Cannot install SSL Certificate

Mokonzi · September 4, 2020, 8:58pm

Hi guys, I tried to install the certificate via plesk but I constantly get this error message:

SSL/TLS-Zertifikat konnte für smarterapps.io nicht ausgestellt werden.
Details:

Let’s Encrypt-SSL/TLS-Zertifikat konnte nicht ausgestellt werden für smarterapps.io . Die Autorisierung dieser Domain ist fehlgeschlagen.
Details

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/6988110842.

Details:

Type: urn:ietf:params:acme:error:dns

Status: 400

Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.smarterapps.io - check that a DNS record exists for this domain

I issued the certificate already for a different domain on the same server also on plesk and it worked. But for the domain below it does not work.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: smarterapps.io

I ran this command: I did not run any command

It produced this output: no output

My web server is (include version):

The operating system my web server runs on is (include version): Virtual Server Linux Level 1 (v1605.12)

My hosting provider, if applicable, is: Strato

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Plesk Obsidian v18.0.29_build1800200825.21 os_Ubuntu 18.04

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): no

Thanks for your help.

JuergenAuer · September 4, 2020, 9:19pm

Hi @Mokonzi

checking your domain there is no required TXT entry - see smarterapps.io - Make your website better - DNS, redirects, mixed content, certificates - the TXT part.

But your name servers:

. Name Servers
Domain Nameserver NS-IP
www.smarterapps.io
• ns1027.ui-dns.org

smarterapps.io
• ns1027.ui-dns.org / dns-pub-de-fra-fr701.server.lan
217.160.83.27
Frankfurt am Main/Hesse/Germany (DE) - AS8560 anycast •

• 
2001:8d8:fe:53:0:d9a0:531b:100

Suedweststadt/Baden-Württemberg/Germany (DE) - AS8560 anycast •

ns1027.ui-dns.org - looks like 1&1, not Strato.

So if your local Plesk creates the required TXT entry, that can't work.

How are the TXT entries are created?

Mokonzi · September 4, 2020, 9:55pm

Hi @JuergenAuer,

thanks for your quick reply. I bought the domain at ionos and redirect them to plesk. Please see attached screenshot.

Thanks.

JuergenAuer · September 4, 2020, 10:00pm

There you see the problem.

That’s not your public visible name server, that’s a private Plesk zone.

So the Plesk created _acme-challenge RR isn’t global visible, so Letsencrypt can’t check that.

I don’t use Plesk, so I don’t know if it is a wrong configuration or if it is impossible.

Mokonzi · September 4, 2020, 10:10pm

I have another domain “pocketnews.io” from the same provider running on plesk and letsencrypt runs perfectly. Not sure if it has the same configuration.

JuergenAuer · September 5, 2020, 6:11am

Ah, thanks. So you see: There is another hidden configuration.

See the check - pocketnews.io - Make your website better - DNS, redirects, mixed content, certificates

Same situation:

All public visible name servers are *ui-dns.org name servers, so your "internal defined name server"

pocketnews.io NS ns1.pocketnews.io

isn't public visible / doesn't exist / isn't relevant.

So that TXT entry isn't public visible -> Letsencrypt can't check that -> you can't create a certificate.

Looks like in reality you use http validation, not dns validation.

JuergenAuer · September 5, 2020, 7:09am

PS: Yep, see the #ct-logs - part:

Issuer	not before	not after	Domain names
Let's Encrypt Authority X3	2020-08-14	2020-11-12	pocketnews.io, www.pocketnews.io - 2 entries
Let's Encrypt Authority X3	2020-07-19	2020-10-17	pocketnews.io - 1 entries
Let's Encrypt Authority X3	2020-07-16	2020-10-14	pocketnews.io, tls.automattic.com, videogta.movie.blog, www.pocketnews.io, www.videogta.movie.blog - 5 entries
Let's Encrypt Authority X3	2020-07-15	2020-10-13	pocketnews.io, tls.automattic.com, www.pocketnews.io - 3 entries

There is no wildcard, so it's possible to create these certificates via http validation.

Mokonzi · September 5, 2020, 7:22am

Thank you very much for your help and effort. How can I fix this ? What would you recommend ?
Thanks…

JuergenAuer · September 5, 2020, 8:48am

I don't know, never used Plesk. It's a Plesk problem, Plesk should use http validation, not dns validation.

-->> ask in a Plesk forum.

Mokonzi · September 5, 2020, 10:44am

Ok, thanks Juergen.

system · October 5, 2020, 10:44am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't install SSL Certificat for my domain on plesk, Thank you for your help Help	3	518	January 2, 2021
Error trying to install lets encrypt on Plesk Help	4	2110	January 10, 2020
Problem getting new certificate with Plesk (solved) Help	5	453	June 22, 2023
Installing SSL on a Sub Domain - Plesk 12.5 Server	4	2335	March 2, 2017
I got an SSL/TLS certificate from letsencrypt, from PLESK Help	3	535	September 24, 2022

Cannot install SSL Certificate

Related topics