Symptoms
- Issuing or renewing a Let's Encrypt certificate fails with an error similar to the following:

    DNS zone contains an AAAA record, but the domain is not assigned an IPv6 address in Plesk.

- The affected domain is using Cloudflare nameservers.
- The affected domain does not have an IPv6 address assigned in the Plesk > Domains > example.com > Hosting & DNS > Hosting > IP addresses section, because no IPv6 address is assigned to the server at all in Plesk > Tools & Settings > IP addresses.
- An IPv6 address is nevertheless returned when the domain is resolved:

    # dig AAAA example.com +short
    2606:4700:3037::6818:70ce
    2606:4700:3031::6818:71ce
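
The three symptoms above can be checked together from captured command output. This is an added example, not Plesk's or Cloudflare's own tooling: the function names and sample nameserver names are made up for illustration, and `ip -6 -o addr show scope global` is assumed as an OS-level stand-in for the Plesk IP address list.

```shell
# Added example: each function takes command output as text, so it runs offline.

# $1: output of `dig NS <domain> +short`. Succeeds only if at least one record
# is present and every record is under ns.cloudflare.com.
uses_cloudflare_ns() (
    found=1
    while IFS= read -r ns; do
        [ -n "$ns" ] || continue
        # Drop the trailing root dot and compare case-insensitively.
        ns=$(printf '%s' "${ns%.}" | tr '[:upper:]' '[:lower:]')
        case "$ns" in
            *.ns.cloudflare.com) found=0 ;;
            *) exit 1 ;;
        esac
    done <<EOF
$1
EOF
    exit "$found"
)

# $1: output of `dig AAAA <domain> +short`. Succeeds if it contains an IPv6
# address (any colon-separated answer).
resolves_aaaa() {
    case "$1" in
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1: output of `ip -6 -o addr show scope global` on the server (assumption:
# used here in place of the Plesk IP address list). Empty output means no IPv6.
server_has_ipv6() {
    [ -n "$1" ]
}

# Returns 0 when all three symptoms hold: Cloudflare nameservers, a public
# AAAA record, and no IPv6 address on the server.
matches_article_symptoms() {
    uses_cloudflare_ns "$1" && resolves_aaaa "$2" && ! server_has_ipv6 "$3"
}

# Constructed sample input: the nameserver names are placeholders; the AAAA
# answers are the ones from the dig output above.
SAMPLE_NS='ada.ns.cloudflare.com.
bob.ns.cloudflare.com.'
SAMPLE_AAAA='2606:4700:3037::6818:70ce
2606:4700:3031::6818:71ce'
matches_article_symptoms "$SAMPLE_NS" "$SAMPLE_AAAA" "" && echo "Symptoms match this article."
```

On a live server, pass `"$(dig NS example.com +short)"`, `"$(dig AAAA example.com +short)"` and `"$(ip -6 -o addr show scope global)"` as the three arguments.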
Cause
The SSL/TLS encryption mode for the domains on the side of Cloudflare is set to something other than Full (strict) and this causes the Let's Encrypt validation process to fail, which is expected.
For things to work properly, the SSL/TLS encryption mode for any domain that uses Cloudflare nameservers should always be set to Full (strict) when its website content resides on a Plesk server, because that way only the SSL certificate that is installed on the Plesk server is used.
This is a confirmed point for improvement with ID #EXTSSLIT-2120.
Progress related to it can be tracked via the Change Log for Plesk Obsidian.
Resolution
In order to resolve the errors, you must change the SSL mode for the domain on the side of Cloudflare, which can be done by following these steps:
1. Log in to your Cloudflare.com account.
2. Go to example.com > SSL/TLS and change the SSL mode to Full (strict).