plesk / letsencrypt-plesk

Let’s Encrypt extension for Plesk gives all Plesk users the power to get a free Let’s Encrypt certificate with just a couple of clicks.
https://www.plesk.com/extensions/letsencrypt/

504 errors, #176

Closed ianrifkin closed 7 years ago

ianrifkin commented 7 years ago

I've had letsencrypt plesk set up and working for 50+ domains successfully, including renewals. On May 19th my server's cron emailed me a bunch of renewal failures that looked like:

Status: 504.
[2017-05-20 00:02:05] ERR [extension/letsencrypt] Cannot renew certificate on domain [domain.com] with error: Could not obtain directory: Invalid response: <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
An error occurred while processing your request.<p>
Reference&#32;&#35;97&#46;61f01202&#46;1495231325&#46;a6a9d7c
</BODY></HTML>

Going to the Plesk interface and manually clicking to renew isn't helping. There I get the vague message:

Error: Let's Encrypt SSL certificate installation failed: Challenge marked as invalid. Details: Could not connect to [domain.com]

I'm not sure what it's trying to connect to specifically (what path?) and from where (my server or a central server?) -- is it getting an error or just not reaching the server at all? More importantly, what's changed since the last time these were renewed?

It's not every single domain on my server as I was able to just renew one of them, but most (there are 50 that) are expiring.

I saw an issue posted about disabling IPv6 so I just tried that but still get the error. I'm not sure if the problem is on my end or not so any guidance would be much appreciated!

ianrifkin commented 7 years ago

Actually, I was confused about what was meant by disabling IPv6. This was in fact my problem. Sorry!

If anyone else is confused and stumbles upon this, here's the deal: I think something changed with letsencrypt to try an IPv6 address first if there is an AAAA record in DNS. You can check this by going to something like http://ipv6-test.com/validate.php and putting in your URL.

If it doesn't show an IPv6 address (AAAA DNS entry) then this isn't your problem. You can also 'dig' for this.

If it shows an IPv6 address and it says it works then this also isn't your problem.

If it shows an IPv6 address and says it does not work, this is your problem. You either need to make sure your IPv6 is set up to actually work or you can edit your DNS entry and remove the AAAA IPv6 record (then wait for the DNS change to propagate).

Sorry for wasting another issue ticket on this!
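
The three-way check described in the comment above, as an added example that is not part of the original thread or of the extension's code. It assumes the failing validation is HTTP-01 on port 80; the function names and verdict strings are made up for this illustration.

```python
import socket

HTTP01_PORT = 80  # assumption: the failing challenge is HTTP-01, served on port 80


def resolve_aaaa(host):
    """Return the IPv6 addresses published for host (empty list if none)."""
    try:
        infos = socket.getaddrinfo(host, HTTP01_PORT, socket.AF_INET6,
                                   socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # no AAAA record, or the name does not resolve at all
    return sorted({info[4][0] for info in infos})


def tcp_reachable(addr, port=HTTP01_PORT, timeout=5.0):
    """True if a TCP connection to addr:port succeeds within timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out
        return False


def diagnose(host, resolve=resolve_aaaa, reachable=tcp_reachable):
    """Classify host into the three cases from the comment.

    Returns (verdict, unreachable_addresses):
      "no-aaaa"     -> no IPv6 address published; IPv6 is not the cause
      "aaaa-ok"     -> every published IPv6 address answers; not the cause
      "aaaa-broken" -> at least one published IPv6 address does not answer
    """
    addrs = resolve(host)
    if not addrs:
        return "no-aaaa", []
    dead = [a for a in addrs if not reachable(a)]
    if dead:
        return "aaaa-broken", dead
    return "aaaa-ok", []


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        verdict, dead = diagnose(name)
        print(name, verdict, *dead)
```

Run it from a machine outside the server that has working IPv6 connectivity of its own; a host without IPv6 will report every AAAA record as broken, and a check from the server itself can succeed where an external one fails.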