Could not issue a Let's Encrypt SSL/TLS certificate for AWS Lightsail Plesk Server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
ec2-18-203-188-57.eu-west-1.compute.amazonaws.com

I ran this command:
https://34.246.157.27:8443/modules/letsencrypt/index.php/index/secure-panel
Plesk > Tools & Settings > SSL/TLS Certificates > +LetsEncrypt > I clicked the 'Install' button

It produced this output:
Error: Could not issue a Let's Encrypt SSL/TLS certificate for ec2-18-203-188-57.eu-west-1.compute.amazonaws.com .

My web server is (include version):
Product: [Plesk Obsidian 18.0.26](https://34.246.157.27:8443/smb/web/view#), last updated at May 6, 2020 11:18 PM

The operating system my web server runs on is (include version):
OS: Ubuntu 16.04.6 LTS

My hosting provider, if applicable, is:
AWS Lightsail
Hostname: ec2-18-203-188-57.eu-west-1.compute.amazonaws.com

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes
Plesk Obsidian 18.0.27

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
My LetsEncrypt Plugin Version is: 2.10.0-621

Not sure about the Certbot

ubuntu@ec2-18-203-188-57:~$ certbot --version
certbot: command not found
ubuntu@ec2-18-203-188-57:~$ certbot-auto --version
certbot-auto: command not found
ubuntu@ec2-18-203-188-57:~$

Hello LetsEncrypt.

I'm trying to secure the login to my AWS Lightsail Plesk Server with an SSL certificate.

When I go to my server I'm greeted by the Chrome certificate error screen.

Upon logging in Security Advisor tells me to secure my server with an SSL certificate.

But when I try to install the LetsEncrypt certificate on my AWS Lightsail Server, I get an error message to say my domain is probably blacklisted.

I opened a Forum Thread on the Plesk Community Forum here:

Their advice was to follow the instructions here:
https://support.plesk.com/hc/en-us/articles/213954265-How-to-secure-Plesk-login-page-URL-with-SSL-certificate

Which I did!

But Step 5 says:

Note: The hostname/domain name must be resolved to a public IP address of the Plesk server from the Internet.

On trying this step, MxToolBox finds a different IP address for the name of my server (18.203.xxx.xx) than the IP address (34.246.xxx.xxx) that has been assigned to my server by AWS and that I used to log in under. (I hope that makes sense)

Issuing the certificate fails:

**Error:** Could not issue a Let's Encrypt SSL/TLS certificate for **ec2-18-203-188-57.eu-west-1.compute.amazonaws.com**.

Perhaps this domain is at risk group and is blacklisted on the Let's Encrypt side.
[See the related Knowledge Base article for details.](https://support.plesk.com/hc/en-us/articles/115002506633)

Invalid response from https://acme-v02.api.letsencrypt.org/acme/new-order.
Details:
Type: urn:ietf:params:acme:error:rejectedIdentifier
Status: 400
Detail: Error creating new order :: Cannot issue for "ec2-18-203-188-57.eu-west-1.compute.amazonaws.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy

Any help is appreciated.

Thanks in advance.


Let’s Encrypt does not allow issuing certificates for the EC2 amazonaws.com hostnames at all. If I recall, this is because they are considered to be ephemeral - you don’t really own it and as soon as you terminate your instance, somebody else might get it.

You need to get your own domain name and use it for your Plesk server.


Hi @LordLiverpool

you can't create a certificate with that top level domain.

Use your own domain name.


@JuergenAuer @_az Thanks for replying! 🙂

I have successfully issued Let’s Encrypt certificates for all the websites (domains) hosted on my Plesk Server.

To recap, @_az said AWS servers are ephemeral and @JuergenAuer said the name of my server is someone else's domain, i.e. amazonaws.com. Doh! Of course. Thanks, that makes sense.

I don't think there is an option to rename the Lightsail server. I think its name is auto-assigned to me, but I could be wrong?!? Therefore, is it impossible to secure a Plesk Server provisioned from AWS?

Thanks.


That's not required.

Use your own domain name pointing to that server, configure your Plesk so that domain name is known.

There are a lot of users with the same configuration.


https://support.plesk.com/hc/en-us/articles/213941265--How-to-change-or-get-the-server-hostname-on-Plesk-server might help. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-hostname.html too.

With some clouds (like Google) it can be a pain to persist the changed hostname through reboots, but I think it’s pretty straightforward on AWS - you just change it in Linux/Plesk, and it’ll remember.

The hostname reported in the EC2 console doesn’t really matter - the place you need to change it is inside the operating system and/or Plesk itself.


@JuergenAuer It's great to know it's possible, thanks.

OK, the closest I found to what you meant was here:

and here:

https://support.plesk.com/hc/en-us/articles/213954265--How-to-secure-a-Plesk-hostname-on-port-8443-with-an-SSL-certificate-Let-s-Encrypt-other-certificate-authorities-

For anyone following on behind me it was this comment that really helped:

After assigning a Let's Encrypt certificate to a subdomain just go to Tools & Settings > SSL/TLS Certificates

Find the option Certificate for securing Plesk and click on [Change] button right to it.

Choose the certificate assigned to subdomain and click OK .

I followed the instructions and I used the Let's Encrypt Certificate I had installed on one of my own domains and I assigned it to the server and also to secure the mail.

So now I no longer access the server insecurely via its IP address i.e. http://xxx.xxx.xxx.xxx:8443

but instead securely like so: https://example.com:8443

Thanks very much, guys, I couldn't have fixed it without your help!

Cheers.


@_az

Thanks for the heads-up on this.

I will now rename my server to something more meaningful.

Cheers.


hmm, trying to understand this as I'm in the same situation (AWS EC2 instance). So if I own mydomain.com and I host an app (Grafana in my case, hosted in an AWS instance xxxxxx.compute.amazonaws.com), I can use certbot on the AWS EC2 instance to create the certs for mydomain.com, e.g.

sudo certbot certonly -d mydomain.com

and use the certs generated in Grafana and then access Grafana securely (https) via mydomain.com?


Hi @tfmeier

yes, that's possible.

But that's the general idea of how http validation works; it is not AWS-specific.

Different domains point to the same ip address -->> you can create certificates for each of these domain names via http validation.

PS: So the host name of the server isn't really relevant.

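The HTTP-01 flow described in the reply above, as an added example (this is not code from the thread, from Let's Encrypt, or from certbot): the key authorization is `token.thumbprint(account key)` per RFC 8555 section 8.1 and RFC 7638, and a stand-in for the CA side resolves each name, fetches `/.well-known/acme-challenge/<token>` and compares. Every name that resolves to the one server validates on its own; the server's own hostname never enters into it. The names, the 203.0.113.x addresses, the token and the account key coordinates are constructed, the DNS and HTTP lookups are dicts rather than real network calls, and `BLOCKED_SUFFIXES` is an assumption modelled on the `rejectedIdentifier` error quoted in the thread (the CA's real policy list is not on this page).

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the body the web server must return at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# Assumption modelled on the rejectedIdentifier error in the thread: names under these suffixes are
# refused by policy before any validation happens. The real policy list is not on this page.
BLOCKED_SUFFIXES = (".amazonaws.com",)


def http01_check(names, dns, servers, token, account_jwk):
    """Stand-in for the CA side of HTTP-01: policy check, resolve the name, fetch the challenge path, compare.

    `dns` maps name -> IP and `servers` maps IP -> {path: body}; both are constructed dicts,
    not real DNS or HTTP lookups. Returns one status string per name.
    """
    expected = key_authorization(token, account_jwk)
    status = {}
    for name in names:
        if name.endswith(BLOCKED_SUFFIXES):
            status[name] = "rejectedIdentifier"  # refused by policy, as the amazonaws.com name was above
            continue
        ip = dns.get(name)
        if ip is None:
            status[name] = "dns"  # the CA cannot resolve the name, so the request never reaches the server
            continue
        body = servers.get(ip, {}).get(f"/.well-known/acme-challenge/{token}")
        status[name] = "valid" if body == expected else "invalid"
    return status


# Constructed account key: the coordinates are placeholders, not a real P-256 point.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"constructed-x"), "y": b64url(b"constructed-y")}


def run_example():
    """Several names resolve to one server (203.0.113.10, a documentation address); each validates on its own."""
    token = "constructed-token"
    dns = {
        "example.com": "203.0.113.10",
        "grafana.example.com": "203.0.113.10",
        "stale.example.com": "203.0.113.20",  # points at an old address, like the second IP MxToolBox reported
        "ec2-18-203-188-57.eu-west-1.compute.amazonaws.com": "203.0.113.10",
    }
    # One web root answers for every name that reaches 203.0.113.10; the ACME client wrote the challenge file there.
    servers = {"203.0.113.10": {f"/.well-known/acme-challenge/{token}": key_authorization(token, ACCOUNT_JWK)}}
    names = list(dns) + ["nxdomain.example.com"]
    return http01_check(names, dns, servers, token, ACCOUNT_JWK)


if __name__ == "__main__":
    for name, result in run_example().items():
        print(f"{name}: {result}")
```

The two failure modes worth knowing: a name whose DNS points at the wrong address comes back `invalid` because the CA fetched from a server that never had the file, and a name the CA refuses by policy never gets as far as a challenge at all.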

Thanks. I think I made some progress.

Was able to generate certs for my own domain but when starting up Grafana I get a permission error

t=2020-06-06T03:25:43+0000 lvl=info msg="HTTP Server Listen" logger=http.server address=[::]:443 protocol=https subUrl= socket=
t=2020-06-06T03:25:43+0000 lvl=eror msg="Stopped HTTPServer" logger=server reason="open /etc/letsencrypt/live/ha.meierfamily.rocks/privkey.pem: permission denied"
t=2020-06-06T03:25:43+0000 lvl=info msg="Stopped Stream Manager"
t=2020-06-06T03:25:43+0000 lvl=eror msg="A service failed" logger=server err="open /etc/letsencrypt/live/ha.meierfamily.rocks/privkey.pem: permission denied"
t=2020-06-06T03:25:43+0000 lvl=eror msg="Server shutdown" logger=server reason="open /etc/letsencrypt/live/ha.meierfamily.rocks/privkey.pem: permission denied"

The file permissions look alright in live

ubuntu@ip-172-31-14-87:~$ ll /etc/letsencrypt/live/ha.meierfamily.rocks
total 12
drwxr-xr-x 2 root sslcerts 4096 Jun  6 02:11 ./
drwxr-xr-x 3 root sslcerts 4096 Jun  6 02:11 ../
-rw-r--r-- 1 root sslcerts  692 Jun  6 02:11 README
lrwxrwxrwx 1 root sslcerts   44 Jun  6 02:11 cert.pem -> ../../archive/ha.meierfamily.rocks/cert1.pem
lrwxrwxrwx 1 root sslcerts   45 Jun  6 02:11 chain.pem -> ../../archive/ha.meierfamily.rocks/chain1.pem
lrwxrwxrwx 1 root sslcerts   49 Jun  6 02:11 fullchain.pem -> ../../archive/ha.meierfamily.rocks/fullchain1.pem
lrwxrwxrwx 1 root sslcerts   47 Jun  6 02:11 privkey.pem -> ../../archive/ha.meierfamily.rocks/privkey1.pem
ubuntu@ip-172-31-14-87:~$

but not in archive

ubuntu@ip-172-31-14-87:~$ ll /etc/letsencrypt/archive/ha.meierfamily.rocks
total 24
drwxr-xr-x 2 root sslcerts 4096 Jun  6 02:11 ./
drwxr-xr-x 3 root sslcerts 4096 Jun  6 02:11 ../
-rw-r--r-- 1 root sslcerts 1923 Jun  6 02:11 cert1.pem
-rw-r--r-- 1 root sslcerts 1647 Jun  6 02:11 chain1.pem
-rw-r--r-- 1 root sslcerts 3570 Jun  6 02:11 fullchain1.pem
-rw------- 1 root sslcerts 1704 Jun  6 02:11 privkey1.pem
ubuntu@ip-172-31-14-87:~$

and attempting to change it via

chmod 755 /etc/letsencrypt/archive

didn’t change the permissions

Any idea what’s going on?

Still haven’t gotten this to work.

I know this is not really a Let’s Encrypt question but as far as I understand Linux there are symbolic links from …/live/privkey.pem to …/archive…privkey1.pem for instance.
So even if the file permissions in directory /archive were correct, why are these archive files created in the first place? And why do you think it is that I can't change the permissions in directory /archive?

Just a quick update that I managed to fix this finally although not sure why this would work.

I was saying that the file permissions in directory archive don’t look right so I applied

chmod 755 /etc/letsencrypt/archive

What I did next is to apply the command directly to the .pem files. Permission is ok and the server starts. Why would the command not work on the directory?

As an aside, why do the certs expire in 3 short months, meaning I have to redo this, I reckon?

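Added example, not code from the thread or from certbot: a small Python model of the permission check that Grafana's `open()` of `privkey.pem` failed. It parses the two `ll` listings posted above (only the directory and key lines are reproduced, as constructed input), walks the `live` symlink to `archive` the way the kernel does (search permission on every directory, then read permission on the final file), and replays the poster's `chmod` attempts for a hypothetical non-root `grafana` service user. It shows why `chmod 755 /etc/letsencrypt/archive` changes nothing (chmod on a directory never touches the files inside it), that `chmod 755` on `privkey1.pem` does make Grafana start but leaves the private key readable by every account on the machine, and that `640` plus membership in the owning group grants only the service read access. The `grafana`, `nobody` and `sslcerts` group names, and the `0755 root:root` modes assumed for `/etc` and `/etc/letsencrypt` (which the post does not list), are assumptions.

```python
import posixpath
import re
from dataclasses import dataclass, replace
from typing import Optional

# Constructed input: the relevant lines of the two `ll` listings quoted in the post above.
LIVE_DIR = "/etc/letsencrypt/live/ha.meierfamily.rocks"
LIVE_LISTING = """\
drwxr-xr-x 2 root sslcerts 4096 Jun  6 02:11 ./
drwxr-xr-x 3 root sslcerts 4096 Jun  6 02:11 ../
lrwxrwxrwx 1 root sslcerts   49 Jun  6 02:11 fullchain.pem -> ../../archive/ha.meierfamily.rocks/fullchain1.pem
lrwxrwxrwx 1 root sslcerts   47 Jun  6 02:11 privkey.pem -> ../../archive/ha.meierfamily.rocks/privkey1.pem
"""
ARCHIVE_DIR = "/etc/letsencrypt/archive/ha.meierfamily.rocks"
ARCHIVE_LISTING = """\
drwxr-xr-x 2 root sslcerts 4096 Jun  6 02:11 ./
drwxr-xr-x 3 root sslcerts 4096 Jun  6 02:11 ../
-rw-r--r-- 1 root sslcerts 3570 Jun  6 02:11 fullchain1.pem
-rw------- 1 root sslcerts 1704 Jun  6 02:11 privkey1.pem
"""
# mode, links, owner, group, size, month, day, time, name [-> target]
LS_LINE = re.compile(r"^([dl-][rwx-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\w+\s+\d+\s+[\d:]+\s+(.+?)(?:\s+->\s+(\S+))?$")


@dataclass(frozen=True)
class Entry:
    mode: str                     # e.g. "-rw-------"
    owner: str
    group: str
    target: Optional[str] = None  # symlink destination, if this entry is a symlink


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset             # primary plus supplementary group names


# Assumption for /etc and /etc/letsencrypt, which the post does not list.
DEFAULT_DIR = Entry("drwxr-xr-x", "root", "root")


def load_listing(fs, dirpath, text):
    """Parse `ls -alF` lines into fs (absolute path -> Entry); './' and '../' describe the directory and its parent."""
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            mode, owner, group, name, target = m.groups()
            name = name.rstrip("/")
            path = {".": dirpath, "..": posixpath.dirname(dirpath)}.get(name) or posixpath.join(dirpath, name)
            fs[path] = Entry(mode, owner, group, target)


def allows(entry, user, perm):
    """Unix DAC: the owner triplet if you own it, else the group triplet if you are in the group, else other."""
    if user.name == "root":
        return True  # root bypasses discretionary permission bits
    bits = entry.mode[1:]
    triplet = bits[0:3] if user.name == entry.owner else bits[3:6] if entry.group in user.groups else bits[6:9]
    return perm in triplet


def can_read(fs, path, user, max_links=8):
    """Need 'x' on every directory on the way, follow symlinks (relative to their own directory), then 'r' on the file."""
    for _ in range(max_links):
        parts = path.strip("/").split("/")
        for i in range(1, len(parts)):
            d = "/" + "/".join(parts[:i])
            if not allows(fs.get(d, DEFAULT_DIR), user, "x"):
                return False, f"cannot traverse {d}"
        entry = fs.get(path)
        if entry is None:
            return False, f"{path} does not exist"
        if entry.target is not None:
            path = posixpath.normpath(posixpath.join(posixpath.dirname(path), entry.target))
            continue
        return allows(entry, user, "r"), f"{path} is {entry.mode} {entry.owner}:{entry.group}"
    return False, "too many levels of symbolic links"


def chmod(fs, path, octal):
    """Rewrite one entry's mode bits, as chmod does; it never touches entries inside a directory."""
    bits = "".join(("r" if b & 4 else "-") + ("w" if b & 2 else "-") + ("x" if b & 1 else "-")
                   for b in ((octal >> s) & 7 for s in (6, 3, 0)))
    fs[path] = replace(fs[path], mode=fs[path].mode[0] + bits)


def scenarios():
    """Replay the post for a hypothetical non-root 'grafana' service user opening live/.../privkey.pem."""
    grafana = User("grafana", frozenset({"grafana"}))
    grafana_in_sslcerts = User("grafana", frozenset({"grafana", "sslcerts"}))
    nobody = User("nobody", frozenset({"nogroup"}))  # any unrelated account: "is the key world-readable?"
    key, archived_key = posixpath.join(LIVE_DIR, "privkey.pem"), posixpath.join(ARCHIVE_DIR, "privkey1.pem")
    fs = {}
    load_listing(fs, LIVE_DIR, LIVE_LISTING)
    load_listing(fs, ARCHIVE_DIR, ARCHIVE_LISTING)
    out = {"as posted": can_read(fs, key, grafana)[0],
           "in sslcerts, key 0600": can_read(fs, key, grafana_in_sslcerts)[0]}
    chmod(fs, "/etc/letsencrypt/archive", 0o755)  # the poster's first attempt: the directory only
    out["after chmod 755 archive"] = can_read(fs, key, grafana_in_sslcerts)[0]
    chmod(fs, archived_key, 0o755)  # the poster's eventual fix, applied to the .pem file itself
    out["after chmod 755 key"] = can_read(fs, key, grafana)[0]
    out["755 key readable by anyone"] = can_read(fs, key, nobody)[0]
    chmod(fs, archived_key, 0o640)  # least-privilege alternative: group read plus group membership
    out["after chmod 640 key, in sslcerts"] = can_read(fs, key, grafana_in_sslcerts)[0]
    out["640 key readable by anyone"] = can_read(fs, key, nobody)[0]
    return out


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label}: {'readable' if ok else 'permission denied'}")
```

The symlinks in `live` are what let certbot rotate files in `archive` on each renewal without changing the paths a service is configured with, which is also why a permission fix has to be applied to the target file (or carried out by a renewal hook that copies the new key to a location the service owns), since the next renewal writes a fresh `privkey2.pem` with the default `0600`.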
