Cannot install SSL Certificate

Hi guys, I tried to install the certificate via plesk but I constantly get this error message:

SSL/TLS-Zertifikat konnte für smarterapps.io nicht ausgestellt werden.
Details:

Let’s Encrypt-SSL/TLS-Zertifikat konnte nicht ausgestellt werden für smarterapps.io . Die Autorisierung dieser Domain ist fehlgeschlagen.
Details

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/6988110842.

Details:

Type: urn:ietf:params:acme:error:dns

Status: 400

Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.smarterapps.io - check that a DNS record exists for this domain

I issued the certificate already for a different domain on the same server also on plesk and it worked. But for the domain below it does not work.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: smarterapps.io

I ran this command: I did not run any command

It produced this output: no output

My web server is (include version):

The operating system my web server runs on is (include version): Virtual Server Linux Level 1 (v1605.12)

My hosting provider, if applicable, is: Strato

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Plesk Obsidian v18.0.29_build1800200825.21 os_Ubuntu 18.04

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): no

Thanks for your help.

Hi @Mokonzi

checking your domain there is no required TXT entry - see https://check-your-website.server-daten.de/?q=smarterapps.io#txt - the TXT part.

But your name servers:

. Name Servers
Domain Nameserver NS-IP
www.smarterapps.io
ns1027.ui-dns.org

smarterapps.io
ns1027.ui-dns.org / dns-pub-de-fra-fr701.server.lan
217.160.83.27
Frankfurt am Main/Hesse/Germany (DE) - AS8560 anycast •

• 
2001:8d8:fe:53:0:d9a0:531b:100

Suedweststadt/Baden-Württemberg/Germany (DE) - AS8560 anycast •

ns1027.ui-dns.org - looks like 1&1, not Strato.

So if your local Plesk creates the required TXT entry, that can’t work.

How are the TXT entries are created?

1 Like

Hi @JuergenAuer,

thanks for your quick reply. I bought the domain at ionos and redirect them to plesk. Please see attached screenshot.

Thanks.

1 Like

There you see the problem.

That’s not your public visible name server, that’s a private Plesk zone.

So the Plesk created _acme-challenge RR isn’t global visible, so Letsencrypt can’t check that.

I don’t use Plesk, so I don’t know if it is a wrong configuration or if it is impossible.

1 Like

I have another domain “pocketnews.io” from the same provider running on plesk and letsencrypt runs perfectly. Not sure if it has the same configuration.

Ah, thanks. So you see: There is another hidden configuration.

See the check - https://check-your-website.server-daten.de/?q=pocketnews.io

Same situation:

All public visible name servers are *ui-dns.org name servers, so your “internal defined name server”

pocketnews.io NS ns1.pocketnews.io

isn’t public visible / doesn’t exist / isn’t relevant.

So that TXT entry isn’t public visible -> Letsencrypt can’t check that -> you can’t create a certificate.

Looks like in reality you use http validation, not dns validation.

1 Like

PS: Yep, see the #ct-logs - part:

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2020-08-14 2020-11-12 pocketnews.io, www.pocketnews.io - 2 entries
Let’s Encrypt Authority X3 2020-07-19 2020-10-17 pocketnews.io - 1 entries
Let’s Encrypt Authority X3 2020-07-16 2020-10-14 pocketnews.io, tls.automattic.com, videogta.movie.blog, www.pocketnews.io, www.videogta.movie.blog - 5 entries
Let’s Encrypt Authority X3 2020-07-15 2020-10-13 pocketnews.io, tls.automattic.com, www.pocketnews.io - 3 entries

There is no wildcard, so it’s possible to create these certificates via http validation.

1 Like

Thank you very much for your help and effort. How can I fix this ? What would you recommend ?
Thanks…

1 Like

I don’t know, never used Plesk. It’s a Plesk problem, Plesk should use http validation, not dns validation.

–>> ask in a Plesk forum.

1 Like

Ok, thanks Juergen. :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.