Install SSL certificate issue

Farid · May 16, 2023, 5:59pm

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: AWS Lightsail with Plesk

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk

I can't install SSL certificate into my domain venus-dating.com when I try to do it through Plesk I'm getting the issue below:
2a0xxxxxxxxxxxec: Invalid response from http://venus-dating.com/.well-known/acme-challenge/Nmrm656mA4t9D1SNlLRzwfQU8MnSLTE40rZmMq1ME1c: 404

I used to host my domain with Contabo and it was working perfectly (installation, renewal...) but since I moved the domain and DNS management to AWS Lightsail & AWS Route53 I can't install SSL through Plesk.
It seems like with Contabo, Let's encrypt was able to update automatically DNS entry (CNAME) on each renewal, but it seems to be not working like this with Route 53.

Domain & Website files are located in Plesk.

Any help will be very appreciated!

rg305 · May 16, 2023, 6:03pm

Hi @Farid, and welcome to the LE community forum

It is hard to say for sure what the problem is; As your site is not open to everyone.
As a test, I would try removing the AAAA record from DNS.

Farid · May 16, 2023, 7:14pm

Hi,
What do you mean by the site is not open to everyone?
I will remove AAA entries which have been generated automatically by Plesk but not sure that will solve thé issue as they weren't set before.

Osiris · May 16, 2023, 7:20pm

From my point of view, IPv4 and IPv6 seem to point to the same server.

Experience with Plesk on this Community is fairly limited, you might have more success with a Plesk-specific Community.

rg305 · May 16, 2023, 7:22pm

Bruce5051 · May 16, 2023, 7:25pm

And also shown here Permanent link to this check report

Bruce5051 · May 16, 2023, 7:28pm

Port 443 (for HTTPS) is closed on both IPv6 and IPv4 addresses

>nmap  -6 -Pn -p80,443 venus-dating.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-16 19:26 UTC
Nmap scan report for venus-dating.com (2a05:d012:890:6e00:ad30:705e:dd26:64ec)
Host is up (0.13s latency).
Other addresses for venus-dating.com (not scanned): 35.181.129.231

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 2.13 seconds

>nmap -4 -Pn -p80,443 venus-dating.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-16 19:26 UTC
Nmap scan report for venus-dating.com (35.181.129.231)
Host is up (0.14s latency).
Other addresses for venus-dating.com (not scanned): 2a05:d012:890:6e00:ad30:705e:dd26:64ec
rDNS record for 35.181.129.231: ec2-35-181-129-231.eu-west-3.compute.amazonaws.com

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Farid · May 16, 2023, 7:34pm

Oh...good to know that.
I confirm that Ipv4 and IPv6 are pointing to the same server.
Should I disbale IPV6?
Is there a CLI command to open port 443?

Bruce5051 · May 16, 2023, 7:35pm

Here is a list of issued certificates https://crt.sh/?q=venus-dating.com

And here are the DNS Records DNS Spy report for venus-dating.com; not the wildcard crt.sh | 9402815424 (i.e. *.venus-dating.com) can cover all the servers the other one just venus-dating.com & www.venus-dating.com

Farid · May 16, 2023, 7:51pm

@Bruce5051 Many thanks for these useful tips as I'm a newbie and started to launch my server.
So If I'm correct, SSL certificate is correctly installed on domain venus-dating.com, right?

Then I just have to open port 443?
If yes, how can I perform this?
What would be your recommandations?

Many thanks for your help

Bruce5051 · May 16, 2023, 7:54pm

@Farid I cannot test if the TLS Certificate is installed properly or not, as Port 443 is not Open from my perspective.

Kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist.

rg305 · May 16, 2023, 7:54pm

Within the AWS control panel.

Farid · May 16, 2023, 7:56pm

@rg305 according to AWS Lightsail, the port 443 is open:

Bruce5051 · May 16, 2023, 7:59pm

However this is what I see from my location (IPv4 only from my ISP).

443/tcp closed https

$ nmap -4 -Pn -p22,53,80,443,8443,8447 venus-dating.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-16 19:58 UTC
Nmap scan report for venus-dating.com (35.181.129.231)
Host is up (0.16s latency).
Other addresses for venus-dating.com (not scanned): 2a05:d012:890:6e00:ad30:705e:dd26:64ec
rDNS record for 35.181.129.231: ec2-35-181-129-231.eu-west-3.compute.amazonaws.com

PORT     STATE  SERVICE
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
443/tcp  closed https
8443/tcp open   https-alt
8447/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Now the certificate being served on Port 8443 is

$ openssl s_client -showcerts -servername venus-dating.com -connect venus-dating.com:8443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = compassionate-cori.35-181-129-231.plesk.page
verify return:1
---
Certificate chain
 0 s:CN = compassionate-cori.35-181-129-231.plesk.page
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 15 08:42:36 2023 GMT; NotAfter: Aug 13 08:42:35 2023 GMT
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgISBPy6hfWSGFGiLsAuPuXGe0mSMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzA1MTUwODQyMzZaFw0yMzA4MTMwODQyMzVaMDcxNTAzBgNVBAMT
LGNvbXBhc3Npb25hdGUtY29yaS4zNS0xODEtMTI5LTIzMS5wbGVzay5wYWdlMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAycO6eBJB87h6yH/xhQpgC3SD
aRaiDzKvKo7AnN3JNhy2XaHxy4E3aCR2q7EFKl2sOSZ8XiJhRPdF9imLeIkfC4so
EMKmbwGFycv0WWuoYOm7KqSYBNNRE1OUVvvPA3OJhUxz5mymnYE/RspRRb1MFljo
q843Q8x816+Q4PZikR2sZLhp7zX76mVm4WZlHVEvklI4+99kJOw2gYyushIFpp0F
dW0at0Bk2S6/rqz5ZB33gQLG1E25xOLvywkJTIaud8PhXO6RD+VClXqyCbVD9GsR
p6PVAznJ6SAi5y+zn9kQJyQmCthCqrtgOmaacaq6rzsmfh0qhH81rJAHjvJ4JwID
AQABo4ICaTCCAmUwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSbJKCF/SAFa4qA9nWt
jWpGg8cfbzAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEF
BQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggr
BgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzA3BgNVHREEMDAugixjb21w
YXNzaW9uYXRlLWNvcmkuMzUtMTgxLTEyOS0yMzEucGxlc2sucGFnZTBMBgNVHSAE
RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw
Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQYGCisGAQQB1nkCBAIEgfcEgfQA8gB3
ALc++yTfnE26dfI5xbpY9Gxd/ELPep81xJ4dCYEl7bSZAAABiB7KVogAAAQDAEgw
RgIhAP/9tE02dAlaudaF7L4EZoBQwg3tMafEWiOANPQeV01XAiEA3r+j1a+zhVJ9
vI4wcuZDXU/aBMSEyVfS92RacHYIWAAAdwB6MoxU2LcttiDqOOBSHumEFnAyE4VN
O9IrwTpXo1LrUgAAAYgeylaoAAAEAwBIMEYCIQDgZ0t6yUFO/Is7qTLMN+juyQlK
7duAB5WcFrrDnJHoFgIhAO+Ea6Ww2O1aA+JdGiDGJWQL3kA5ANjRejGDCbW8ySto
MA0GCSqGSIb3DQEBCwUAA4IBAQB5+YXP2NbJ2zbar3/VZ3AXiYaXtwRcspEaGJr5
CnLJGBIc8dpt5ImrvrF+GBzt0qLESEK9lW3yoJdorWo8LoO5iNePctbip6JmEHzV
taycgrGe2gJI2meQE5iSTVxfP5/7IHSTLyIGOBEkACjWyHYm6LOPXcfWpCONUv+M
xO4LRkKRPlXx/fykpBnD6BtvzYPoiFAMRl4adJ1neJkWbYu5qYfoiHoXIekr2S8J
q5igKYlqAX1b6uKtiEdecIirHvoNXjuT/rNELY51U7hkc2nUWGNEvob54uSnYHg+
UpV1IEf9ozpYTG3JOiJhH5wQo+6rLPFt1Lf5dTUSiXeaDwmj
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
---
Server certificate
subject=CN = compassionate-cori.35-181-129-231.plesk.page
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4636 bytes and written 398 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

Farid · May 16, 2023, 8:15pm

Alright!
I ran the command below but port 443 is still closed....

rg305 · May 16, 2023, 8:16pm

Please show:
netstat -pant | grep -i listen

Osiris · May 16, 2023, 8:19pm

Closed just means there isn't an application listening on that port.

Farid · May 16, 2023, 8:19pm

PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain

tcp6 0 0 :::106 :::* LISTEN -

tcp6 0 0 :::4190 :::* LISTEN -

tcp6 0 0 :::80 :::* LISTEN -

tcp6 0 0 :::143 :::* LISTEN -

tcp6 0 0 :::8443 :::* LISTEN -

tcp6 0 0 :::7080 :::* LISTEN -

tcp6 0 0 :::7081 :::* LISTEN -

tcp6 0 0 :::995 :::* LISTEN -

tcp6 0 0 :::993 :::* LISTEN -

tcp6 0 0 :::8880 :::* LISTEN -

tcp6 0 0 fe80::4f1:4cff:fe3e::53 :::* LISTEN -

rg305 · May 16, 2023, 8:20pm

So... nothing has been set to listen on 443.

Farid · May 16, 2023, 8:27pm

So, what should I do?

Topic		Replies	Views
Certificate not installing Help	4	1523	March 19, 2020
Cant validate data Help	3	741	May 17, 2018
Cannot install SSL Certificate Help	10	1448	October 5, 2020
Could not issue a Let's Encrypt SSL/TLS certificate for AWS Lightsail Plesk Server Help	13	4944	July 10, 2020
Repeatedly https not working on Plesk Help	7	1938	March 1, 2019

Install SSL certificate issue

Related topics