SSL auto-renewal is one of those things that should be invisible — until it isn't. When Plesk's Let's Encrypt renewal silently fails, your clients see browser security warnings and your phone starts ringing. This guide covers every failure mode: HTTP-01 challenge failures, DNS-01 mismatches, rate limits, and the Nginx redirect edge cases that catch even experienced admins off guard.
Step 1: Find the Renewal Error in Plesk Logs
Don't guess. Find the exact error first. Plesk logs Let's Encrypt renewal activity in two places:
tail -100 /var/log/plesk/panel.log | grep -i "letsencrypt\|acme\|ssl"
tail -200 /var/log/letsencrypt/letsencrypt.log
Common error messages and what they mean:
The authorization token can not be found — HTTP-01 challenge file isn't reachable
Incorrect TXT record found at _acme-challenge — DNS-01 challenge TXT record mismatch
too many certificates already issued for exact set of domains — rate limit hit
Connection refused / Timeout — port 80 or 443 is blocked
Step 2: Fix HTTP-01 Challenge Failures
# Test that the challenge path is reachable over plain HTTP (port 80)
curl -I http://yourdomain.com/.well-known/acme-challenge/test
# Should return 404 (file not found is fine — a connection means the path is reachable)
# A connection refused means port 80 is firewalled
# Plesk Firewall (or iptables directly) — open port 80
# Note: a rule inserted with iptables alone is not persistent across reboots; make the same change in the Plesk Firewall extension
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# Or via CSF (ConfigServer Firewall):
grep "^TCP_IN" /etc/csf/csf.conf   # ensure 80,443 are listed
csf -r                             # reload firewall rules
4. Check document root: If your domain's physical path doesn't match what Plesk expects, the challenge file gets written to the wrong directory. Verify under Domains > Hosting Settings that Document Root matches the actual directory serving your site.
Step 3: Fix DNS-01 Challenge Failures (External DNS)
When you use an external DNS provider (Cloudflare, Route 53, etc.) instead of Plesk's internal DNS, Let's Encrypt uses the DNS-01 challenge. Plesk creates a TXT record at _acme-challenge.yourdomain.com, but if your external DNS doesn't have that record — or has a stale one — renewal fails.
1. Verify the TXT record is propagated:
dig TXT _acme-challenge.yourdomain.com +short @8.8.8.8
dig TXT _acme-challenge.yourdomain.com +short @1.1.1.1
If these return nothing or different values, the record isn't propagated or is wrong.
_acme-challenge TXT record. Start it and retry the certificate renewal.
3. Add the TXT record manually in your external DNS: If Plesk's DNS service is intentionally disabled and you use external DNS exclusively, add the record Plesk is trying to create directly in your DNS provider's dashboard. Look in /var/log/letsencrypt/letsencrypt.log for the exact token value Plesk is trying to verify.
4. Multiple nameservers with propagation lag: Let's Encrypt randomly picks a nameserver to verify against. If your external provider uses multiple nameservers and propagation is slow, the verification can hit a stale server. Wait 15 minutes after updating DNS records before retrying, or switch to HTTP-01 validation if possible.
Step 4: Fix the Rate Limit Error
Let's Encrypt enforces a limit of 5 certificates per domain per week (exact set of domains). If you've attempted renewal multiple times while debugging, you may have exhausted the limit.
1. Check your rate limit status: Visit https://crt.sh/?q=yourdomain.com and count certificates issued in the past 7 days.
2. Use the Let's Encrypt staging environment to test:
plesk ext letsencrypt --issue -domain yourdomain.com --staging
The staging environment has no rate limits and lets you verify your configuration is correct before attempting a real certificate.
crt.sh — once it's older than 7 days, you have capacity again.
4. Purchase a commercial certificate as a temporary measure: If you can't wait, install a short-term commercial certificate (even a free one from ZeroSSL via manual issuance) while the rate limit resets.
Step 5: Manually Trigger Renewal via Plesk CLI
After fixing the underlying issue, force an immediate renewal attempt rather than waiting for Plesk's scheduled task:
# Renew a specific domain
plesk ext letsencrypt --renew -domain yourdomain.com
# Renew all domains on the server with Let's Encrypt
plesk ext letsencrypt --renew-all
# Check renewal status for all domains
plesk ext letsencrypt --info
Monitor the output in real time and in the log file simultaneously:
tail -f /var/log/letsencrypt/letsencrypt.log
Step 6: Fix Certificate Assigned to Wrong Service (Mail/FTP)
Plesk allows assigning different SSL certificates to different services (website, mail, FTP, Webmail). If the Let's Encrypt certificate renewed successfully but your mail client is still showing an SSL warning, the old certificate is still assigned to the mail service.
Go to Mail > Mail Settings > your domain > SSL/TLS support and select the newly issued Let's Encrypt certificate. Repeat for FTP under FTP > FTP over SSL/TLS.
Step 7: Set Up Monitoring So You Never Miss a Renewal Failure
1. Enable Plesk renewal notifications: Go to Tools & Settings > Notifications. Enable SSL/TLS certificate expiration alerts and set the warning threshold to 30 days before expiry.
2. External certificate expiry monitoring: Add your domains to a free monitoring service (e.g., UptimeRobot's SSL monitor, or ssl-checker.io) to get alerts if a certificate expires regardless of whether Plesk's internal notifications fire.
3. Cron-based expiry check:
# Add to root crontab — checks expiry daily (-servername sends SNI so you test this domain's certificate, not the default vhost's)
0 9 * * * echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -checkend 604800 || echo "SSL expires within 7 days on yourdomain.com" | mail -s "SSL WARNING" admin@yourdomain.com
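As an added example (not from the original guide), the Step 7 one-liner turned into reusable functions: check a PEM certificate against a day threshold, report the days left, and fetch a live host's certificate with SNI, which matters on a Plesk server hosting several domains. It assumes openssl and GNU date are in PATH; the function names are our own.

```shell
#!/bin/sh
# Added example, not part of the original guide. Reusable form of the Step 7
# cron check: a PEM certificate is read from stdin and tested against a day
# threshold. Assumes openssl and GNU date in PATH; function names are our own.

# Exit 0 if the certificate on stdin stays valid for at least $1 more days.
# openssl x509 -checkend exits 0 when the cert will NOT expire within the given
# number of seconds and 1 when it will, so the cron "||" pattern keeps working.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# Print whole days left on the certificate on stdin (negative once expired).
# Parses openssl's "notAfter=Mon DD HH:MM:SS YYYY GMT" with GNU date.
cert_days_left() {
    end=$(openssl x509 -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Fetch the certificate a live host presents, as PEM on stdout.
# -servername sends SNI, so on a Plesk server hosting several domains you get
# that domain's certificate instead of the default vhost's.
# Usage: fetch_host_cert yourdomain.com [443]
fetch_host_cert() {
    echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509
}

# Cron-friendly wrapper: prints a warning and exits 1 if fewer than $2 days
# (default 7) remain on the certificate served by host $1 (or the host is unreachable).
warn_if_expiring() {
    if fetch_host_cert "$1" | cert_valid_for_days "${2:-7}"; then
        return 0
    fi
    echo "SSL expires within ${2:-7} days on $1"
    return 1
}

# Saved as /usr/local/bin/sslcheck.sh, the matching crontab entry is:
# 0 9 * * * /usr/local/bin/sslcheck.sh yourdomain.com 7 >/tmp/sslcheck.out || mail -s "SSL WARNING" admin@yourdomain.com </tmp/sslcheck.out
if [ "$#" -ge 1 ]; then
    warn_if_expiring "$@"
fi
```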
