"Could not renew Let's Encrypt certificates for ..."

Our old host was hosting our website (www.kv-sachsen.de) and our committee portal (gremieninfo.kv-sachsen.de). Our website was renewed and is being hosted at a new host. The portal remained on the old host for now, until it is migrated to the new host.

We've been using Let's Encrypt SSL certificates for quite some time now and the automatic update 30 days before expiry always worked fine. This is a Plesk web server, where we have a web interface to manage some settings. This was used to create the certificates when the portal was set up.

Now I did receive an email saying the certificate for the portal couldn't be renewed, and trying to do so manually doesn't work either.

I get the following error:

Error message from the mail:

Could not renew Lets Encrypt certificates for [...]. Please log in to Plesk and renew the certificates listed below manually. Renewal of the following Lets Encrypt certificates has failed:

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/11440028326.

Details:

Type: urn:ietf:params:acme:error:connection

Status: 400

Detail: Fetching https://acme-challenge.localhost/.well-known/acme-challenge/pTgitZKfnxf7FmrQRm4k6YKb1XToLIWd_NaWekJnLpU: Invalid hostname in redirect target, must end in IANA registered TLD

Error message from the webinterface

SSL/TLS certificate could not be issued for gremieninfo.kv-sachsen.de.
Details:
Let's Encrypt SSL/TLS certificate could not be issued for gremieninfo.kv-sachsen.de. Authorization of this domain failed.
Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/11481426064.

Details:

Type: urn:ietf:params:acme:error:connection

Status: 400

Detail: Fetching https://acme-challenge.localhost/.well-known/acme-challenge/ltlN106yrr64cYSknR5WDxF_tC6CuJL8NJwYxngpJxo: Invalid hostname in redirect target, must end in IANA registered TLD

We are not quite ready to migrate the portal to the new host, thus it would be great if you could help me figure out how to secure my portal's domain for another 90 days.

Thanks in advance!

My domain is: gremieninfo.kv-sachsen.de

I ran this command:

It produced this output:

My web server is (include version): Plesk Obsidian (18.0.32)

The operating system my web server runs on is (include version): Plesk Obsidian 18.0.32

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk webinterface

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @KVS

please read your error message:

Your server redirects to .localhost, that's not a valid domain name.

Thank you for the quick reply.

I was actually not picking up on this. But where is this configured? And why did it stop working all of a sudden?

I don't know what software is responsible for this configuration, but you can see an interesting difference between the behavior of these two URLs:

http://gremieninfo.kv-sachsen.de/test.txt
http://gremieninfo.kv-sachsen.de/.well-known/acme-challenge/test.txt

The first generates an HTTP 404 error, while the second redirects to acme-challenge.localhost, which fails.

Also, if you look with a non-browser web client like curl, you can see that both use an HTTP 301 redirect message, but the first (working) one has a text body in German ("<h1>Objekt verschoben</h1>Dieses Dokument befindet sich möglicherweise <a HREF="https://gremieninfo.kv-sachsen.de/test.txt">hier</a>" [German: "Object moved. This document may be found here"]), while the second (non-working) one has a text body in English ("<h1>Moved Permanently</h1><p>The document has moved <a href="https://acme-challenge.localhost/.well-known/acme-challenge/test.txt">here</a>").

These differences suggest that some software in your environment has created an explicit special case for /.well-known or /.well-known/acme-challenge, but that the special case is incorrect somehow. I think it's probably Plesk, and, if so, probably a bug in Plesk!


Or a misconfiguration in Plesk? I have no experience with Plesk, so I cannot say. But perhaps Plesk uses the hostname of the machine it runs on somewhere in its code? Or defaults to "localhost" if a certain setting isn't entered? Just guessing here :)


Hi,

and sorry for the late response, I was out of office last week on short notice.

Thanks for your feedback, which helped me figure out the solution. We have an .htaccess file that's probably for redirecting from http to https. Upon removing this, or probably better, configuring an exclusion for the /.well-known/acme-challenge folder, the SSL certificate could be renewed without problem.

I don't know why it suddenly stopped working like this, but it's probably due to an update to Plesk.

Anyway, my problem is solved for now, and we should be able to move our system to the new host within the next 90 days anyway.

Thanks again!
Best regards.
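As an added example that is not part of the original thread: a shell script that performs the curl comparison from the earlier reply programmatically (fetch a normal path and an ACME challenge path, read the Location header, and flag a redirect target the ACME server would reject) and writes the .htaccess exclusion the last reply describes. The function names, the document-root argument and the sample headers are my own; the TLD check only approximates the "IANA registered TLD" rule by rejecting reserved names such as .localhost and bare or numeric hosts, and `probe_host` needs network access. Everything else runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): diagnose the HTTP-01 redirect
# problem and write an .htaccess that exempts the ACME challenge path.
set -euo pipefail

# Print the Location header value from raw HTTP response headers on stdin,
# or nothing if the response is not a redirect.
location_of() {
  tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# Hostname part of a URL of the form scheme://host[:port]/path.
host_of() {
  printf '%s' "$1" | sed -E 's#^[a-zA-Z]+://##; s#[/:?].*$##'
}

# Approximation of the ACME server's rule: the redirect target must be a
# multi-label hostname whose last label is alphabetic and not a reserved
# name (RFC 2606 / special-use), so ".localhost", "localhost" and IPs fail.
# Returns 0 if the target is acceptable, 1 otherwise.
redirect_target_ok() {
  local url="$1" host tld
  host=$(host_of "$url")
  [ -n "$host" ] || return 1
  case "$host" in *.*) ;; *) return 1 ;; esac
  tld="${host##*.}"
  case "$tld" in
    localhost|local|test|invalid|example) return 1 ;;
  esac
  printf '%s' "$tld" | grep -Eq '^[A-Za-z]{2,}$'
}

# Classify the headers on stdin: "ok", "no-redirect" or "bad-target <host>",
# the last being the case the thread's error message describes.
classify_headers() {
  local loc
  loc=$(location_of)
  if [ -z "$loc" ]; then
    echo "no-redirect"
  elif redirect_target_ok "$loc"; then
    echo "ok"
  else
    echo "bad-target $(host_of "$loc")"
  fi
}

# Live probe of the two URLs compared in the thread (requires network).
probe_host() {
  local host="$1" path
  for path in /test.txt /.well-known/acme-challenge/test.txt; do
    printf '%-55s ' "http://$host$path"
    curl -sS -o /dev/null -D - --max-time 10 "http://$host$path" | classify_headers
  done
}

# Write an .htaccess that forces HTTPS but leaves the ACME challenge path
# untouched. The pass-through rule must come before the redirect. The
# directory argument is whatever the vhost's document root is (assumed).
write_https_redirect_htaccess() {
  local docroot="$1"
  cat > "$docroot/.htaccess" <<'EOF'
RewriteEngine On
# Let ACME HTTP-01 challenges through without any redirect
RewriteRule ^\.well-known/acme-challenge/ - [L]
# Everything else: permanent redirect to HTTPS on the same host
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
EOF
}

# Usage (not run here):
#   probe_host gremieninfo.kv-sachsen.de
#   write_https_redirect_htaccess /path/to/httpdocs
```

Run `probe_host` against the domain before and after the change: the challenge path should report `ok` (a redirect to the same hostname over HTTPS, which the ACME server follows) or `no-redirect`, never `bad-target`. Note that a redirect to HTTPS is fine for HTTP-01 as long as the target hostname is valid; the exclusion rule simply removes the redirect from the equation for the challenge path.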
