Secure Sockets Layer (SSL) certificates are essential for modern website security, encrypting data transmissions and maintaining browser trust. Plesk includes a Let's Encrypt extension to automate the validation, issuance, and renewal of free Domain Validated (DV) SSL certificates. However, configuration changes, DNS propagation errors, or local firewall settings can cause SSL auto-renewals to fail, resulting in browser security warnings when the certificate expires.
For systems administrators, troubleshooting SSL renewal failures requires identifying the validation method used (typically HTTP-01 or DNS-01) and checking domain configurations. In this guide, we will analyze Let's Encrypt validation methods, check Plesk log files, and walk through the SSH commands needed to resolve validation errors and force SSL renewals.
1. Understanding Let's Encrypt Validation Methods
Let's Encrypt requires domain ownership validation before issuing or renewing certificates. This validation is typically completed using one of two methods:
- HTTP-01 Challenge: Let's Encrypt's servers attempt to fetch a temporary challenge file from your server over HTTP at a specific path:
http://yourdomain.com/.well-known/acme-challenge/file. If the file cannot be accessed (e.g., due to redirection rules or permission errors), validation will fail. - DNS-01 Challenge: Used for wildcard certificates. It requires creating a temporary TXT record (
_acme-challenge.yourdomain.com) in your domain's DNS zone. If Plesk cannot write this record to the authoritative nameservers, validation will fail.
2. Step-by-Step Diagnostics via SSH
To troubleshoot Let's Encrypt renewal issues in Plesk, log into your server via SSH as the root user. Run these diagnostic commands to check challenges, verify logs, and force renewals.
Step 2.1: Check the Let's Encrypt Log Files
When an SSL renewal fails, Plesk logs the error details in its system logs. Review these logs to identify the cause of the validation failure:
tail -n 100 /var/log/plesk/panel.log
Look for log entries containing "acme" or "Let's Encrypt" to find the specific error messages returned by Let's Encrypt's servers during the validation check.
Step 2.2: Troubleshoot HTTP-01 Challenge Access
If the HTTP-01 challenge fails, verify that the challenge directory is accessible over HTTP. Create a temporary test file in the challenge folder:
mkdir -p /var/www/vhosts/domain.com/httpdocs/.well-known/acme-challenge/
echo "test-challenge-access" > /var/www/vhosts/domain.com/httpdocs/.well-known/acme-challenge/test.txt
Attempt to fetch this file using a browser or command-line curl: curl -i http://domain.com/.well-known/acme-challenge/test.txt. If the request returns a 403 Forbidden, 404 Not Found, or redirects to a secure login page, check your rewrite configurations (such as .htaccess rules) and directory permissions, and modify them to allow access to the .well-known path.
Step 2.3: Verify DNS-01 Wildcard Records
For wildcard certificates utilizing DNS-01 validation, check that the authoritative nameservers resolve the TXT challenge records correctly. Run the following dig command to check current TXT records for your domain:
dig TXT _acme-challenge.domain.com
If the query does not return the expected challenge string, verify that Plesk is configured as the authoritative DNS server for the domain, or update the TXT record manually at your external DNS provider if you use third-party DNS.
Step 2.4: Force SSL Renewal via Plesk CLI
Once you resolve configuration or DNS issues, use Plesk's CLI utilities to force the SSL certificate renewal:
# Force Let's Encrypt SSL renewal for a specific domain
plesk bin extension --exec letsencrypt -d domain.com
This command runs the Let's Encrypt validation script, issues the certificate, and installs it in your web server configurations, securing your site.
3. Let's Encrypt Failure Analysis
| Let's Encrypt Error | Common Root Cause | Recommended Action |
|---|---|---|
| 403 Forbidden on acme-challenge | Incorrect directory permissions or security rule blocks | Set folder permissions to 755; disable redirect rules for .well-known directory |
| 404 Not Found on challenge file | Nginx/Apache routing requests to incorrect document root | Verify domain's document root in Plesk configurations |
| DNS record validation failed | TXT records not propagating to authoritative nameservers | Verify nameserver delegation; sync DNS zone records |
Frequently Asked Questions (FAQ)
Why do Let's Encrypt SSL certificates require renewal every 90 days?
Let's Encrypt limits certificate lifetimes to 90 days to improve security. Shorter lifetimes limit the damage from compromised keys and encourage automation. The renewal process is handled automatically by the Plesk panels, so you do not need to renew them manually.
How does cPanel's AutoSSL compare to Plesk's Let's Encrypt extension?
Both serve the same function, automating SSL validation and installation. AutoSSL is a built-in cPanel feature that can use different providers, while Plesk uses a dedicated Let's Encrypt extension to handle SSL issuance.
Can a firewall block Let's Encrypt validation checks?
Yes. Let's Encrypt's validation servers connect to your site over HTTP/HTTPS (port 80/443) to check the challenge files. If your server firewall or CDN blocks inbound traffic on these ports, validation checks will fail.