Cannot Enable Let's Encrypt free certificate using plesk

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: and

I ran this command: nslookup -typle=txt and nslookup -typle=txt

It produced this output:
Server: UnKnown

Non-authoritative answer: canonical name = text =


and for the second domain , this output: >
Server: UnKnown

Non-authoritative answer: canonical name = text =

    "" text =


My web server is (include version):

The operating system my web server runs on is (include version): ubonto 22.04 using plesk panel

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
the error i face: Authorization for the domain failed, (but i checked the txt record and all seems good)
--the steps that i followed and the error i received in the doc : Loading Google Docs

how to make the free Certificate work ? the vultr support told me the ssl certificate is not their responsibility ! what should i do ?

Both domains failed, or just

You should add a txt record on containing the token and the token alone.

But it looks like you have a wildcard CNAME. That's not something I would advise doing. I would replace it with a wildcard A/AAAA if that's what you need.


both not working,
for > i was regiter to paid certificate and its expired and i want to add the free one but its not working.
for > i update the txt record to contain only the token in the value and this is the out but when run nslookup command : Non-authoritative answer: canonical name = text =

    "google-site-verification=oOA6IIDLYcjyoWInTzbnzzwtnE4p7YnjiOCzLKPXc4Q" text =


but still not working !

@9peppe do you have any other suggestion ?

What's the actual error message?

If you don't need that * cname I would remove it.

1 Like

the error message exist in image4 in the following like: errorSteps.docx - Google Docs

the error say that : "Couldn't issue a Let's Encrypt Certificate for domain . Authorization for domain failed"
Details: Invalid response from "
but when i check the txt its accessed externally

Those are two very different things:

  • HTTPS request
  • DNS TXT record request

What is the exact command you ran to get a cert?

1 Like

@rg305 i am using plesk interface, so i follow the steps from plesk: i want to access this website with https at the end.
the command i run on cmd to check the record is : nslookup -type=txt

and i use this DNS checker site to check: DNS Checker - DNS Check Propagation Tool

Can we see more of the log file?


Why would you have this CNAME?: canonical name =

It serves no functional purpose.
I would remove it.
[it is likely the root of your problem]


if you have time to check through google meet please reply with your email, i will appreciate your support,

you mean i should remove this :

Well, why is it there? Presumably you added it for a reason.


its created by default from hosting server config, i don't add it .. but when i delete it and then check the TXT record using this command: nslookup -type=txt
Server: UnKnown

*** UnKnown can't find Non-existent domain

this is the full error message :Could not issue an SSL/TLS certificate for
Could not issue a Let's Encrypt SSL/TLS certificate for Authorization for the domain failed.

Invalid response from


Type: urn:ietf:params:acme:error:unauthorized

Status: 403

Detail: Incorrect TXT record "fHVdPYA4mqCDoGlUM0rBUsvTNBHl0RD1SC1QMA0if8M" (and 1 more) found at

it seems bug in Plesk : Resolved - Could not issue a Let's Encrypt SSL/TLS certificate | Plesk Forum

In your post #13 the error was for an HTTP Challenge (Plesk Non-wildcard).

But, the error about invalid TXT record is for Wildcard. Are you placing this TXT value manually in the DNS. If so, it would be better to get the non-wildcard option working as that can be automated. Is that possible?

As for your TXT record:

A TXT record is usually used at If you remove the CNAME and replace it with a TXT you won't get the NXDOMAIN anymore.

Still, it should have worked if you placed the correct TXT value in your root domain. Your currently have

dig +noall +answer TXT 46 IN CNAME  46      IN      TXT     "google-site-verification=oOA6IIDLYcjyoWInTzbnzzwtnE4p7YnjiOCzLKPXc4Q"  46      IN      TXT     "fHVdPYA4mqCDoGlUM0rBUsvTNBHl0RD1SC1QMA0if8M"

I doubt that applies. Your server is nginx. That post was for Apache


i am not using the wildcard option:

i added the TXT record manually in the root server panel (vultr) but in plesk its added automatically