Error: Could not issue a Let's Encrypt SSL/TLS certificate for **seline.app**.
The authorization token is not available at http://seline.app/.well-known/acme-challenge/5uwFzlcEua8SulfP8nRemNHu0XKVhuesbTciiPoE3cU.
To resolve the issue, make sure that the token file can be downloaded via the above URL.
[See the related Knowledge Base article for details.](https://support.plesk.com/hc/en-us/articles/115000165013)
Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/uRl43xyhRxLm4nyU7o2HngqctOc4ZJqTkm5ABj1mZ6I.
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Invalid response from http://seline.app/.well-known/acme-challenge/5uwFzlcEua8SulfP8nRemNHu0XKVhuesbTciiPoE3cU [70.35.199.155]: "<HTML>\n<HEAD>\n<TITLE>404 Not Found</TITLE>\n<BASE href=\"/error_docs/\"><!--[if lte IE 6]></BASE><![endif]-->\n</HEAD>\n<BODY>\n<H1>No"
My web server is (include version):
The operating system my web server runs on is (include version): CentOS Linux 7.2.1511 (Core)
My hosting provider, if applicable, is:
I can login to a root shell on my machine: Yes
I’m using a control panel to manage my site: Plesk 12.5.30 Update #79
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
So I realize that this .app TLD has special features of somehow getting added automatically to the HSTS preload list. Reading some docs and info on Let’s Encrypt, I was hoping that my Apache settings might allow the renewal over https, but that is not the case.
```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://seline.app$1 [R=301,L]
```
I guess my question is what would be the best way for me to renew? Should I try and figure out the manual method?
The Letsencrypt client creates a file in http + /.well-known/acme-challenge. But Letsencrypt follows redirects. So if the https vHost has another DocumentRoot, it's impossible.
Add an exception, so /.well-known/acme-challenge isn't redirected to https.
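The exception described above, written against the rewrite rule from the question. This is an added example, not part of the original reply and not Plesk's generated configuration. It assumes the directives sit in the port-80 virtual host or in an `.htaccess` file, and it builds the redirect target from `%{REQUEST_URI}` instead of `$1` so the result is the same in both contexts.

```apache
RewriteEngine On

# HTTP-01 validation always starts with a plain-HTTP request on port 80.
# The validation server is not a browser, so the HSTS preload list for
# .app has no effect on it.

# Exception: requests for challenge tokens are never redirected, so they
# are answered from the DocumentRoot of the port-80 virtual host.
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/

# Everything else that arrived over plain HTTP goes to HTTPS.
# Consecutive RewriteCond lines are ANDed, so both must match.
RewriteCond %{HTTPS} off
RewriteRule ^ https://seline.app%{REQUEST_URI} [R=301,L]
```

The exception only keeps the request on port 80; the token is still served only if the ACME client writes it under the DocumentRoot that this virtual host actually uses. A non-browser client such as `wget` can confirm this by requesting a test file placed in `.well-known/acme-challenge/` over `http://` and checking that the response is a 200, not a 301 or 404.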
Some more info. I’m running a VPS on 1and1 (Ionos). I’m not really a server guy and hope I’m not wasting your time. I have 5+ other sites on this server with LE working fine (several years), but this seline.app site does have 2 differences from those others:
1. I did change the DocumentRoot via Plesk to be at /httpdocs/www as opposed to /httpdocs for my other sites. Perhaps this broke some coordination between the LE plugin and the webserver.
2. This is the only .app TLD I’m using and I know that they are supposed to default to SSL when requested by a browser. I have no idea what impact this has for the update process.
After the reported renewal failure, I tried the renewal without the rewrite rule, because I know for a fact that to create the initial certificates I cannot have this rule in there. After more searching, I decided that the rewrite rule might be required for the renewal and added it back in.
@JuergenAuer Yes, the document roots are the same for http and https. Because of HSTS I cannot request http from a browser. But `wget seline.app:80` returns the same minimal index.html page with or without my rewrite rule (with the rule I see the 301).
@stevenzhu I just now looked through the KB article. My assumption has been that this must be an issue with the .app TLD. I realize that this is an old version of Plesk. I license Plesk from 1and1. Unsure if I could upgrade or may need to start over with a new VPS package. All my configuration has been through the Plesk interface.
@JuergenAuer With the information you have supplied, I was able to get the cert updated. I revised the Document Root back to httpdocs, then the update worked via the Plesk plugin.
I’m now wondering if I generated the cert with that document root, then updated it later thus confusing the configuration.