HELP - Plesk renewal fails with wildcard

Using CentOS Linux 7.6.1810 (Core)
Plesk [Obsidian 18.0.21]
DNS set manually with, SSH check on TXT record confirmed correct hash.

Problem trying to issue wildcard in order to use FB connect call backs.

I have a video of the action as a .mov if needed.

Invalid response from
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: No TXT record found at


The _acme-challenge is delegated somewhere else with a CNAME: 3600 IN    CNAME

Does Plesk know how to follow the CNAME and to update the TXT record at the target zone (in, rather than creating the TXT record inside the zone?

I suspect the answer is no, and that this would prevent the process from succeeding, because you can’t stack a TXT record next to a CNAME - resolvers will follow the CNAME and ignore the TXT record.

Could you comment on why this CNAME exists and how Plesk is meant to work with it?


No idea how that CNAME record was added. Could have been added last year by another tech I had work on installing Let's Encrypt. I have removed it. However, I think I will have to wait 72 hours before attempting to renew wildcard because of propagation?

Hi @pmlittle

That’s not required.

Let's Encrypt checks your authoritative name servers, so the current config is visible.

It failed again with the CNAME deleted. Any other ideas?

I am the admin for hosting server, and these domains are mine for multiple sites. I was able to complete it with another site and this site used a different DNS (GoDaddy). Do you think it's related to the .news?

Checking your domain -

There is no TXT entry visible. v=spf1 ip4: ?all

is a visible TXT entry.

_acme-challenge!!! Check your record…


Yes, that wrong entry

D:>nslookup -type=TXT
Address: text =



challenge != challange

Corrected spelling to _acme.challenge on the TXT record and still error.

Okay, this is looking more and more like a DNS database problem. Not updating properly and giving time for continuation in Plesk.


wrong again…

Sorry, typo… I corrected it to _acme-challenge

This failed to renew with wildcard selected.

seems shows nothing and is showing correctly with

My theory is is not being updated and ns2 is being updated and is the problem.

When I try with ANY type query I surprisingly got this:

$ nslookup -q=any
;; Truncated, retrying in TCP mode.
Address:	text = "BbFTewcF8v0XcQUfQjOcI-feLFvpvozBdpFptGRgFm8"

You are right. I just got it also. So that means ns1 is slow to be updated and ns2 is being used as instant with correct?

Will Plesk remain open to continue certificate issuance for 30 minute wait for ns1 to be available? I doubt it. Plesk will auto logout and can’t continue with the issuance of the cert.
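
An added example, not part of the thread and not Plesk or Let's Encrypt code: a pre-flight check for the three failure modes discussed above (a CNAME at the challenge name, a misspelt record name, and authoritative name servers that disagree), to run before continuing the issuance. The names `example.com`, `ns1`/`ns2.example.com` and the token are constructed; the helper functions are hypothetical, and `fetch` assumes `dig` is installed.

```python
import difflib
import subprocess

LABEL = "_acme-challenge"

def label_problem(owner, domain):
    """None if owner is exactly _acme-challenge.<domain>, otherwise a hint."""
    want = f"{LABEL}.{domain}".lower().rstrip(".")
    got = owner.lower().rstrip(".")
    if got == want:
        return None
    close = difflib.SequenceMatcher(None, got, want).ratio() > 0.8
    return ("near miss" if close else "wrong name") + f", expected {want}"

def classify(rrset, expected):
    """Classify one server's answer, given as a list of (rtype, rdata)."""
    if any(rtype == "CNAME" for rtype, _ in rrset):
        return "cname"  # name is delegated; the TXT has to exist at the target
    values = [rdata.strip('"') for rtype, rdata in rrset if rtype == "TXT"]
    if not values:
        return "missing"
    return "ok" if expected in values else "mismatch"

def preflight(answers, expected):
    """answers maps nameserver -> rrset; ready only when every server is ok."""
    status = {ns: classify(rrset, expected) for ns, rrset in answers.items()}
    return bool(status) and all(s == "ok" for s in status.values()), status

def fetch(nameserver, name):
    """Live lookup at one authoritative server (needs dig and network access)."""
    rrset = []
    for rtype in ("CNAME", "TXT"):
        out = subprocess.run(
            ["dig", "@" + nameserver, name, rtype, "+norecurse", "+short"],
            capture_output=True, text=True, timeout=10).stdout
        rrset += [(rtype, line.strip()) for line in out.splitlines() if line.strip()]
    return rrset

# Constructed answers mirroring the thread: ns1 still stale, ns2 already updated.
SAMPLE = {
    "ns1.example.com": [],
    "ns2.example.com": [("TXT", '"constructed-token-value"')],
}

if __name__ == "__main__":
    print(preflight(SAMPLE, "constructed-token-value"))
    print(label_problem("_acme-challange.example.com", "example.com"))
```

For a live check, build `answers` by calling `fetch` once per name server listed in the zone's NS records, and only continue the validation once `preflight` reports ready.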