Installing Let's Encrypt SSL Through Plesk

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tac.email

I ran this command: install script through plesk

It produced this output: Started issuing a wildcard SSL/TLS certificate from Let's Encrypt for the domain tac.email.

Please wait while Plesk finishes adding a DNS record with the following parameters:
Record type: TXT
Domain name: _acme-challenge.tac.email
Record: 3DzlkkU4sfke3TfRnz19C4BPH0wYuiphJBPGCnsyS4A

To terminate and delete the existing certificate request, click "Cancel".

Before clicking "Reload", make sure that the DNS record was added and can be resolved externally.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Ionos

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

What exactly is your question?

Also, you seem to have gotten issued a wildcard certificate 9 days ago. What was wrong with that one or what happened to it?

4 Likes

My question is why do I keep getting "certificate not valid" when I visit the domain. About the wildcard, I don't know; I am new to this. All I did was install it through the Plesk control panel, and the error above is what I get when trying to install. That's my problem.

This is what I get:

  • [2023-04-18 20:26:10.238] 102274:643efce2396dc ERR [extension/letsencrypt] The execution of cli.php has failed with the following message:
    [2023-04-18 20:26:10.198] 102279:643efce15fc9d ERR [extension/letsencrypt] Domain validation failed for www.tac.email: Failed to retrieve authorization for 'www.tac.email'
    [2023-04-18 20:26:10.205] 102279:643efce15fc9d ERR [extension/letsencrypt] Domain validation failed: Failed to retrieve authorization for 'www.tac.email'
    Failed to retrieve authorization for 'www.tac.email'
    The execution of cli.php has failed with the following message:
    [2023-04-18 20:26:10.198] 102279:643efce15fc9d ERR [extension/letsencrypt] Domain validation failed for www.tac.email: Failed to retrieve authorization for 'www.tac.email'
    [2023-04-18 20:26:10.205] 102279:643efce15fc9d ERR [extension/letsencrypt] Domain validation failed: Failed to retrieve authorization for 'www.tac.email'
    Failed to retrieve authorization for 'www.tac.email'

Because your server is not serving an issued certificate; this certificate is self-signed.
Please configure your server to use the issued certificate and restart the server or the service.

$ openssl s_client -showcerts -servername tac.email -connect tac.email:443 < /dev/null
CONNECTED(00000003)
depth=0 C = CH, L = Schaffhausen, O = Plesk, CN = Plesk, emailAddress = info@plesk.com
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = CH, L = Schaffhausen, O = Plesk, CN = Plesk, emailAddress = info@plesk.com
verify return:1
---
Certificate chain
 0 s:C = CH, L = Schaffhausen, O = Plesk, CN = Plesk, emailAddress = info@plesk.com
   i:C = CH, L = Schaffhausen, O = Plesk, CN = Plesk, emailAddress = info@plesk.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr 17 04:49:21 2023 GMT; NotAfter: Apr 16 04:49:21 2024 GMT
---
Server certificate
subject=C = CH, L = Schaffhausen, O = Plesk, CN = Plesk, emailAddress = info@plesk.com
issuer=C = CH, L = Schaffhausen, O = Plesk, CN = Plesk, emailAddress = info@plesk.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1454 bytes and written 391 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
DONE
1 Like

Yet using the online tool SSL Server Test (Powered by Qualys SSL Labs) shows "Alternative names competent-gauss.198-71-63-158.plesk.page MISMATCH"; results here: SSL Server Test: tac.email (Powered by Qualys SSL Labs)

So there are at least 2 domain names, tac.email and competent-gauss.198-71-63-158.plesk.page, presently mapping to the IPv4 address of 198.71.63.158; that is not a problem. But make sure the server is correctly set up to get certificates for the correct domain name.

$ nslookup competent-gauss.198-71-63-158.plesk.page
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   competent-gauss.198-71-63-158.plesk.page
Address: 198.71.63.158
$ nslookup tac.email
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   tac.email
Address: 198.71.63.158

How do I configure the server to use the certificate? Also, when I go to the Let's Encrypt add-on and I click install, I get this message:

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/220545289987.

Details:

Type: urn:ietf:params:acme:error:dns

Status: 400

Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.tac.email - check that a DNS record exists for this domain

https://i.imgur.com/BFOnkzo.png

For general nginx information you might find nginx documentation and https://forum.nginx.org/ helpful.

For DNS-01 challenge please read Challenge Types - Let's Encrypt
and a list of DNS providers who easily integrate with Let's Encrypt DNS validation

1 Like
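
The NXDOMAIN error in this thread means the validation server found no TXT record at _acme-challenge.tac.email. The following is an added example, not code from the thread or from Plesk, of the check Plesk asks for before "Reload": it queries the zone's name servers and two public resolvers and compares the answer with the expected value. Function names and the resolver list are assumptions; a wildcard order that also includes the base name places two TXT values at the same name, so a match on any record counts.

```shell
#!/bin/sh
# DNS-01 pre-check: is the expected TXT value visible from outside?
# Function names and the resolver list are choices made for this example.

# txt_matches EXPECTED: reads `dig +short TXT` output on stdin (one quoted
# string per record) and succeeds if any record equals EXPECTED.
txt_matches() {
    expected=$1
    found=1
    while IFS= read -r line; do
        value=$(printf '%s' "$line" | sed 's/^"//; s/"$//')
        if [ "$value" = "$expected" ]; then found=0; fi
    done
    return "$found"
}

# classify_txt EXPECTED: same input; prints ok, missing or mismatch.
# An empty answer is what dig prints for NXDOMAIN or for no TXT data.
classify_txt() {
    answer=$(cat)
    if [ -z "$answer" ]; then
        echo missing
    elif printf '%s\n' "$answer" | txt_matches "$1"; then
        echo ok
    else
        echo mismatch
    fi
}

# check_challenge DOMAIN EXPECTED: asks the zone's own name servers and two
# public resolvers, one result line per server.
check_challenge() {
    name="_acme-challenge.$1"
    for server in $(dig +short NS "$1") 1.1.1.1 8.8.8.8; do
        result=$(dig +short TXT "$name" "@$server" | classify_txt "$2")
        echo "$server $name $result"
    done
}

# Usage: sh check.sh tac.email <value shown by Plesk>
if [ "$#" -ge 2 ]; then
    check_challenge "$1" "$2"
fi
```

Click "Reload" only when every line reports `ok`; `missing` on the zone's own name servers means the record was never published there.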

The current cert doesn't cover the "www" name:
SSL Server Test: tac.email (Powered by Qualys SSL Labs)
SSL Server Test: www.tac.email (Powered by Qualys SSL Labs)

3 Likes
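
A certificate covers a hostname only if one of its subjectAltName entries matches it, and a wildcard entry matches exactly one extra label: `*.tac.email` covers www.tac.email but not tac.email, and a certificate for tac.email alone does not cover www. The following is an added example, not code from the thread, that reports which hostnames a SAN list leaves uncovered; the function names are assumptions, and `served_sans` needs network access and OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# san_covers SAN HOST: succeeds if one subjectAltName DNS entry covers HOST.
# A leading "*." matches exactly one label; everything else must be equal.
san_covers() {
    san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $san in
        '*.'*)
            base=${san#'*.'}
            first=${host%%.*}    # leftmost label of the host
            rest=${host#*.}      # host without its leftmost label
            [ -n "$first" ] && [ "$rest" != "$host" ] && [ "$rest" = "$base" ]
            ;;
        *)  [ "$san" = "$host" ] ;;
    esac
}

# uncovered_names "SAN SAN ..." HOST...: prints the hosts no SAN covers.
# Runs in a subshell with globbing off so "*.tac.email" is never expanded
# against file names in the current directory.
uncovered_names() (
    set -f
    sans=$1; shift
    missing=
    for h in "$@"; do
        ok=1
        for s in $sans; do
            if san_covers "$s" "$h"; then ok=0; break; fi
        done
        [ "$ok" -eq 0 ] || missing="$missing $h"
    done
    echo "${missing# }"
)

# served_sans HOST: SAN DNS names of the certificate the server presents.
served_sans() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | tr '\n' ' '
}
```

For a live check, `uncovered_names "$(served_sans tac.email)" tac.email www.tac.email` prints the names that would trigger a browser warning.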
