Plesk Plugin cannot renew .app TLD

My domain is:

I ran this command: Plesk Plugin to Renew Cert

It produced this output:

Error: Could not issue a Let's Encrypt SSL/TLS certificate for  **** .

The authorization token is not available at
To resolve the issue, make sure that the token file can be downloaded via the above URL.
[See the related Knowledge Base article for details.](

Invalid response from
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Invalid response from []: "<HTML>\n<HEAD>\n<TITLE>404 Not Found</TITLE>\n<BASE href=\"/error_docs/\"><!--[if lte IE 6]></BASE><![endif]-->\n</HEAD>\n<BODY>\n<H1>No"

My web server is (include version):

The operating system my web server runs on is (include version): CentOS Linux 7.2.1511 (Core)‬

My hosting provider, if applicable, is:

I can login to a root shell on my machine: Yes

I’m using a control panel to manage my site: Plesk 12.5.30 Update #79

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

So I realize that this .app TLD has special features of somehow getting added automatically to the HSTS preload list. Reading some docs and info on Let’s Encrypt, I was hoping that my Apache settings might allow the renewal over https, but that is not the case.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*)$1 [R=301,L]

I guess my question is what would be the best way for me to renew? Should I try and figure out the manual method?

TIA, Eric

Hi @EricElf

have http and https the same DocumentRoot?

The Letsencrypt client creates a file in http + /.well-known/acme-challenge. But Letsencrypt follows redirects. So if the https vHost has another DocumentRoot, it’s impossible.

Add an exception, so /.well-known/acme-challenge isn’t redirected to https.

1 Like


Do you own this Plesk server?
If so, you might want to upgrade your Plesk to Plesk Onyx, which has better features and are the current version…

Did you try to follow the KB provided in that response? (

Did you edit any virtual host (website) configuration manually (i mean, not through the Plesk interface)?

Thank you

@JuergenAuer, @stevenzhu first thanks for the quick replies!

Some more info. I’m running a VPS on 1and1 (Ionos). I’m not really a server guy and hope I’m not wasting your time. I have 5+ other sites on this server with LE working fine (several years), but this site does have 2 differences from those others:

  • I did change the DocumentRoot via Plesk to be at /httpdocs/www as opposed to /httpdocs for my other sites. Perhaps this broke some coordination between the LE plugin and the webserver.
  • This is the only .app TDL I’m using and I know that they are supposed to default to SSL when requested by a browser. I have no idea what impact this has for the update process.

After the reported renewal failure, I tried the renewal without the rewrite rule, because I know for a fact that to create the initial certificates I cannot have this rule in there. After more searching, I decided that the rewrite rule might be required for the renewal and added it back in.

@JuergenAuer Yes the document roots are the same for http and https. Because HSTS I cannot request http from a browser. But wget returns the same minimal index.html page with or without my rewrite rule (with the rule I see the 301).

@stevenzhu I just now looked through the KB article. My assumption has been that this must be an issue with the .app TLD. I realize that this is an old version of Plesk. I license Plesk from 1and1. Unsure if I could upgrade or may need to start over with a new VPS package. All my configuration has been through the Plesk interface.

Does this info help at all? Eric


Then you should ask in the Plesk forum. That should not happen, but maybe it’s a bug there.

That’s not relevant. *.app is preloaded, that’s excellent. But that affects only browsers, not tools like Letsencrypt.

Minimal http (without a redirect) should work. The rewrite rule isn’t required.

One hour earlier, there were two redirects ( ):

http -> https and https + www -> https + non-www.

Perhaps create a test file in /.well-known/acme-challenge and check that file directly.

1 Like

@JuergenAuer With the information, you have supplied, I was able to get the cert updated. I revised the Document Root back to httpdocs, then the update worked via the Plesk plugin.

I’m now wondering if I generated the cert with that document root, then updated it later thus confusing the configuration.

Thanks for your time! Eric


Sounds like a bug if this is required.

1 Like