I ran this command: I requested a new Let's Encrypt certificate through Plesk as normal. I have tried this several times over the past two days, each time updating the txt record to the DNS for the domain through my host as advised and waiting for several hours. I recently followed this same process for a different domain and the process worked very smoothly.
It produced this output: Could not issue an SSL/TLS certificate for Littlelumtinperrywall.info
Details
Could not issue a Let's Encrypt SSL/TLS certificate for Littlelumtinperrywall.info. Authorization for the domain failed.
Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/105906683/676670515501
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.Littlelumtinperrywall.info - check that a DNS record exists for this domain
My web server is (include version): Plesk Obsidian 18.0.76 Update #3
Web Host Edition
The operating system my web server runs on is (include version): ubuntu ???
My hosting provider, if applicable, is: Fasthosts, UK
I can login to a root shell on my machine (yes or no, or I don't know): I don't know
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not sure
What did you do to verify the TXT record existed before pressing Continue? The "can be resolved externally" looks like a link with instructions.
Some DNS providers take some time before the newly added TXT record is available world-wide. It is not dependent on TTL propagation but there is still some DNS provider sync of their servers that must occur.
Sometimes this is only 20-30s. Other times it can be a few minutes and in the slowest cases maybe an hour (but that is very rare). This depends solely on the DNS provider (LiveDNS?).
The message says: Please add a DNS record with the following parameters...
So it looks like Plesk doesn't have access to a DNS API and asks the user to manually add the DNS record.
I added / updated the txt item from Plesk Lets encrypt SSL into my DNS record (see attached example) with my domain host each time I requested an SSL but am not sure how to verify the record existed.
So each time I tried to create it, I left the page in Plesk open between a few minutes to a few hours before clicking continue. Yesterday, I tried to create the SSL mid afternoon, updated the DNS record and left it overnight - probably 12 hours. When I logged back in today and clicked continue, I checked the list of SSLs and it still hadn't been added.
I'm comparing it with an ssl I created for another domain recently. Once the dns had updated to point to my server, I created the wordpress environment for it and then created the SSL for it immediately after, and it worked. Same domain host, same web server (Plesk) same cert (Lets go).
I am wondering if it's something to do with the domain extension. This one is a .info where the successful one was a .co.uk
So are you saying I should try to create the SSL again, update the txt record in my DNS record with my domain host (as I have been) but then check the txt record has been added via somewhere else ??? I'm guessing if it hasn't in a week, I should contact my domain host as that could be the issue ??
Sounds like you have waited more than enough time. A good place to check for its existence is https://unboundtest.com
It uses a similar technique as Let's Encrypt for query of TXT records
Five minutes is usually well more than needed for all but the very slowest DNS providers. And, really the best are like 15-30s. Even an hour usually points to a different problem.
I highly doubt the different TLD is related.
Are you sure this domain uses the same authoritative DNS servers as the others that work? This site (littlelumtinperrywall.info | DNSViz) shows them as ns{1,2,3}.livedns.org.uk
Is that the place you are updating? Is that the same as the others that work?
I found a tool for checking if txt records (nslookup.io) exist in domain records. Just checked that one existed for the domain I set up earlier (where the certificate creation was immediate).
That domain doesn't have a text record. See attached. Weird. Yet it has a Lets Go SSL cert and all seems to be working fine with it on the site.
Yes, those name servers are the same ones as used with the domain for which the cert was successfully added. I just checked the host record. And they are the same as for the other sites on the same web server.
The only thing I can think of is whether it's something to do with the .info extension.
There is one more thing I think I will try, and that is to delete the environment and recreate it. When creating the SSL yesterday within Plesk, I removed the admin email address. Wondering if that might have caused this problem.
It's the only other thing I can think of trying, so any ideas most welcome.
Did you request a wildcard cert for that domain too? I am not expert with Plesk but in your first post it said you requested a wildcard cert. That requires a DNS Challenge and a TXT record.
But, if not a wildcard cert a system can use an HTTP Challenge. That uses HTTP requests rather than DNS TXT records. I don't know how Plesk chooses which to use other than it must use DNS Challenge for wildcard (everyone must).
I'm signing off but I am sure someone else will be able to help if none of this works out.
I don't think it is related to TLD or admin email. Rebuilding might help if nothing else does.
Even though my issue has now been resolved by deselecting the wildcard option, I went back and had another look at the message I received from the Let's Encrypt widget in Plesk and you are right.
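The check this thread keeps coming back to (confirming that the `_acme-challenge` TXT record is really being served before pressing Continue), as an added example that is not part of any post above. It asks each authoritative nameserver directly with `dig`, so resolver caches are bypassed; the function name `check_acme_txt` and the `DIG` override variable are hypothetical, and the domain is assumed to be the zone apex (as it is for the domain in this thread).

```shell
#!/usr/bin/env bash
# Added example: verify a dns-01 TXT record at every authoritative nameserver.
# DIG can be overridden (hypothetical knob, e.g. for offline testing).
DIG="${DIG:-dig}"

# check_acme_txt DOMAIN EXPECTED_VALUE
# DOMAIN may be given as "*.example.com"; wildcard names validate at the
# base name, so the record checked is _acme-challenge.example.com.
# Assumes DOMAIN is the zone apex, so its NS records can be queried directly.
# Returns 0 only if every nameserver serves EXPECTED_VALUE, 1 if any server
# is missing it, 2 if no nameservers were found.
check_acme_txt() {
  local domain="${1#\*.}"
  local expected="$2"
  local name="_acme-challenge.${domain}"
  local ns servers answer missing=0

  servers=$("$DIG" +short NS "$domain")
  if [ -z "$servers" ]; then
    echo "no NS records found for $domain" >&2
    return 2
  fi

  for ns in $servers; do
    # Query the authoritative server itself; strip the quotes dig prints
    # around TXT strings before comparing.
    answer=$("$DIG" +short TXT "$name" "@${ns%.}" | tr -d '"')
    if printf '%s\n' "$answer" | grep -Fxq -- "$expected"; then
      echo "ok      $ns"
    else
      # An empty answer here corresponds to the NXDOMAIN / missing-record
      # error reported by the CA; a different value is a stale record.
      echo "MISSING $ns (got: ${answer:-no answer})"
      missing=1
    fi
  done
  return "$missing"
}
```

Call it as `check_acme_txt 'example.com' '<value shown by the control panel>'` and only continue the issuance once every nameserver reports `ok`.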