If you see an automated notice like “Could not issue/renew Let’s Encrypt certificates …”, it means Plesk could not validate your domain and therefore could not issue or renew a free Let’s Encrypt SSL certificate.
This checklist is written for GARMTECH Web Hosting (Plesk). In most cases the cause is a DNS or validation issue (not a server outage).
1) Confirm the domain points to the correct server
Let’s Encrypt validation must reach the same hosting server where you request the certificate.
- If your domain uses GARMTECH nameservers (ns1.garmtech.com, ns2.garmtech.com, ns3.garmtech.com): DNS is usually managed in Plesk (Plesk → Websites & Domains → DNS Settings).
- If your domain uses external nameservers (for example Cloudflare): any DNS changes you make in Plesk will not apply. You must check the A/AAAA/CNAME records at your external DNS provider.
What to check:
- The domain (and www if you include it) resolves to your GARMTECH hosting server IP.
- If you recently changed nameservers or DNS records, allow time for DNS propagation (often minutes, sometimes up to 24 hours depending on TTL and caching).
2) Make sure HTTP validation is not blocked
By default, Plesk uses the Let’s Encrypt HTTP-01 challenge. The validation request must be able to reach your website on port 80.
- Temporarily disable “maintenance mode” plugins/pages that block unknown visitors.
- If you restrict access by IP, make sure the path /.well-known/acme-challenge/ is not blocked.
- If you have aggressive redirects, ensure http://your-domain.tld does not redirect to a different domain or a broken URL.
Cloudflare note: If your DNS is behind Cloudflare and the DNS record is “proxied”, certificate issuance in Plesk may fail depending on your Cloudflare SSL mode and redirect rules. For troubleshooting, temporarily switch the affected record to DNS only, issue the certificate in Plesk, then restore your preferred Cloudflare settings.
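An added example (not part of the original checklist, and not Plesk's own code): a Python pre-flight for steps 1 and 2 that compares every A/AAAA address for the domain with the hosting server's IPs and requests the challenge path on port 80 without following redirects. The token name is constructed, and the domain and server IP(s) are passed as command-line arguments, for example: python3 preflight.py example.com 203.0.113.10

```python
import http.client
import socket
import sys
from urllib.parse import urlsplit

# Constructed token name; a 404 for it is fine, it only shows the path is reachable.
CHALLENGE_PATH = "/.well-known/acme-challenge/preflight-test"

def resolve(host):
    """A/AAAA addresses the local resolver returns for host."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def probe(host, timeout=10):
    """GET the challenge path on port 80 without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def _base(name):  # example.com and www.example.com count as the same site
    return name.lower().removeprefix("www.")

def evaluate(host, server_ips, addresses, status, location):
    """Map observations to the failure causes listed in steps 1 and 2."""
    problems = []
    stray = [a for a in addresses if a not in server_ips]
    if stray or not addresses:
        problems.append(f"DNS: {host} resolves to {stray or 'nothing'}, not the hosting server")
    if status in (401, 403):
        problems.append(f"HTTP: challenge path blocked (status {status})")
    elif status >= 500:
        problems.append(f"HTTP: server error {status}, e.g. a maintenance page")
    elif status in (301, 302, 303, 307, 308) and location:
        target = urlsplit(location).hostname  # None for a relative redirect
        if target and _base(target) != _base(host):
            problems.append(f"HTTP: redirects to a different domain ({target})")
    return problems

if __name__ == "__main__":
    host, server_ips = sys.argv[1], set(sys.argv[2:])  # domain, then server IP(s)
    try:
        addresses = resolve(host)
        status, location = probe(host)
    except (OSError, http.client.HTTPException) as exc:
        sys.exit(f"FAIL: {host} not resolvable or port 80 unreachable: {exc}")
    print("\n".join(evaluate(host, server_ips, addresses, status, location) or ["OK"]))
```

The script reports what your local resolver and network see, which can differ from what Let’s Encrypt sees while DNS changes are still propagating.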
3) Check what exactly failed in Plesk
- Log in to My.GARMTECH and open your hosting service.
- Click Login to Plesk.
- In Plesk, open Websites & Domains → choose the affected domain.
- Open SSL/TLS Certificates (or Let’s Encrypt if shown as a separate item).
- Click Reissue / Renew and read the full error message.
The exact text matters. Common examples include:
- DNS problem (domain points elsewhere, wrong nameservers, old cached records).
- Timeout / connection refused (port 80 blocked by a firewall/network rule, or website is not reachable).
- Unauthorized / incorrect TXT (common with wildcard certificates or when external DNS is used).
4) Wildcard certificates require a DNS TXT record
If you request a wildcard certificate (for example *.example.com), Let’s Encrypt requires a DNS-01 challenge. Plesk will show a TXT record that must exist in the domain’s authoritative DNS:
_acme-challenge.example.com TXT "..."
- If your authoritative DNS is in Plesk (GARMTECH nameservers), add/confirm the TXT record in Plesk → DNS Settings.
- If your authoritative DNS is external, add the TXT record at the external DNS provider (adding it only in Plesk is not enough).
Tip: If Plesk reports an “incorrect TXT record”, remove old _acme-challenge records and keep only the one currently requested by Plesk.
5) Try a clean reissue (safe reset)
- In Plesk → SSL/TLS Certificates, select the existing Let’s Encrypt certificate and use Reissue.
- If you recently changed DNS, wait for the change to propagate and reissue again.
What to collect if the problem persists
When escalating the issue, the following details help identify the cause quickly:
- Domain name(s) included in the certificate (example.com, www, wildcard, etc.).
- The exact error text from Plesk (copy/paste).
- Whether your domain uses GARMTECH nameservers or external DNS.
- Whether Cloudflare (or another reverse proxy/CDN) is enabled.
- When you last changed DNS (approximate time and time zone).