Let's Encrypt SSL Certificate Troubleshooting

Let's Encrypt SSL Certificate Issues

Troubleshoot common problems with Let's Encrypt SSL certificate issuance and renewal.

How Let's Encrypt Works

Let's Encrypt uses HTTP validation to verify domain ownership:

  1. Plesk creates a validation file in /.well-known/acme-challenge/
  2. Let's Encrypt servers request this file over HTTP
  3. If the request succeeds, the certificate is issued
  4. Certificates auto-renew every 60-90 days

Common Error Messages

Error: "Domain validation failed"

Causes:

  • DNS not pointing to the server
  • HTTP blocked or redirected before validation
  • Firewall blocking Let's Encrypt servers
  • www vs non-www mismatch

Error: "Too many certificates already issued"

Cause: Let's Encrypt rate limits (50 certificates per domain per week)

Solution: Wait a week before trying again

Error: "Authorization for domain failed"

Cause: Validation file not accessible

Solution: Check URL rewriting rules

Troubleshooting Steps

1. Verify DNS Points to Server

  • Run nslookup yourdomain.com and check that it returns your server's IP
  • Ensure both www and non-www resolve to your server
  • Wait for DNS propagation (up to 48 hours)

2. Check HTTP Access

Test that HTTP (port 80) works for your domain:

# Test in browser:
http://yourdomain.com/.well-known/acme-challenge/test

# Should NOT redirect to HTTPS during initial validation

3. Temporarily Disable HTTPS Redirect

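If you have forced HTTPS, temporarily allow HTTP for validation. The rule below keeps the redirect for the rest of the site and excludes only the acme-challenge folder: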

<!-- web.config (place inside <system.webServer><rewrite><rules>) - Allow acme-challenge folder over HTTP -->
<rule name="HTTPS Redirect" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="^OFF$" />
    <!-- Exclude acme-challenge from redirect -->
    <add input="{REQUEST_URI}" pattern="^/\.well-known/acme-challenge/" negate="true" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>

4. Check for Blocking Rules

Ensure nothing blocks the validation path:

  • ModSecurity/WAF rules
  • IP blocking
  • Geographic restrictions
  • Authorization rules in web.config
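
A pre-flight script for steps 1, 2 and 4 above, added here as an illustration (it is not Plesk or Let's Encrypt code): it checks that both hostnames resolve to the server and classifies the port-80 response for the challenge test URL without following redirects. The function names, the command-line arguments and the `www.` alias are assumptions of this example.

```python
import http.client
import socket
import sys
from urllib.parse import urlsplit

CHALLENGE_PATH = "/.well-known/acme-challenge/test"  # test URL from step 2

def classify(status, location=None):
    """Map a port-80 response for the challenge URL to the causes on this page."""
    if status in (301, 302, 303, 307, 308):
        if urlsplit(location or "").scheme.lower() == "https":
            return "redirected to HTTPS: exclude acme-challenge from the redirect"
        return "redirected elsewhere: check URL rewriting rules"
    if status in (401, 403):
        return "blocked: check WAF, IP/geo blocking and authorization rules"
    if status in (200, 404):  # 404 only means the test file does not exist
        return "reachable over HTTP"
    return "unexpected status %d: check the site and its rewrite rules" % status

def dns_problems(resolved, server_ip):
    """resolved: hostname -> list of A records ([] when the lookup failed)."""
    return {h: ips for h, ips in resolved.items() if set(ips) != {server_ip}}

def resolve(host):  # IPv4 (A records) only; returns [] if the name does not resolve
    try:
        infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []

def probe(host, timeout=10):
    """GET the challenge URL over plain HTTP without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

if __name__ == "__main__" and len(sys.argv) == 3:  # usage: check.py DOMAIN SERVER_IP
    domain, server_ip = sys.argv[1], sys.argv[2]
    hosts = [domain, "www." + domain]  # assumes a www alias is on the certificate
    for host, ips in dns_problems({h: resolve(h) for h in hosts}, server_ip).items():
        print("%s: DNS returns %s, expected %s" % (host, ips or "no A record", server_ip))
    for host in hosts:
        try:
            print("%s: %s" % (host, classify(*probe(host))))
        except (OSError, http.client.HTTPException) as exc:
            print("%s: port 80 not reachable: %s" % (host, exc))
```

Run it from a machine outside your own network, so that firewall and geographic rules are exercised the same way they are for an external validator.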

Manual Certificate Renewal

In Plesk:

  1. Go to Websites & Domains
  2. Click SSL/TLS Certificates
  3. Find the Let's Encrypt certificate
  4. Click Reissue Certificate

Multiple Domain Certificates

When securing www and non-www (or subdomains):

  • Select all domains/subdomains when requesting the certificate
  • Each domain must pass validation
  • DNS must be configured for ALL included domains

Alternative: Using a Different SSL Provider

If Let's Encrypt continues to fail:

  • Purchase a commercial SSL certificate
  • Use Plesk's built-in certificate options
  • Contact support for manual certificate installation

Preventing Renewal Failures

  1. Keep DNS properly configured
  2. Don't block HTTP entirely (or exclude acme-challenge)
  3. Monitor certificate expiration dates
  4. Set up email notifications for expiring certificates

When to Contact Support

  • Validation repeatedly fails despite correct setup
  • Certificate shows as issued but site shows insecure
  • Need help with complex multi-domain certificates
  • Certificate installed but not applying correctly
