Error creating new certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.zsolution.ch

I ran this command:

Client within Plesk. Environment provided by hosting provider.
Worked well for other domains (roldasuisse.ch or grepalim.ch)
IP: 94.231.94.122

It produced this output:

Fehler: Let’s Encrypt-SSL/TLS-Zertifikat konnte nicht ausgestellt werden für zsolution.ch . Die Autorisierung dieser Domain ist fehlgeschlagen.
Details
(Error: certificate cannot be issued, authorization of the domain failed)

Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/wAp1xhkHsXF1fHtf0bcIfGkQ14bhVPr5MDDIG9iQrFk.
Details:
Type: urn:acme:error:connection
Status: 400
Detail: Fetching http://zsolution.ch/.well-known/acme-challenge/EE1SX8SANTBX8psTVcFmzL0N2lUulwYQMT3V7_F-OQA: Connection refused

My web server is (include version): nginx

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: www.servertown.ch
servertown support answered everything OK on their side and asked to contact you …

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk

Hi,

Is it possible that your hosting provider handles the actual validation? Because the server responds to all other queries except some true token field.

Thank you

Hi @zsolution

looks like a temporary problem of your hosting environment. Now

http://www.zsolution.ch/.well-known/acme-challenge/EE1SX8SANTBX8psTVcFmzL0N2lUulwYQMT3V7_F-OQA

works and shows correct content:

EE1SX8SANTBX8psTVcFmzL0N2lUulwYQMT3V7_F-OQA.Ixthgo8JE1ubJmdA9DOttz6DHyqzl5qZwL3mUEzV0vM

So try it again.

My provider suspects that the IP address of Let’s Encrypt has been blocked and asked me for the IP address of the Let’s Encrypt cert server …

Can your provider look at logs and see the firewall rejections? As I understand, Let’s Encrypt can use different IPs depending on location for verification, and in the future is planning on verifying from multiple locations simultaneously.

We have a number of previous threads about not whitelisting validation IP addresses. I guess the most official one is

I get the impression this was more of a “being on the blacklist” scenario than “not being on the whitelist.” I recall another user having that issue a few months ago as well.

A provider shouldn't block external access to websites.

According to the hosting provider: server / firewall checked, everything OK.

Hint found on Plesk Forum:
Note: Let’s Encrypt gives only 6 attempts to obtain a certificate in a week for a certain domain.

How does Let’s Encrypt count the attempts?
By IP or by domain name?

This is wrong. You can create 5 certificates per week with the same name set.

But there is no certificate:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:true;include_subdomains:true;domain:zsolution.ch&lu=cert_search

There is a

Failed Validation limit of 5 failures per account, per hostname, per hour

But this is also irrelevant (one hour).
