Symptoms
- The domain is configured in Cloudflare and uses Cloudflare DNS;
- A Let's Encrypt certificate cannot be issued or renewed, and one of the following errors is shown:
Your domain in Plesk is hosted on the IP address(es): 203.0.113.2 , but the DNS challenge used another IP address: 203.0.113.3.
Please check the actual DNS zone of your domain and make sure that the IP addresses in the DNS zone and for the hosting are the same.
Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com
The example.com DNS zone contains an AAAA record, but the domain is not assigned an IPv6 address in Plesk.
To resolve the issue, either assign an IPv6 address to example.com ("Websites & Domains" > "Web Hosting Access") or remove the AAAA record from the example.com DNS zone.
See the related Knowledge Base article for details.
Details
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/qxK-vAPtGYg3YOSEcgZNB7HBd-unn4oX3GLtZWSxVPA.
Details:
Type: urn:acme:error:unauthorized
Status: 403
- (optional) The captcha is enabled for the domain.
Cause
Let's Encrypt validates the domain by fetching the token file that Plesk places under http://example.com/.well-known/acme-challenge/. When the site is proxied through Cloudflare, that request is answered by Cloudflare, not by the Plesk server, and Cloudflare may return a cached (stale) response, or a captcha challenge page if one is enabled, instead of the freshly written token file. The IP address mismatch reported by Plesk comes from the same setup: the domain name resolves to Cloudflare's edge address rather than to the address the site is hosted on.
Resolution
Note: To prevent this from recurring, exclude the token file path http://example.com/.well-known/acme-challenge/*
from Cloudflare's cache, following Cloudflare's instructions: How do I exclude a specific URL from Cloudflare's caching?
- Clear Cloudflare's cache using the steps from Cloudflare's article: How do I purge my cache?
- (If captcha is enabled) Disable the captcha for the domain.
- Issue/renew the Let's Encrypt certificate: log in to Plesk > Domains > example.com > SSL/TLS Certificates > Install/Reissue Certificate.
- (If captcha was enabled) Re-enable the captcha for the domain.
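A pre-flight check for the steps above, added here as an example; it is not part of this article and not Plesk's or Cloudflare's code. It writes a throw-away token into the challenge directory, fetches it through the public hostname (so the request passes through Cloudflare exactly as Let's Encrypt's does), and judges the reply: a 403 with a cf-mitigated header means a captcha/challenge page is in the way, cf-cache-status: HIT means the path is still cached, and a body that differs from the token means a stale or rewritten response. The document root /var/www/vhosts/example.com/httpdocs and the two Cloudflare header names are assumptions, not taken from the article.

```shell
#!/bin/sh
# Pre-flight check that the HTTP-01 challenge path is served through
# Cloudflare unmodified. Added example for this article; not Plesk's or
# Cloudflare's code. Assumptions (not from the article): DOCROOT is the
# vhost document root, Cloudflare marks cache hits with "cf-cache-status: HIT"
# and managed-challenge pages with a "cf-mitigated" header.

DOMAIN="${DOMAIN:-example.com}"
DOCROOT="${DOCROOT:-/var/www/vhosts/$DOMAIN/httpdocs}"

# Print the value of header $1 from a raw HTTP response in $2. Headers end at
# the first blank line, so body text is never matched. Case-insensitive.
header_value() {
    printf '%s\n' "$2" | tr -d '\r' | awk -v h="$1" '
        /^$/ { exit }
        { n = index($0, ":")
          if (n > 0 && tolower(substr($0, 1, n - 1)) == tolower(h)) {
              v = substr($0, n + 1); sub(/^[ \t]+/, "", v); print v; exit } }'
}

# Print the body of a raw HTTP response (everything after the blank line),
# with newlines removed so it can be compared to the token.
response_body() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'body { print } /^$/ { body = 1 }' | tr -d '\n'
}

# Judge a raw response the way the Let's Encrypt validator would.
# Exit status 0 means it would be accepted; otherwise a reason is printed.
check_challenge_response() {
    token="$1"; response="$2"
    status=$(printf '%s\n' "$response" | head -n 1 | awk '{ print $2 }')
    cache=$(header_value cf-cache-status "$response" | tr '[:lower:]' '[:upper:]')
    mitigated=$(header_value cf-mitigated "$response")
    body=$(response_body "$response")

    if [ -n "$mitigated" ]; then
        echo "blocked by a Cloudflare challenge page (cf-mitigated: $mitigated); disable the captcha for the domain"
        return 1
    fi
    if [ "$status" != "200" ]; then
        echo "HTTP $status instead of 200; the token file is not reachable through Cloudflare"
        return 1
    fi
    if [ "$cache" = "HIT" ]; then
        echo "served from Cloudflare's cache (cf-cache-status: HIT); exclude /.well-known/acme-challenge/* and purge the cache"
        return 1
    fi
    if [ "$body" != "$token" ]; then
        echo "body does not match the token (got '$body'); a stale or rewritten response is being served"
        return 1
    fi
    echo "ok: token served uncached with status 200"
    return 0
}

# Live check: create a token in the challenge directory, fetch it through the
# public hostname (hence through Cloudflare), judge the reply, clean up.
run_live_check() {
    dir="$DOCROOT/.well-known/acme-challenge"
    token="plesk-preflight-$(date +%s)-$$"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
    response=$(curl -s -i --max-time 15 "http://$DOMAIN/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    check_challenge_response "$token" "$response"
}

# Only fetch when explicitly asked:  DOMAIN=example.com sh acme-preflight.sh run
if [ "${1:-}" = "run" ]; then
    run_live_check
fi
```

Run it on the Plesk server after adding the cache-exclusion rule and purging the cache; a clean "ok" line means the Install/Reissue Certificate step should succeed, while each failure message names the step in the Resolution that is still missing.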