Unable to obtain Let's Encrypt SSL certificate [...] Error getting validation data

Trying to renew the certificate using Plesk, get the following error:

Unable to obtain Let’s Encrypt SSL certificate because of failed challenge for domain “mydomain.com”:
Fetching http://mydomain.com/.well-known/acme-challenge/zwA3zX2LHYAF64CPDSsYsT6LaJLjUo-532baZouDbmc: Error getting validation data

Is there any way to remove the certificate from Plek and install it again?
Should I try to renew from command line (using CentOS)?

Thanks for your help.

Hi @mamorte,

If you post your domain name, people might notice DNS problems or other problems that could be causing this error. Something like this has often been related to DNS configuration errors.

Hi @schoen.
Thank you for your reply.
My domain is https://plantanaturalparaempresa.es/
I don’t think the problem is related with DNS, but any help is welcome.
There was no problem with the certificate before, just when try to renew it.

DNS does look good as far as I can tell - are you able to place a test file in .well-known/acme-challenge and load that in a browser?

The problem was in the “Additional Nginx Directives” (Content Security Policy, Strict Transport Security and Public Key Pins), probably due a bad configuration.
Removing these headers the certificate has been renoved without problems.

Is Let’s Encrypt compatible with Content Security Policy, Strict Transport Security and Public Key Pins headers?

@jared.m, @schoen, thank you for your help.

The validation server is completely unaffected by those headers. There may have been an issue with the web server configuration, and the settings for those headers may have been involved (for example, issues with how the location blocks in the Nginx configuration were arranged), but the headers have no direct bearing on the validation server.

In general, you can and (often) should use CSP and HSTS.

HPKP is dangerous and difficult to configure safely. When pinning CA roots, you should pin more than 1, and, well, Let's Encrypt is only one CA. When pinning certificate keys, some popular Let's Encrypt clients may prefer to always generate new keys and make it difficult to use a specific one, but you certainly can; you may just have to configure something or switch clients.

It's not possible for a CA to be inherently incompatible with CSP, HPKP or HSTS, except that it may be difficult to pin a CA's root or intermediate certificates if they don't consistently use the same ones.

1 Like

Thank you @mnordhoff for your explanation. I will keep CSP and HSTS removing HPKP.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.