Symptoms
- The following notifications keep coming to the Plesk administrator's email even though the certificate for example.com has already been renewed:
Could not secure domains of Administrator (login admin) with Let's Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:
<none>
The following domains have been secured without some of their Subject Alternative Names:
<none>
Could not renew Let's Encrypt certificates for Administrator (login admin). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let's Encrypt certificates has failed:
'Lets Encrypt certificate' [days to expire: 12] [-] example.com
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/5422301042.
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Invalid response from https://example.com/.well-known/acme-challenge/QnlaiM9v7msdH9BnqWzyzWx234wJTQjX-7fRot-TqEw [203.0.113.2]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
The following Let's Encrypt certificates have been renewed without some of their Subject Alternative Names:
<none>
Legend:
[+] This domain is secure. The domain's SSL/TLS certificate from Let's Encrypt has been issued/renewed.
[-] This domain is not secure. Either the domain's SSL/TLS certificate from Let's Encrypt could not be issued/renewed or the domain name was excluded from the certificate. Renew the certificate manually or request a new one to secure this domain.
- The acme-challenge token mentioned in the message does not exist in the common challenge directory:
# ls -la /var/www/vhosts/default/htdocs/.well-known/acme-challenge/ | grep QnlaiM9v7msdH9BnqWzyzWx234wJTQjX-7fRot-TqEw
<no output>
- With debug mode enabled, it is possible to see that the certificate renewal was skipped in /var/log/plesk/panel.log:
DEBUG [extension/sslit] Skip certificate renewal for domain 'example.com': the certificate will expire in more than 30 days at YYYY-MM-DD
- There was a previous issue with certificate renewal that has been recently resolved.
Cause
The certificate has been recently renewed, but notifications for previous failed renewal attempts can come with a delay. This is an SSL It! extension bug #EXTSSLIT-1922.
Resolution
Notifications for failed renewals can be delayed for 24 hours. No action is required.
If notifications keep coming after a while, check the email headers to make sure that they are not coming from an old server.
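One way to do the header check from the last step, as an added example (not Plesk code): it reads the earliest Received hop of a saved notification and compares it with the current server. The hostnames, message ids and 203.0.113.9 are constructed placeholders; 203.0.113.2 is the address shown in the notification above and is assumed to be the current server.

```python
import email
import re

# "from <helo> (<rdns> [<ip>])" as written by the receiving MTA; the IP is the
# part the receiver observed, the HELO name is only what the sender claimed.
FROM_RE = re.compile(r"^from\s+(\S+)(?:\s+\([^()\[\]]*\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\))?")
BY_RE = re.compile(r"\bby\s+(\S+)")

def origin_of(raw_message):
    """Return (host, ip) for the earliest hop; ip is None for local submission."""
    hops = email.message_from_string(raw_message).get_all("Received") or []
    if not hops:
        return (None, None)
    first = " ".join(hops[-1].split())  # each MTA prepends, so the last header is the first hop
    m = FROM_RE.match(first)
    if m:
        return (m.group(1).lower(), m.group(2))
    m = BY_RE.search(first)  # e.g. "by host (Postfix, from userid 0)"
    return (m.group(1).lower() if m else None, None)

def sent_by_current_server(raw_message, hostnames, addresses):
    """Prefer the observed IP; fall back to the hostname for local submissions."""
    host, ip = origin_of(raw_message)
    if ip is not None:
        return ip in addresses
    return host in hostnames

# Constructed samples: hostnames, ids and 203.0.113.9 are placeholders.
VIA_RELAY = (
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "\tby mail.example.org with ESMTP id A1; Mon, 01 Jan 2024 10:00:05 +0000\n"
    "Received: from old-plesk.example.com (old-plesk.example.com [203.0.113.9])\n"
    "\tby mx.example.net with ESMTP id B2; Mon, 01 Jan 2024 10:00:01 +0000\n"
    "Subject: constructed notification\n\nbody\n"
)
LOCAL = (
    "Received: by plesk.example.com (Postfix, from userid 0)\n"
    "\tid C3; Mon, 01 Jan 2024 10:00:00 +0000\n"
    "Subject: constructed notification\n\nbody\n"
)

if __name__ == "__main__":
    current = ({"plesk.example.com"}, {"203.0.113.2"})
    for name, raw in (("via relay", VIA_RELAY), ("local", LOCAL)):
        print(name, origin_of(raw), sent_by_current_server(raw, *current))
```

A notification for which sent_by_current_server returns False was submitted by another host, such as an old server that still has the domain configured.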