Cannot Enable Let's Encrypt free certificate using Plesk

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: casemaster.ps and refugeechronicles.org

I ran this command: nslookup -type=txt _acme-challenge.casemaster.ps and nslookup -type=txt _acme-challenge.refugeechronicles.org

It produced this output:
Server: UnKnown
Address: 192.168.1.1

Non-authoritative answer:
_acme-challenge.casemaster.ps canonical name = casemaster.ps
casemaster.ps text =

    "KWEXeo9UZqqNUqUk6emQC_J7-dYLHiGiCgfDuyKJv7M"

and for the second domain, this output:
Server: UnKnown
Address: 192.168.1.1

Non-authoritative answer:
_acme-challenge.refugeechronicles.org canonical name = refugeechronicles.org
refugeechronicles.org text =

    "_acme-challenge.refugeechronicles.org=fHVdPYA4mqCDoGlUM0rBUsvTNBHl0RD1SC1QMA0if8M"

refugeechronicles.org text =

    "google-site-verification=oOA6IIDLYcjyoWInTzbnzzwtnE4p7YnjiOCzLKPXc4Q"

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 22.04 using Plesk panel

My hosting provider, if applicable, is: vultr.com

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
The error I face: Authorization for the domain failed (but I checked the TXT record and all seems good).
The steps that I followed and the error I received are in the doc: Loading Google Docs

How do I make the free certificate work? The Vultr support told me the SSL certificate is not their responsibility! What should I do?

Both domains failed, or just refugeechronicles.org?

You should add a txt record on _acme-challenge.refugeechronicles.org containing the token and the token alone.

But it looks like you have a wildcard CNAME. That's not something I would advise doing. I would replace it with a wildcard A/AAAA if that's what you need.

2 Likes

Both are not working.
For casemaster.ps: I was registered for a paid certificate and it has expired, and I want to add the free one but it's not working.
For refugeechronicles.org: I updated the TXT record to contain only the token in the value, and this is the output when I run the nslookup command:
Non-authoritative answer:
_acme-challenge.refugeechronicles.org canonical name = refugeechronicles.org
refugeechronicles.org text =

    "google-site-verification=oOA6IIDLYcjyoWInTzbnzzwtnE4p7YnjiOCzLKPXc4Q"

refugeechronicles.org text =

    "fHVdPYA4mqCDoGlUM0rBUsvTNBHl0RD1SC1QMA0if8M"

But it's still not working!

@9peppe do you have any other suggestions?

What's the actual error message?

If you don't need that * cname I would remove it.

1 Like

The error message is in image4 at the following link: errorSteps.docx - Google Docs

The error says: "Couldn't issue a Let's Encrypt Certificate for domain http://refugeechronicles.org . Authorization for domain failed"
Details: "Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/XXXXX"
But when I check the TXT, it's accessed externally.

Those are two very different things:

  • HTTPS request
  • DNS TXT record request

What is the exact command you ran to get a cert?

1 Like

@rg305 I am using the Plesk interface, so I followed the steps from Plesk: https://support.plesk.com/hc/en-us/articles/12377676289815-How-to-install-Let-s-Encrypt-SSL-certificate-for-domain-in-Plesk

https://refugeechronicles.org/ I want to access this website with HTTPS in the end.
The command I ran on cmd to check the record is: nslookup -type=txt _acme-challenge.refugeechronicles.org

And I use this DNS checker site to check: DNS Checker - DNS Check Propagation Tool

Can we see more of the log file?

2 Likes

Why would you have this CNAME?:
_acme-challenge.refugeechronicles.org canonical name = refugeechronicles.org

It serves no functional purpose.
I would remove it.
[it is likely the root of your problem]

2 Likes

If you have time to check through Google Meet, please reply with your email; I will appreciate your support.

You mean I should remove this:

Well, why is it there? Presumably you added it for a reason.

4 Likes

It's created by default from the hosting server config, I didn't add it. But when I delete it and then check the TXT record using this command: nslookup -type=txt _acme-challenge.refugeechronicles.org
Output:
Server: UnKnown
Address: 192.168.1.1

*** UnKnown can't find _acme-challenge.refugeechronicles.org: Non-existent domain

This is the full error message: Could not issue an SSL/TLS certificate for refugeechronicles.org
Details
Could not issue a Let's Encrypt SSL/TLS certificate for refugeechronicles.org. Authorization for the domain failed.

Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/307311781746.

Details:

Type: urn:ietf:params:acme:error:unauthorized

Status: 403

Detail: Incorrect TXT record "fHVdPYA4mqCDoGlUM0rBUsvTNBHl0RD1SC1QMA0if8M" (and 1 more) found at _acme-challenge.refugeechronicles.org

It seems to be a bug in Plesk: Resolved - Could not issue a Let's Encrypt SSL/TLS certificate | Plesk Forum

In your post #13 the error was for an HTTP Challenge (Plesk Non-wildcard).

But the error about the invalid TXT record is for Wildcard. Are you placing this TXT value manually in the DNS? If so, it would be better to get the non-wildcard option working as that can be automated. Is that possible?

As for your TXT record:

A TXT record is usually used at _acme-challenge.refugeechronicles.org. If you remove the CNAME and replace it with a TXT you won't get the NXDOMAIN anymore.

Still, it should have worked if you placed the correct TXT value in your root domain. You currently have

dig +noall +answer TXT _acme-challenge.refugeechronicles.org
_acme-challenge.refugeechronicles.org. 46 IN CNAME refugeechronicles.org.
refugeechronicles.org.  46      IN      TXT     "google-site-verification=oOA6IIDLYcjyoWInTzbnzzwtnE4p7YnjiOCzLKPXc4Q"
refugeechronicles.org.  46      IN      TXT     "fHVdPYA4mqCDoGlUM0rBUsvTNBHl0RD1SC1QMA0if8M"

4 Likes
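
Added example, not part of any post in this thread: an offline check over the `dig +noall +answer` output quoted above. It follows the CNAME from the `_acme-challenge` name and flags TXT values at the target that cannot be a dns-01 digest (43 base64url characters, per RFC 8555 section 8.4); the function names and the `expected` parameter are assumptions of this example.

```python
import re

# Answer section copied from the dig output quoted in the thread.
DIG_ANSWER = '''\
_acme-challenge.refugeechronicles.org. 46 IN CNAME refugeechronicles.org.
refugeechronicles.org.  46      IN      TXT     "google-site-verification=oOA6IIDLYcjyoWInTzbnzzwtnE4p7YnjiOCzLKPXc4Q"
refugeechronicles.org.  46      IN      TXT     "fHVdPYA4mqCDoGlUM0rBUsvTNBHl0RD1SC1QMA0if8M"
'''

# A dns-01 TXT value is base64url(SHA-256(key authorization)) without
# padding (RFC 8555 section 8.4), which is always 43 characters.
DIGEST_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")

def parse_answer(text):
    """Return (cname_map, txt_map) parsed from `dig +noall +answer` lines."""
    cnames, txts = {}, {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        owner, rtype, rdata = parts[0].lower(), parts[3].upper(), parts[4].strip()
        if rtype == "CNAME":
            cnames[owner] = rdata.lower()
        elif rtype == "TXT":
            # One TXT record may be split into several quoted strings.
            txts.setdefault(owner, []).append("".join(re.findall(r'"([^"]*)"', rdata)))
    return cnames, txts

def diagnose(text, qname, expected=None):
    """Follow CNAMEs from qname and report what a validator would see."""
    cnames, txts = parse_answer(text)
    name = qname.lower().rstrip(".") + "."
    findings, seen = [], set()
    while name in cnames and name not in seen:  # `seen` guards against loops
        seen.add(name)
        findings.append(f"CNAME {name} -> {cnames[name]}")
        name = cnames[name]
    values = txts.get(name, [])
    for v in values:
        if not DIGEST_RE.match(v):
            findings.append(f"unrelated TXT at {name}: {v[:24]}...")
    if expected is not None and expected not in values:
        findings.append("expected challenge value not present")
    return {"final_name": name, "candidates": [v for v in values if DIGEST_RE.match(v)], "findings": findings}
```

Calling `diagnose(DIG_ANSWER, "_acme-challenge.refugeechronicles.org", expected=<value shown by the ACME client for the current order>)` shows whether the record published at the CNAME target is the one the current order asks for or a leftover from an earlier attempt.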

I doubt that applies. Your server is nginx. That post was for Apache.

3 Likes

I am not using the wildcard option:

I added the TXT record manually in the root server panel (Vultr), but in Plesk it's added automatically.