Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: test.rafik.sch.id
My web server is (include version): reverse proxy nginx-apache
nginx version: nginx/1.20.2
The operating system my web server runs on is (include version): CloudLinux 7.9 x86_64
My hosting provider, if applicable, is: Plesk Obsidian 126.96.36.199
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Obsidian 188.8.131.52
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Using SSL It
For more than 3 months I've tried to issue a domain in Plesk Panel using SSL It!, well known as Let's Encrypt, but I've had trouble like: firewall, lookup of AAAA records instead of the A record. I don't use IPv6. The domains I tried are: .COM, .ORG, .SCH.ID, .ID.
I tried the following to make sure that the firewall is already turned off and ports 80 and 443 are open. I still can't issue Let's Encrypt. The A record and nameserver are already pointed at our server. You can check the attachment as an image.
I've got a response from the Plesk development team.
It was verified that:
- Let's Encrypt is working
- The latest versions of the SSL It! and Let's Encrypt extensions are installed on the server
- DNS server is operational. No errors were found in regards to the domain test.example.sch.id in BIND logs on Plesk server
- Subdomain sub.example.sch.id is resolving correctly
- No similar cases reported to us previously.
Additionally, from the Let's Encrypt debug you could see that the domain is resolved but it failed on the step LetsEncryptStaging:
Let's Encrypt uses the libunbound library for checks. libunbound is located on the Let's Encrypt / Let's Debug servers, not on the Plesk server.
The library requests all DNS servers in a chain, starting from the root servers. For the domain example.com, DNS resolution works in the following way:
- It starts from "root" servers, to get who is responsible for ".sch.id" zone
- then ".sch.id" is resolved from servers responsible for ".sch.id" zone
- then "example.sch.id" is resolved from servers responsible for "sch.id"
- then "sub.example.sch.id" is resolved from servers responsible for "example.sch.id"
DNS resolution can fail at any stage, including ".id" zone servers, you could see it in the attached log.
Network stability for UDP/TCP connections from Let's Encrypt servers to DNS servers (root DNS servers, ".id" zone server, "sch.id" zone server, your server) also matters. Troubleshooting of the network should be performed by the server administrator.
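The per-server UDP/TCP check that the quoted reply leaves to the administrator can be scripted; the following is an added example, not part of the original post and not Plesk or Let's Encrypt code. It assumes IPv4 addresses of the authoritative servers that you look up yourself, and all function names are hypothetical.

```python
# Added example: helper names are hypothetical; server IPs are supplied by you.
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "AAAA": 28}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def zone_chain(fqdn):
    """Zones walked from the root down: '.', 'id.', 'sch.id.', ..."""
    labels = fqdn.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def build_query(name, qtype, txid=0x1234):
    """Non-recursive (RD=0) query, the kind sent to authoritative servers."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".") if l) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)

def parse_header(resp):
    """Return rcode, AA/TC flags and record counts from a raw DNS response."""
    _, flags, _, ancount, nscount, _ = struct.unpack("!HHHHHH", resp[:12])
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
            "answers": ancount, "authority": nscount}

def probe(server_ip, name, qtype, tcp=False, timeout=3.0):
    """Ask one server over UDP or TCP; failures are returned, not raised."""
    query = build_query(name, qtype)
    try:
        if tcp:
            with socket.create_connection((server_ip, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                resp = s.recv(4096)[2:]  # strip the 2-byte TCP length prefix
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server_ip, 53))
                resp = s.recv(4096)
        return parse_header(resp)
    except (OSError, struct.error) as exc:  # timeout, refusal, short reply
        return {"error": type(exc).__name__}

if __name__ == "__main__":
    # Constructed sample response header: QR=1, AA=1, rcode=3 (NXDOMAIN).
    sample = bytes.fromhex("123484030001000000010000")
    print(zone_chain("sub.example.sch.id"))
    print(parse_header(sample))
```

Run `probe()` for A and AAAA, with `tcp=False` and `tcp=True`, against every nameserver of every zone returned by `zone_chain()`; a timeout or SERVFAIL on the AAAA query at any level is enough to fail validation even when no IPv6 is in use.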