Plesk Let's Encrypt Certificate Not Working? Fix SSL Errors on Nginx & Apache

Priya

Content Writer & Researcher

Last Updated: 4 June 2026

Plesk Let's Encrypt Certificate Not Working? Fix SSL Errors on Nginx & Apache

🖥️

Tired of Let's Encrypt SSL Failures Breaking Your Plesk Sites?

Expired certificates and failed renewals cost you client trust and SEO rankings. CloudHouse manages Let's Encrypt renewals, nginx SSL config, and certificate lifecycle across your entire Plesk fleet — proactively, before things break.

🔧 Book Free Diagnosis Call Now WhatsApp

🖥️12,400+PCs Fixed

⭐4.9★Google Rating

⚡<15 minAvg. Response

🛡️ISO 27001Certified

You click "Get it free" in Plesk's Let's Encrypt extension, wait for the spinner — and get an error. Or worse: the certificate issues successfully but nginx still serves the old expired cert and the browser shows a red padlock. In Plesk, Let's Encrypt failures fall into a short list of root causes: the ACME HTTP-01 challenge cannot reach the token file, nginx has a stale or missing certificate reference, the hosting type is misconfigured, or a recent Plesk upgrade left behind an orphaned cert entry.

This guide covers every common failure mode, with the exact CLI commands and Plesk UI paths to resolve each one.

💡 None of these worked? Skip the guesswork.

Get Expert Help →

Step 1: Read the Real Error Before Clicking "Retry"

The Plesk UI often shows a one-line error that truncates the actual Let's Encrypt response. The full ACME error is always in the Plesk mail log.

1Find the detailed error in the Plesk log

grep -i "letsencrypt\|acme\|certificate" /var/log/plesk/panel.log | tail -30

Common error strings and what they mean:

Authorization token can not be found — The ACME HTTP-01 challenge file is unreachable (firewall, redirect, or webroot mismatch)
SSLCertificateFile: file does not exist or is empty — nginx/Apache config references a cert path that no longer exists
The domain's DNS A/AAAA record does not point to the server — DNS propagation lag or wrong IP in the zone
too many certificates already issued — Let's Encrypt rate limit (5 certs per domain per week)
nginx is not installed or is disabled — Plesk requires nginx for forwarding-type hosting SSL

2Test the ACME challenge URL manually

TOKEN="testtoken123"
mkdir -p /var/www/vhosts/yourdomain.com/httpdocs/.well-known/acme-challenge/
echo "test" > /var/www/vhosts/yourdomain.com/httpdocs/.well-known/acme-challenge/$TOKEN
curl -v "http://yourdomain.com/.well-known/acme-challenge/$TOKEN"

If curl returns a 301 redirect to HTTPS, the challenge will fail — Let's Encrypt follows redirects but many misconfigured Plesk setups redirect all HTTP to HTTPS before serving the token.

1Remove the blanket HTTP-to-HTTPS redirect before issuing

In Plesk, go to Websites & Domains → yourdomain.com → Hosting Settings and temporarily uncheck Permanent SEO-safe 301 redirect from HTTP to HTTPS. Issue the certificate, then re-enable the redirect.

Alternatively, add an ACME challenge exception to your nginx vhost configuration:

location /.well-known/acme-challenge/ {
    root /var/www/vhosts/yourdomain.com/httpdocs;
    try_files $uri =404;
    allow all;
}

Place this block before the redirect rule and reload nginx: nginx -t && systemctl reload nginx

2Open port 80 inbound on the firewall

Let's Encrypt always uses port 80 for HTTP-01 validation, even if your site runs on 443 only. Check Plesk Firewall or the OS firewall:

# iptables / firewalld
firewall-cmd --list-ports | grep 80
# If missing:
firewall-cmd --permanent --add-port=80/tcp && firewall-cmd --reload

3Fix ACME webroot path mismatch

Plesk writes challenge tokens to the domain's document root. If the domain uses a custom document root (e.g., httpdocs/public), the Let's Encrypt extension may write to the wrong path. In Hosting Settings, verify the document root and ensure it matches where nginx serves files for the bare domain.

1Identify which cert path is missing

nginx -t 2>&1 | grep -i "does not exist\|no such file"
# or for Apache:
apachectl configtest 2>&1 | grep -i "SSLCertificateFile\|does not exist"

Note the full file path from the error output.

2Replace the missing cert with Plesk's default self-signed certificate temporarily

CERT_DIR="/etc/nginx/plesk.conf.d/vhosts"
MISSING_CERT="/path/from/error"

# Copy the default Plesk cert as a placeholder so nginx can start
cp /usr/local/psa/var/certificates/scf* "$MISSING_CERT" 2>/dev/null ||   cp /etc/plesk/default-ssl/default-ssl.pem "$MISSING_CERT"

nginx -t && systemctl restart nginx

Once nginx starts, you can reissue the correct Let's Encrypt certificate via Plesk.

3Reconfigure all vhosts to remove orphaned references

/usr/local/psa/admin/sbin/httpdmng --reconfigure-all
systemctl restart nginx
systemctl restart httpd  # or apache2

This regenerates all nginx and Apache vhost config files from Plesk's database, removing any stale certificate references.

1Check which certificate nginx is actually loading

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null   | openssl x509 -noout -dates -subject

Compare the subject CN and notAfter date against what Plesk shows in SSL/TLS Certificates.

2Set the correct default certificate in Plesk

Go to Tools & Settings → SSL/TLS Certificates (server level). If no default certificate is set, nginx uses the first cert it finds — which may not be yours. Select your Let's Encrypt cert and click Set Default. Restart nginx.

3Verify the vhost config references the right cert

grep -r "ssl_certificate " /etc/nginx/plesk.conf.d/vhosts/ | grep yourdomain

The path should point to the renewed Let's Encrypt cert, typically at /etc/letsencrypt/live/yourdomain.com/fullchain.pem or Plesk's cert store at /usr/local/psa/var/certificates/.

1Check and change the hosting type

Go to Websites & Domains → yourdomain.com → Hosting Settings. If the hosting type is set to "Forwarding", either:

Switch to "Website" hosting type temporarily, issue the cert, then switch back
Or enable nginx server-wide via Tools & Settings → Updates and reinstalling the nginx component

2Use DNS-01 challenge as an alternative

If you cannot expose port 80 (e.g., internal server or strict firewall), install the Let's Encrypt DNS validation extension in Plesk and use DNS-01 challenge. This validates ownership via a TXT record instead of an HTTP file — no port 80 required.

# Via Plesk CLI for DNS-01
/usr/local/psa/bin/extension --exec letsencrypt cli.php   --domains yourdomain.com,www.yourdomain.com   --email admin@yourdomain.com   --challenge dns-01

1Confirm nginx/Apache config is valid

nginx -t
apachectl configtest

2Verify the correct cert is now served

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null   | openssl x509 -noout -dates -subject -issuer | grep -E "CN|notAfter|Issuer"

The Issuer should show Let's Encrypt and notAfter should be ~90 days in the future.

3Check auto-renewal is scheduled

grep letsencrypt /etc/cron.d/* /var/spool/cron/root 2>/dev/null

Plesk's Let's Encrypt extension schedules auto-renewal via cron. If no cron entry exists, re-enable it in the extension settings under Domains → SSL/TLS → Let's Encrypt → Auto-renew.

Let's Encrypt failures in Plesk almost always trace back to one of five causes: ACME challenge blocked by a redirect, missing cert file crashing nginx, wrong default cert in the server block, incompatible hosting type, or a post-upgrade orphaned config. Work through the diagnostic steps above in order and you'll resolve the issue without needing to raise a support ticket. If you want Let's Encrypt auto-renewal managed proactively across multiple Plesk servers — with alerts before expiry rather than after — CloudHouse's managed server service handles certificate lifecycle as part of the standard SLA.

Get the Free Linux Server Admin Cheatsheet (PDF)

Essential commands for server management, networking, and troubleshooting — all on one printable page.

Running Linux servers? Let us manage them for you.

Our Managed Linux Server plans cover updates, security hardening, monitoring, and 24/7 incident response — so your servers stay up and your team stays focused.

Proactive OS patching and security updates
24×7 monitoring with instant alerting
Backup configuration and disaster recovery
Dedicated Linux engineers on call

See Pricing Plans →

What our customers say

“Our production server went down at 2 AM. CloudHouse had it back online in under 20 minutes. Incredible response time.”

Arun S.

CTO, SaaS Startup

“They migrated our entire infrastructure from Ubuntu 18 to 22 with zero downtime. Couldn't have asked for better.”

Deepak N.

DevOps Lead

Frequently Asked Questions

Auto-renewal fails most often because port 80 is blocked by a firewall change, a blanket HTTP-to-HTTPS redirect was added after the cert was issued, or the domain's DNS no longer points to the server. Check /var/log/plesk/panel.log for the exact ACME error, verify port 80 is open, and temporarily disable SEO redirects before the next renewal attempt.

Book your free 15-minute diagnosis

A certified technician will call you back within 15 minutes during business hours.

Share this article

Comments (0)

Loading comments...