Let's Encrypt SSL/TLS certificate installation, issue, renewal failed

Problem Description

  • You get an error when attempting to install / add or renew a Let's Encrypt certificate
  • You receive an email indicating "Could not secure domains" with details within indicating "Could not renew Lets Encrypt certificates" and that you should login to Plesk and renew them manually.
  • You receive an email notification indicating: Could not issue/renew Let`s Encrypt certificates
  • When renewing your Let's Encrypt certificate in Plesk, you receive an error like: Invalid Response [...] DNS Problem NXDOMAIN looking up A for <domain>

The errors look like this:

Type: urn:acme:error:unauthorized
Status: 403 (or 400, 500, etc)
Detail: <message>

The specific Detail message varies so we're going to cover each common one below, along with solutions to them.

Problem Resolution

Important: all domains and domain aliases that you have included in the SSL certificate must be registered and pointing to your Websavers server for Let's Encrypt to work.

There are various reasons for this kind of failure notice. You will need to read the last line of the error that starts with Detail: to pinpoint exactly what went wrong and how to resolve it.

DNS problem: NXDOMAIN looking up A for <domain>

This message indicates that one of the domains included in the certificate, whether the primary domain, a subdomain, or an alias, is not registered or not pointing to your Websavers server.

If you recently registered the domain, or you have recently changed the DNS to point the domain to our servers, you probably just need to wait a bit longer for the DNS to propagate. In this case, we suggest checking back in a few hours.

Otherwise, to resolve this issue you can either make the domain in question live, or edit the list of domains included in the certificate:

  1. If you don't intend for the domain to be live with us, you can: remove the domain from Plesk, exclude the domain from the SSL Certificate, or Delete the SSL certificate. See the bottom of this article for steps to do so
  2. If all domains are registered and live on your hosting with us, and you wish to include them in your SSL certificate, try forcing a DNS flush for your domain in Google Public DNS here. Then use the steps here to manually renew.

Reminder: if your domain isn't live and working on your Websavers hosting then you will not be able to have a free SSL certificate for it. Free SSL certificates can only be generated by the provider where the website is hosted.

Incorrect TXT record "{STRING}"

This means you're attempting to use a wildcard SSL certificate, which you must manually renew in Plesk every 3 months. If you don't want to do this, then get rid of the wildcard certificate by reissuing the certificate. Be sure to un-check the Wildcard Certificate option.

403, 500, or 404

The error will likely also say "Invalid response" from a URL with certbot (or letsencrypt) in it.

This should be a temporary error from the Let's Encrypt servers. If it's a 404, the most likely explanation is that you've removed the .well-known folder in your web root. Manually retrying the renewal will recreate the folder with a new validation file. Follow the steps here to manually renew your SSL certificate.

Simply try again later by using the link above to attempt a manual renewal.

403, 404, 301, or 302 error

In most cases this means the .htaccess or nginx rewrite rules for the domain are blocking Let's Encrypt's validation system. Check your web server configuration rules to ensure nothing is blocking access to the .well-known directory in your web root.
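The two sections above both come down to the same question: can the Let's Encrypt validator fetch a file under /.well-known/acme-challenge/ on your site and get a plain 200 back? The script below is an added example, not Websavers' or Plesk's own code. It requests the challenge URL the way the validator does (without following redirects) and maps the status code to the causes described above. A small local demo server with constructed responses stands in for a real web server so the script runs offline; against a live site you would call probe_challenge with the site's hostname, port 80 and the token from the error message.

```python
"""Added example (not Websavers' or Plesk's code): probe the HTTP-01 challenge
path as the Let's Encrypt validator sees it and explain the status code.
The demo server and its responses are constructed for this example."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def diagnose(status, location=None):
    """Translate an HTTP status on the challenge URL into the likely cause."""
    if status == 200:
        return "ok: challenge file is reachable"
    if status == 404:
        return "404: .well-known folder or token is missing; retry the renewal so they are recreated"
    if status in (301, 302):
        return f"{status}: redirect to {location!r}; a rewrite rule is diverting .well-known requests"
    if status == 403:
        return "403: access to .well-known is denied; check .htaccess or nginx rules"
    if status >= 500:
        return f"{status}: server-side error; retry later"
    return f"{status}: unexpected response"


def probe_challenge(host, port, token, timeout=5):
    """GET the challenge URL without following redirects.
    Returns status, Location header, whether the body looks like the key
    authorization for this token, and a diagnosis string."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        status, location = resp.status, resp.getheader("Location")
    finally:
        conn.close()
    return {
        "status": status,
        "location": location,
        # the real validator compares the whole body with token + "." + thumbprint
        "body_matches": status == 200 and body.startswith(token + "."),
        "diagnosis": diagnose(status, location),
    }


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed responses: one healthy path and the broken cases above."""
    ROUTES = {
        "good-token": (200, {}, b"good-token.CONSTRUCTED_KEY_AUTHORIZATION"),
        "redirected": (301, {"Location": "https://example.invalid/"}, b""),
        "blocked": (403, {}, b"Forbidden"),
        # any other token (e.g. "missing") falls through to a 404
    }

    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else ""
        status, headers, body = self.ROUTES.get(token, (404, {}, b"Not Found"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Start the demo server on an ephemeral localhost port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_demo_server()
    try:
        for token in ("good-token", "missing", "redirected", "blocked"):
            print(token, "->", probe_challenge("127.0.0.1", port, token)["diagnosis"])
    finally:
        server.shutdown()
```

A 301 or 302 is reported rather than followed on purpose: the validator does follow redirects, but seeing the Location header is what tells you which rewrite rule is catching the .well-known request.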

403 error with detail: Invalid Response from [...]

This can occur when one of the domains that's part of the certificate has expired. The solution is the same as for "DNS problem" above; see the steps there to resolve it.

Missed domain names failed to pass validation: webmail.<your_domain>

As long as this includes "webmail." at the start, you can fix this by logging in to Plesk > choose Mail Settings for the domain > choose webmail > select "None". The next time Let's Encrypt renewals are processed, you will no longer receive this error.

Rate limit exceeded

The server exceeded its rate limit with Let's Encrypt's API and was unable to process a renewal. The error will indicate how long the server has been temporarily blocked for, so you can retry your renewal after that period of time has passed.

Temporary communication issue between our server and Let's Encrypt's API prevented a successful renewal.

Try again in 24 hours.

CAA record for <domain> prevents issuance

This means you've created at least one CAA record in your domain's DNS settings/zone and none of them include Let's Encrypt. CAA records are good for security: they restrict which certificate issuers are allowed to issue certs for your domain. However, if you add one or more of them and do not also add Let's Encrypt, Let's Encrypt will be unable to issue your certificate. You can create multiple CAA records, so to resolve this, go to wherever your DNS is hosted and add a CAA record that points to: letsencrypt.org. More details are in the Let's Encrypt documentation here.
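To see why a CAA record on the parent domain can block a subdomain, and why a wildcard certificate (the "Incorrect TXT record" section above) can be refused even when a plain certificate is issued, the following added example evaluates CAA records the way a CA does under RFC 8659. It is not Websavers' or Let's Encrypt's code; the zone is constructed sample data with other-ca.example standing in for some other issuer, and a real check would fetch the CAA RRsets from DNS instead of reading a dictionary. When letsencrypt.org is not permitted, the reason string includes the record to add.

```python
"""Added example (not Websavers' or Let's Encrypt's code): RFC 8659 CAA
evaluation over a constructed zone, reporting the record to add when
letsencrypt.org is not permitted."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 128 = "issuer critical"
    tag: str     # issue, issuewild or iodef
    value: str   # e.g. "letsencrypt.org" or "letsencrypt.org; validationmethods=dns-01"


# Constructed zone (names fully qualified with a trailing dot); other-ca.example
# is a placeholder issuer, not a real CA.
ZONE = {
    "example.com.": [CAARecord(0, "issue", "other-ca.example"),
                     CAARecord(0, "iodef", "mailto:security@example.com")],
    "fixed.example.com.": [CAARecord(0, "issue", "other-ca.example"),
                           CAARecord(0, "issue", "letsencrypt.org")],
    "wild.example.com.": [CAARecord(0, "issue", "letsencrypt.org"),
                          CAARecord(0, "issuewild", "other-ca.example")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def _ancestors(name):
    """Yield the name and each parent, e.g. a.b.c. -> a.b.c., b.c., c."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def relevant_caa_set(zone, name):
    """RFC 8659 section 3: the first non-empty CAA RRset found walking toward
    the root. For a wildcard name the leading '*' label is dropped first."""
    base = name[2:] if name.startswith("*.") else name
    for candidate in _ancestors(base):
        rrset = zone.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def issuance_allowed(zone, name, issuer="letsencrypt.org"):
    """Return (allowed, reason) for issuing a certificate for name by issuer."""
    wildcard = name.startswith("*.")
    origin, rrset = relevant_caa_set(zone, name)
    if not rrset:
        return True, "no CAA records on the name or its parents: any CA may issue"
    for rec in rrset:
        if rec.flags & 128 and rec.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {rec.tag!r} at {origin}: CA must refuse"
    # issuewild, when present, overrides issue for wildcard requests
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    applicable = [r for r in rrset if r.tag == tag]
    if not applicable:
        return True, f"CAA at {origin} has no {tag} records: issuance is unrestricted"
    # the issuer domain is the part before any ';' parameters
    permitted = {r.value.split(";", 1)[0].strip().lower() for r in applicable}
    if issuer.lower() in permitted:
        return True, f"{issuer} is listed in a {tag} record at {origin}"
    fix = f'{origin} CAA 0 {tag} "{issuer}"'
    return False, f"CAA at {origin} permits only {sorted(permitted)}; add: {fix}"


if __name__ == "__main__":
    for fqdn in ("example.com.", "www.example.com.", "fixed.example.com.",
                 "wild.example.com.", "*.wild.example.com.", "unrelated.example.net."):
        allowed, reason = issuance_allowed(ZONE, fqdn)
        print(f"{fqdn:26} {'OK' if allowed else 'NO'}  {reason}")
```

Note that www.example.com has no CAA records of its own but is still refused, because the walk stops at example.com; adding the letsencrypt.org record at the parent fixes every subdomain beneath it that does not carry its own CAA set.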

Must agree to subscriber agreement before any further actions

When you go to add or renew the certificate, change the email address that is associated with the cert. This will force a new subscriber agreement to be sent to the differing email address and should result in a successful SSL cert being generated and applied to your domain.


Error not shown here...

If you receive an error that is not described above with a solution, please create a support ticket indicating that you were unable to manually renew your Let's Encrypt SSL certificate and copy and paste the error message into the ticket. Important note: without the error message we cannot help.

My domain or subdomain is intentionally not live with Websavers

There are three ways to stop the Let's Encrypt notifications for a domain that is intentionally not live on your hosting with us:

  1. Remove Domain from Plesk: If the domain is found either as a domain or an alias in Plesk, but it's no longer registered and/or you don't need it anymore, simply remove the domain or alias in Plesk then continue with the steps below.
  2. Exclude Domain from SSL: If <domain> in the error is a domain alias or subdomain, use the steps here to manually renew your SSL certificate and be sure to uncheck the subdomains or domain alias which is causing the problem.
  3. Delete the SSL Certificate: If you no longer need the SSL certificate at all (for example, when the website is no longer hosted with us), you can remove the certificate.
