HELP - Plesk renewals fails with wildcard


Using CentOS Linux 7.6.1810 (Core)
Plesk [Obsidian 18.0.21]
DNS set manually with netfirms.ca, SSH check on TXT record confirmed correct hash.

Problem trying to issue wildcard in order to use FB connect callbacks.

I have a video of the action as a .mov if needed.

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/3963287583.
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: No TXT record found at _acme-challenge.calais.news


The _acme-challenge is delegated somewhere else with a CNAME:

_acme-challenge.calais.news. 3600 IN    CNAME   calais.news.letsencrypt.vdeck.eigdyn.com.

Does Plesk know how to follow the CNAME and to update the TXT record at the target zone (in eigdyn.com), rather than creating the TXT record inside the calais.news zone?

I suspect the answer is no, and that this would prevent the process from succeeding, because you can’t stack a TXT record next to a CNAME - resolvers will follow the CNAME and ignore the TXT record.

Could you comment on why this CNAME exists and how Plesk is meant to work with it?


No idea how that cname record was added. Could have been added last year by another tech I had work on installing Letsencrypt. I have removed it. However, I think I will have to wait 72 hours before attempting to renew wildcard because of propagation?

Hi @pmlittle

that's not required.

Letsencrypt checks your authoritative name servers, so the current config is visible.

It failed again with the CNAME deleted. Any other ideas?

I am the admin for the hosting server, and these domains are mine for multiple sites. I was able to complete it with another site machiasnews.com and this site used a different DNS (godaddy). Do you think it's related to the .news?

Checking your domain - https://check-your-website.server-daten.de/?q=calais.news#txt

There is no TXT entry _acme-challenge.calais.news visible.

calais.news v=spf1 ip4:66.96.128.0/18 ?all

is a visible TXT entry.

_acme-challenge!!! Check your record…


Yes, that wrong entry

D:>nslookup -type=TXT _acme-challange.calais.news. ns1.netfirms.com.
Server: ns1.netfirms.com
Address: 65.254.254.157

_acme-challange.calais.news text =

    "cPoIlN1G4NmO_baAII1Q5a8Zrn8xaulDL0SyEQpj8Bg"

exists.

challenge != challange

Corrected spelling to _acme.challenge on the TXT record and still error.

Okay, this is looking more and more like a Netfirms.ca DNS database problem. Not updating properly and giving time for continuation in Plesk.

That's

wrong again..

Sorry, typo… I corrected it to _acme-challenge


This failed to renew with wildcard selected.

seems ns1.netfirms.com shows nothing and ns2.netfirms.com is showing correctly with _acme-challenge.calais.news

My theory is ns1.netfirms.com is not being updated and ns2 is being updated and Netfirms.com is the problem.

When I try with ANY type query I surprisingly got this:

$ nslookup -q=any _acme-challenge.calais.news. ns1.netfirms.com
;; Truncated, retrying in TCP mode.
Server:		ns1.netfirms.com
Address:	65.254.254.157#53

_acme-challenge.calais.news	text = "BbFTewcF8v0XcQUfQjOcI-feLFvpvozBdpFptGRgFm8"

You are right. I just got it also. So that means ns1 is slow to be updated and ns2 is being used as instant with netfirms.com correct?

Will Plesk remain open to continue certificate issuance for 30 minute wait for ns1 to be available? I doubt it. Plesk will auto logout and can’t continue with the issuance of the cert.
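The thread turns on three ways a DNS-01 TXT record can look present to the operator yet be invisible to Let's Encrypt: a leftover CNAME at _acme-challenge (a resolver follows it and ignores any TXT beside it), a mistyped label such as _acme-challange, and authoritative servers that disagree because one has not picked up the change yet. The following is an added example, not code from the thread, Plesk or Let's Encrypt: it simulates how a validating resolver evaluates the challenge name against constructed zone snapshots (the server names are hypothetical; the CNAME target and token value are the ones quoted in the thread) and reports, per server, which of those failure modes applies.

```python
# Added example (not from the thread): simulate DNS-01 validation against
# constructed per-nameserver zone snapshots to spot CNAME delegation,
# mistyped labels and stale servers before asking the CA to validate.
from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, str]]]   # owner name -> [(rtype, rdata), ...]


def resolve_txt(zone: Zone, name: str, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Return (final_name, txt_values), following CNAMEs the way a resolver does.

    If a CNAME exists at a name, the resolver follows it and never looks at a
    TXT record sitting next to it (a CNAME owner may carry no other data).
    Names outside this zone snapshot resolve to no records.
    """
    for _ in range(max_hops):
        rrset = zone.get(name, [])
        cname = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cname:
            return name, [rdata for rtype, rdata in rrset if rtype == "TXT"]
        name = cname[0]
    raise ValueError(f"CNAME chain ending at {name} exceeds {max_hops} hops")


def near_misses(zone: Zone, label: str) -> List[str]:
    """Owner names that look like a mistyped challenge label (e.g. _acme-challange)."""
    want = label.split(".")[0]
    return sorted(n for n in zone
                  if n != label and n.startswith("_acme") and n.split(".")[0] != want)


def check_dns01(servers: Dict[str, Zone], domain: str, token: str) -> Dict[str, dict]:
    """Evaluate the challenge name on every authoritative server independently."""
    label = f"_acme-challenge.{domain}."
    report = {}
    for ns, zone in servers.items():
        final, values = resolve_txt(zone, label)
        if token in values:
            status = "ok"
        elif final != label:
            status = "delegated"   # CNAME points elsewhere; the TXT must live at `final`
        elif values:
            status = "mismatch"    # a TXT exists, but with some other token
        else:
            status = "missing"     # nothing at the label on this server
        report[ns] = {"status": status, "answered_at": final, "txt": values,
                      "near_misses": near_misses(zone, label)}
    return report


def all_servers_agree(report: Dict[str, dict]) -> bool:
    """The CA may query any authoritative server, so every one must answer correctly."""
    return all(r["status"] == "ok" for r in report.values())


# Constructed snapshots (hypothetical server names); token and CNAME target are from the thread.
TOKEN = "BbFTewcF8v0XcQUfQjOcI-feLFvpvozBdpFptGRgFm8"
DOMAIN = "calais.news"
SERVERS: Dict[str, Zone] = {
    # Leftover CNAME: the TXT beside it is never consulted by a resolver.
    "ns-cname.example.invalid": {
        "_acme-challenge.calais.news.": [
            ("CNAME", "calais.news.letsencrypt.vdeck.eigdyn.com."),
            ("TXT", TOKEN),
        ],
    },
    # Typo in the label.
    "ns-typo.example.invalid": {"_acme-challange.calais.news.": [("TXT", TOKEN)]},
    # Secondary that has not picked up the change yet.
    "ns-stale.example.invalid": {"calais.news.": [("TXT", "v=spf1 ip4:66.96.128.0/18 ?all")]},
    # Correct record.
    "ns-ok.example.invalid": {"_acme-challenge.calais.news.": [("TXT", TOKEN)]},
}

if __name__ == "__main__":
    result = check_dns01(SERVERS, DOMAIN, TOKEN)
    for ns, r in result.items():
        print(f"{ns}: {r['status']} (answered at {r['answered_at']}, near misses: {r['near_misses']})")
    print("safe to request validation:", all_servers_agree(result))
```

Against real zones the same logic is what a `dig +norecurse @ns1 ... TXT` and `@ns2` pair checks by hand; the point of running it per server rather than through a recursive resolver is that Let's Encrypt queries the authoritative servers directly, so one stale or mis-delegated server is enough to fail the order even when the other answers correctly.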