with Let's Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:
<none>
The following domains have been secured without some of their Subject Alternative Names:
<none>
Could not renew Let's Encrypt certificates for Administrator (login admin). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let's Encrypt certificates has failed:
'Lets Encrypt certificate' [days to expire: 12] [-] example.com
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/5422301042.
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Invalid response from https://example.com/.well-known/acme-challenge/QnlaiM9v7msdH9BnqWzyzWx234wJTQjX-7fRot-TqEw [203.0.113.2]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
The following Let's Encrypt certificates have been renewed without some of their Subject Alternative Names:
<none>
Legend:
[+] This domain is secure. The domain's SSL/TLS certificate from Let's Encrypt has been issued/renewed.
[-] This domain is not secure. Either the domain's SSL/TLS certificate from Let's Encrypt could not be issued/renewed or the domain name was excluded from the certificate. Renew the certificate manually or request a new one to secure this domain.

# ls -la /var/www/vhosts/default/htdocs/.well-known/acme-challenge/ | grep QnlaiM9v7msdH9BnqWzyzWx234wJTQjX-7fRot-TqEw
<no output>

DEBUG [extension/sslit] Skip certificate renewal for domain 'example.com': the certificate will expire in more than 30 days at YYYY-MM-DD

Cause

The certificate has been renewed recently, but notifications about earlier failed renewal attempts can arrive with a delay. This is SSL It! extension bug #EXTSSLIT-1922.

Resolution

Notifications for failed renewals can be delayed for 24 hours. No action is required.
If notifications keep coming after a while, check the email headers to make sure that they are not coming from an old server.
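
One way to carry out the header check described above, as an added example that is not part of the original article or of Plesk: it reads the `Received` chain of a saved notification and reports which host generated it. The sample message, the host names `old-plesk.example.net`, `new-plesk.example.net` and `mx.example.org`, and the function names are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed sample notification; host names and addresses are placeholders.
SAMPLE = """\
Received: from old-plesk.example.net (old-plesk.example.net [198.51.100.7])
\tby mx.example.org (Postfix) with ESMTPS id 4F1A2B3C
\tfor <admin@example.org>; Tue, 02 Jan 2024 09:15:04 +0000
Received: by old-plesk.example.net (Postfix, from userid 0)
\tid 9D8E7F6A; Tue, 02 Jan 2024 09:15:02 +0000
Date: Tue, 02 Jan 2024 09:15:02 +0000
From: admin@example.com
To: admin@example.org
Subject: Could not renew Let's Encrypt certificates

Renewal of the following Let's Encrypt certificates has failed:
"""

FROM_RE = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.I)
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def _first(pattern, text):
    match = pattern.search(text)
    return match.group(1).lower() if match else None

def received_hops(raw):
    """Return the Received hops oldest first (each MTA prepends its header)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        stamp = text.rpartition(";")[2].strip() if ";" in text else None
        hops.append({"from": _first(FROM_RE, text), "by": _first(BY_RE, text),
                     "ip": _first(IP_RE, text), "time": stamp})
    return hops

def origin_host(raw):
    """Host that generated the message: the sender named in the oldest hop,
    or the accepting host itself when the mail was submitted locally."""
    hops = received_hops(raw)
    return (hops[0]["from"] or hops[0]["by"]) if hops else None

def sent_by_current_server(raw, current_hosts):
    """True only if the originating host is one of the servers in use now."""
    return origin_host(raw) in {h.lower() for h in current_hosts}

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop)
    print("origin:", origin_host(SAMPLE))
```

Hops recorded by mail servers you do not control are sender-supplied, so treat the result as a pointer to which machine to inspect rather than as proof of origin.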