Input Let's Encrypt false positive 403 response when used with certain e-mail addresses

Bitpalast

We found that Let's Encrypt delivers false "403" responses when trying to create a certificate, although the web server delivers the token with a 200 OK code, the token can be retrieved by a browser, and DNS is set correctly and propagated all through the internet. Nevertheless, for one customer it was impossible to create a Let's Encrypt certificate. We always got the "403" response and the notice that the token does not match the challenge.

This error message is wrong. The true reason for the failure was the e-mail address that was used as the notification e-mail address. Its structure was
xxxxx.yyyyy@gmail.com
We do not know why the specific e-mail address of the customer has caused Let's Encrypt to deny validation of the certificate request and to respond with a "Status: 403", but when we used a different e-mail address as the notification address upon certificate creation, the certificate could be created without any issues.
 
Thank you Peter.
I could not reproduce the problem: I used the address xxxxx.ayyyyy@gmail.com and the certificate was issued. Maybe something else provoked the error, but when you used a new email, a registration was created anew and the problem resolved itself? Although it sounds weird. Maybe there were some other factors? What versions of LE, Plesk, and OS?
 
I tested this for half a day. I know it's weird, because the error message does not refer to the mail address, but rather to a typical inaccessibility issue of the token file. But that was surely accessible. I had tested this through different subscriptions, different domains and subdomains, and all worked except the one where that specific mail address was used. The mail address, however, is a normal gmail mail address. I cannot imagine why this is happening either, but wanted to report it here, because someone else might run into a similarly weird issue with it.
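A detail worth making explicit for anyone debugging this class of 403: in an HTTP-01 challenge the ACME server (RFC 8555, section 8.3) does not only check that the file under /.well-known/acme-challenge/<token> is reachable. It fetches the file and requires its body to equal the key authorization, i.e. <token>.<base64url(SHA-256 of the RFC 7638 thumbprint of the ACME account key)>. So a 200 response and a token that "looks right" in the browser can still fail with 403 / "key authorization does not match this challenge" if the file was written for a different account key than the one placing the order, which is consistent with the staff reply above noting that a new notification email created a new registration. The following script is an added example for this thread (not code from the thread, from Plesk, or from Let's Encrypt): it computes RFC 7638 thumbprints for both RSA and EC account keys (going beyond the single case discussed here), builds the expected key authorization, and replays the server-side decision against constructed responses. All key parameters, tokens and served bodies are constructed dummy values, not real keys.

```python
"""Added example (not from the thread, not Plesk or Let's Encrypt code):
what an ACME server actually verifies in an HTTP-01 challenge.

RFC 8555 section 8.3: the server fetches
    http://<domain>/.well-known/acme-challenge/<token>
and requires the body to equal the key authorization
    <token> "." base64url(SHA-256(JWK thumbprint of the ACME account key))
where the thumbprint is computed per RFC 7638. A 200 response alone is not enough.
All key material, tokens and served bodies below are constructed for the demo.
"""
import base64
import hashlib
import json

# RFC 7638 section 3.2: the members that enter the thumbprint, per key type.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses throughout (RFC 8555 section 7.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, member names in
    lexicographic order, no whitespace. Optional members (alg, kid, use) are ignored."""
    kty = jwk["kty"]
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    canonical = {name: jwk[name] for name in REQUIRED_MEMBERS[kty]}
    serialized = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(serialized.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Expected body of the challenge file for this token and this account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(token: str, account_jwk: dict, status: int, body: bytes) -> tuple:
    """Replay the server-side decision from RFC 8555 section 8.3 as (ok, reason).
    Let's Encrypt reports a mismatch as 403 / urn:ietf:params:acme:error:unauthorized,
    the "does not match" notice quoted in the thread."""
    if status != 200:
        return False, f"challenge file returned HTTP {status}"
    expected = key_authorization(token, account_jwk)
    # RFC 8555 8.3: the server SHOULD ignore whitespace after the body.
    served = body.decode("utf-8", errors="replace").rstrip()
    if served != expected:
        return False, "key authorization in served file does not match this challenge"
    return True, "valid"


# Constructed account keys: dummy parameter values, not real keys.
# Only the thumbprint computation matters for this demonstration.
ACCOUNT_A = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 256),
             "alg": "RS256", "kid": "acct-a"}                       # account that placed the order
ACCOUNT_B = {"kty": "EC", "crv": "P-256",
             "x": b64url(b"\x02" * 32), "y": b64url(b"\x03" * 32)}  # a freshly registered account
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token


def demo() -> list:
    """Run the validator over constructed web-server responses."""
    good = key_authorization(TOKEN, ACCOUNT_A).encode("ascii")
    return [
        validate_http01(TOKEN, ACCOUNT_A, 200, good),              # file matches order's account
        validate_http01(TOKEN, ACCOUNT_A, 200, good + b"\n"),      # trailing newline tolerated
        validate_http01(TOKEN, ACCOUNT_B, 200, good),              # order placed by another account
        validate_http01(TOKEN, ACCOUNT_A, 200, TOKEN.encode()),    # bare token, no thumbprint
        validate_http01(TOKEN, ACCOUNT_A, 404, b"Not Found"),      # the "real" inaccessibility case
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("VALID  " if ok else "INVALID", reason)
```

The third case is the one this thread circles around: the token file is served with 200 and its content is byte-for-byte what was written, yet validation fails because the account key that signed the order is not the one whose thumbprint is in the file. When reproducing a 403 of this kind, compare the served body against the key authorization computed from the account key the client is actually using, rather than only checking that the URL loads.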
 
I found that this very strange error might be linked to the new ECDSA option for Let's Encrypt certificates in Plesk. It seems that the software cannot handle this certificate type fully correctly.

Do not use the following in panel.ini for the time being:
Code:
[ext-letsencrypt]
key-algorithm = ECDSA
ecdsa-curve-name = prime256v1 ; can be omitted
 