Plesk wildcard certificate renewal fails

OS: Ubuntu 14.04.5 LTS
Plesk Onyx Version 17.8.11 Update #20
Let’s Encrypt: Version: 2.6.1-398

Hello,
I have problems with the renewal of all my wildcard domains.
The _acme-challenge TXT entry is set correctly and also can be resolved externally e.g. MX Toolbox.
When I press “Continue” I get an error which says that an incorrect TXT record was found. I don’t have any idea where this record comes from, definitely not from the domain’s _acme-challenge TXT record:

Where can I find this invalid TXT record?

Hi @Neverlands

please share the list of your domain names you want to have in one certificate.

In “Help”, there is a list of questions:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Moved to “Help”

Hello Jürgen,

thanks for your quick reply!

My domain is: neverlands.at

I ran this command: Directly from Plesk interface -> Domains -> Let’s Encrypt

It produced this output: see screenshot in first post

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 14.04.5 LTS

My hosting provider, if applicable, is: Host Europe

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Onyx Version 17.8.11 Update #20

One of my wildcard domains (*.neverlands.at) includes:

Additionally the certificate is used for mail.neverlands.at and webmail.neverlands.at.

Your nameserver entry:

nslookup -type=txt _acme-challenge.neverlands.at.
_acme-challenge.neverlands.at text =

   "4nNiBbbuFd3bqHvh6T0cDNGFMi-lm5Rh1Jff69kTlYM"

If you want to use one certificate with *.neverland.at neverland.at, you have to create two dns txt entries with the same name

_acme-challenge.neverland.at

not only one entry. Letsencrypt checks all TXT entries with this name to see if there is one with the correct value.

But if you create only one entry and change the value, that can't work.

Hello Jürgen,

what should the second _acme-challenge record contain?
If I set up a second one manually with a random value it gets deleted during the Let’s Encrypt renewal process.

I have to split up my posts because I only can use one image at a time.

Here is what I do:


Step 1:

As soon as I press the “Renew” button the manually set, second _acme-challenge record entry gets deleted.

Step 2:

Then I check if the new record is there and can be resolved externally:

Step 3:

I once again add a second TXT record manually with random content:

MXTools:

Step 4:

Whether or not I add a second record I receive an error message after pressing the “Continue” button:

Let’s Encrypt says it found an incorrect _acme-challenge record that matches neither the one it set itself nor the one I manually added before. So it must be looking at another place.

That’s terrible.

You have three active certificates created.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:neverlands.at&lu=cert_search

  1. One only with neverlands.at (03.08.2018)
  2. one with *.neverlands.at neverlands.at (13.07.2018)
  3. one with neverlands.at webmail.neverlands.at www.neverlands.at (04.07.2018)

And you use (2). Did you create all certificates via Plesk?

So one time it worked. Is it possible that there is a list of all active certificates? So you can delete (1) + (3)?

It’s also possible that there is an internal error. If you want a certificate (2), it’s not allowed that the certificate has a third name like www.neverlands.at.

There are curious things:

Your domain:

nslookup -type=txt _acme-challenge.neverland.at.
_acme-challenge.neverland.at    text =

        "11193eb3248b065ba852889311358195e9f21ed6"
_acme-challenge.neverland.at    text =

        "v=spf1 -all"

My own domain with the last working txt entry:

nslookup -type=txt _acme-challenge.server-daten.de.
_acme-challenge.server-daten.de text =

        "d0xivWiWzkAOK5osbODQw6JDUsygUE3bEMTfNvdp4Cc"

First, you also have an SPF record under _acme-challenge. Second, your TXT entry

"11193eb3248b065ba852889311358195e9f21ed6"

looks like it is only a hex-encoded string. But this is wrong. This must be a base64url-encoded string, like

"d0xivWiWzkAOK5osbODQw6JDUsygUE3bEMTfNvdp4Cc"

Is there an update?

PS:

if you want one certificate with two domain names *.neverland.at neverland.at, you get two challenges, so there are two challenge tokens (long random values).

So the Letsencrypt-client has to create two entries

_acme-challenge.neverland.at

with two computed values: Token + Hash value of the public key -> SHA256 -> base64url.

Different token -> different values.
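The derivation sketched above and the point made earlier that all TXT entries with the same name are checked, as an added worked example that is not from this thread, Plesk or the Let’s Encrypt client: per RFC 8555 section 8.4 the TXT value is base64url(SHA-256(token "." thumbprint)), where the thumbprint is the RFC 7638 SHA-256 thumbprint of the account public key. The account JWK below is constructed (its coordinates are not a real curve point), and the tokens are made up; both are sample values only.

```python
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (lexicographic order, no whitespace). Extra members
    such as 'kid' or 'use' and the input key order do not change the result."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(keyAuthorization)),
    keyAuthorization = token + "." + thumbprint(accountKey)."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """'*.example.org' and 'example.org' share one record name: the wildcard
    label is dropped, so both challenges live under the same owner name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def expected_txt_values(tokens_by_identifier: dict, jwk: dict) -> dict:
    """Map record name -> list of TXT values that must all be published
    at the same time (one per challenge, even when names collide)."""
    out: dict = {}
    for identifier, token in tokens_by_identifier.items():
        out.setdefault(challenge_record_name(identifier), []).append(
            dns01_txt_value(token, jwk))
    return out


def dns01_record_satisfied(txt_values, expected: str) -> bool:
    """The validator fetches every TXT string at the name and succeeds if any
    one of them equals the expected value; unrelated strings (an SPF record,
    a stale value from an earlier run) do not by themselves cause failure."""
    return any(v == expected for v in txt_values)


def looks_like_dns01_value(value: str) -> bool:
    """A base64url SHA-256 digest is exactly 43 chars of [A-Za-z0-9_-];
    a 40-char hex string is some other encoding and can never match."""
    return re.fullmatch(r"[A-Za-z0-9_-]{43}", value) is not None


# Constructed sample account key: P-256 JWK shape with made-up coordinates.
# The thumbprint only hashes the JSON, so no real curve point is needed here.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "kid": "https://acme.invalid/acct/1",  # hypothetical extra member
}

# Constructed tokens for the two challenges of a "*.example.org example.org" order.
SAMPLE_TOKENS = {
    "*.example.org": "token-for-wildcard-constructed-0001",
    "example.org": "token-for-apex-constructed-0002",
}

if __name__ == "__main__":
    for name, values in expected_txt_values(SAMPLE_TOKENS, SAMPLE_JWK).items():
        for v in values:
            print(f'{name}. IN TXT "{v}"')
```

Running the block prints two TXT lines with the same owner name and different values; a client that replaces the first record with the second instead of adding it leaves one of the two authorizations unsatisfiable.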

Hello Jürgen,
in the meantime I’ve been able to find the solution.
It was all about waiting… I had seen that Let’s Encrypt always found an “incorrect” _acme-challenge record that was one of the old ones that it had set hours before.
So I started the renewal, waited some hours and then finished the process - that was it. Did it with all my other domain wildcards too. Somehow the Let’s Encrypt service gets the new record information much later - even if the record already can be found in other services like MX Tools.

Btw. there is still only one _acme-challenge record in the top level domain DNS records which seems to be the way it should be - Let’s Encrypt deletes all other entries during the renewal process anyway …

Many thanks for your efforts,
best regards,
Neverlands


Thanks. Letsencrypt checks the authoritative name server, so the new values should be visible.

But - it works, that's good! :wink:
