Certificate renewal under Plesk


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: anoukis-m.com

I ran this command: in Plesk I clicked the renew button (automatic renewal does not work either)

It produced this output:
Erreur: Impossible d’émettre le certificat SSL/TLS Let’s Encrypt pour anoukis-m.com . Échec de l’autorisation pour le domaine.
Détails

Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/f8bm9rcaGv_Lei-uDMICgojEpHbUPKAntG1As3hQBRw.
Details:
Type: urn:acme:error:connection
Status: 400
Detail: Fetching http://www.anoukis-m.com/.well-known/acme-challenge/-nmyEUyGsHbQJqK2LkRkAmF47n-_R5NJfDqyh7gLHvY: Error getting validation data

My web server is (include version): Plesk

The operating system my web server runs on is (include version): CentOS 6.10

I can login to a root shell on my machine (yes or no, or I don’t know): yes (but I’m a beginner at this)

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk 17.8.11

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 2.7.3-474


#2

Hi @Nono66

you have IPv4 and IPv6 addresses (checked with https://check-your-website.server-daten.de/?q=anoukis-m.com ):

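| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| anoukis-m.com | A | 188.165.250.201 | yes | 2 | 0 |
| | AAAA | 2001:41d0:2:c5c9:: | yes | | |
| www.anoukis-m.com | C | anoukis-m.com | yes | 1 | 0 |
| | A | 188.165.250.201 | yes | | |
| | AAAA | 2001:41d0:2:c5c9:: | yes | | |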

But your IPv6 doesn’t work:

| Domainname | IP | Http-Status | redirect | Sec. | G | Details |
|---|---|---|---|---|---|---|
| http://anoukis-m.com/ | 188.165.250.201 | 301 | http://www.anoukis-m.com/ | 0.050 | D | |
| http://www.anoukis-m.com/ | 188.165.250.201 | 301 | https://www.anoukis-m.com/ | 1.350 | A | |
| http://anoukis-m.com/ | 2001:41d0:2:c5c9:: | -14 | | 10.016 | T | Timeout - The operation has timed out |
| http://www.anoukis-m.com/ | 2001:41d0:2:c5c9:: | -14 | | 10.030 | T | Timeout - The operation has timed out |
| https://anoukis-m.com/ | 188.165.250.201 | 301 | https://www.anoukis-m.com/ | 0.513 | B | |
| https://anoukis-m.com/ | 2001:41d0:2:c5c9:: | -14 | | 10.026 | T | Timeout - The operation has timed out |
| https://www.anoukis-m.com/ | 188.165.250.201 | 200 | | 1.237 | I | |
| https://www.anoukis-m.com/ | 2001:41d0:2:c5c9:: | -14 | | 10.010 | T | Timeout - The operation has timed out |
| http://anoukis-m.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 188.165.250.201 | 301 | http://www.anoukis-m.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.050 | D | Visible Content: Moved Permanently The document has moved here . |
| http://anoukis-m.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2001:41d0:2:c5c9:: | -14 | | 10.026 | T | Timeout - The operation has timed out. Visible Content: |
| http://www.anoukis-m.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 188.165.250.201 | 404 | | 0.050 | A | Not Found. Visible Content: 404 Not Found Not Found The requested document was not found on this server. Web Server at anoukis-m.com |
| http://www.anoukis-m.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2001:41d0:2:c5c9:: | -14 | | 10.024 | T | Timeout - The operation has timed out |

IPv4 has a (correct) HTTP status 404 (Not Found). But IPv6 has a timeout.

Is there a firewall? Is IPv6 configured?

If not, remove the IPv6 AAAA DNS entry.


#3

Thanks for the answer.

  • I don’t have a firewall.
  • I think IPv6 is configured: I can ping6 2001:41d0:2:c5c9:: from another server, and the ping is OK.
  • I tried to remove IPv6 for the domain (AAAA too), but the renewal does not work any better … maybe the renewal takes its information from the secondary DNS first?

I haven’t changed anything on the server since the last renewal, and all renewals (anoukis-m.com, geneworld.net, mangavortex.com, …) are broken.

I can’t tell whether my version of Let’s Encrypt is the latest one … it’s the latest that Plesk gives me, but maybe not the latest one?


#4

Ping isn’t enough. Your webserver doesn’t work.

10 seconds without an answer -> timeout. Your IPv4 answers in 0,05 seconds.
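The check discussed in the posts above, a TCP connection to port 80 on every published A and AAAA address rather than a ping, as an added example that is not part of the original thread. The function names `resolve`, `probe` and `check_http01` are assumptions made for this sketch.

```python
import socket
import sys

def resolve(host, port=80):
    """Return the addresses the system resolver finds, grouped by record type."""
    found = {"A": [], "AAAA": []}
    for family, rtype in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type
        for info in infos:
            if info[4][0] not in found[rtype]:
                found[rtype].append(info[4][0])
    return found

def probe(addr, port=80, timeout=10.0):
    """Try a TCP connection to the web port; ping/ping6 cannot show this."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((addr, port))
        return "ok"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return "error: %s" % exc

def check_http01(host, resolver=resolve, prober=probe):
    """Probe every published address; any failure can break validation."""
    records = resolver(host)
    results, problems = {}, []
    for rtype in ("AAAA", "A"):  # AAAA first: the thread notes IPv6 is preferred
        for addr in records[rtype]:
            results[addr] = prober(addr)
            if results[addr] != "ok":
                problems.append("%s %s -> %s" % (rtype, addr, results[addr]))
    return results, problems

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_http01.py <hostname>")
    results, problems = check_http01(sys.argv[1])
    for addr, state in results.items():
        print(addr, state)
    sys.exit(1 if problems else 0)
```

Run it from a machine outside the server's own network, since a local connection can succeed where an external one is filtered.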


#5

Are you talking about Apache?

Apache “Listen 80”

In the virtualhost I have: <VirtualHost [2001:41d0:2:c5c9::]:80 >
same for :443 and same for IPv4


#6

That looks good.

I see you rechecked your domain ( https://check-your-website.server-daten.de/?q=anoukis-m.com ).

My tool doesn’t see your IPv6 webserver.

And Let’s Encrypt prefers IPv6, so this error is critical.

Or: Remove your IPv6 entry, create a new certificate, add the IPv6 and try to fix it.

But your IPv4 is blocked:

ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 188.165.250.201:443

That looks like a firewall.


#7

I tried to modify the Apache configuration file, but I made an error and broke the IPv4 connection; after a rollback, IPv4 is good again in the recheck for the domain.
I’m going to try without IPv6 because I don’t see why IPv6 connections are blocked :frowning:
Thanks for your help (and sorry for my English).


#8

If I remove IPv6 for the domain, should I delete the certificate and create a new one, or can I renew the old one?


#9

I tried on another domain: when I remove IPv6 and wait for the synchronisation of the two DNS servers, I can create a new certificate.


#10

Don’t delete a certificate.

Try to create a new one.