Let’s Encrypt, Plesk and nginx: The authorization token is not available at X

When nginx is used with custom (rewrite) rules in Plesk, those rules can prevent the Let’s Encrypt authority from fetching the token file that Plesk provides automatically.

Detailed message:

Error: Could not issue a Let’s Encrypt SSL/TLS certificate for x.

The authorization token is not available at http://x/.well-known/acme-challenge/some_long_id.
To resolve the issue, make it is possible to download the token file via the above URL.
See the related Knowledge Base article for details.

To fix this kind of error, you’ll have to add another rule. For example:

location ~ /.well-known {
}

# your rewrite rules
location ~ / {
    #some rewrite rules
}

The important part is the .well-known location. The authority expects a token to be present in this directory. Plesk’s approach is quite simple: it creates such a directory and stores the token file in it. An empty location rule makes nginx look for this file in the directory specified by the root directive (Plesk sets this directive automatically to the vhost directory of the web space). Because nginx tests regex locations in the order in which they appear, the rule has to be placed before the rewrite rules.
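The following Python sketch is an added example, not part of the original post: it models how nginx picks a top-level location, to show why the empty .well-known rule takes the token request away from the rewrite block and why its position matters. The token id, the second test path and the tighter ^~ /.well-known/acme-challenge/ variant are assumptions made for illustration, and Python's re module stands in for nginx's PCRE.

```python
import re

def select_location(locations, uri):
    """Model of nginx location selection (top level only, no nesting).

    locations: (modifier, pattern) pairs in config order; modifier is "=",
    "^~", "" (plain prefix), "~" (regex) or "~*" (case-insensitive regex).
    Returns the pair nginx would choose, or None.
    """
    best_prefix = None
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)                    # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best_prefix is None or len(pat) > len(best_prefix[1]):
                best_prefix = (mod, pat)         # remember the longest prefix
    if best_prefix and best_prefix[0] == "^~":
        return best_prefix                       # ^~ suppresses the regex pass
    for mod, pat in locations:                   # regexes: first match in file order
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return (mod, pat)
    return best_prefix

TOKEN_URI = "/.well-known/acme-challenge/constructed-token-id"  # constructed sample
OTHER_URI = "/shop/xwell-known-offers"                          # constructed sample

ACME = ("~", "/.well-known")    # the empty location from the post
REWRITE = ("~", "/")            # the catch-all rewrite location from the post
SCOPED = ("^~", "/.well-known/acme-challenge/")  # assumption: tighter variant

def demo():
    return {
        "rewrite_only": select_location([REWRITE], TOKEN_URI),
        "acme_first": select_location([ACME, REWRITE], TOKEN_URI),
        "acme_last": select_location([REWRITE, ACME], TOKEN_URI),
        # the unescaped dot and missing anchor also catch unrelated paths
        "overmatch": select_location([ACME, REWRITE], OTHER_URI),
        "scoped_last": select_location([REWRITE, SCOPED], TOKEN_URI),
        "scoped_other": select_location([REWRITE, SCOPED], OTHER_URI),
    }

if __name__ == "__main__":
    for name, chosen in demo().items():
        print(f"{name:13} -> {chosen}")
```

The ^~ prefix form matches only the ACME challenge path and is chosen regardless of where it sits relative to the regex rewrite location.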

This approach makes it possible to renew the certificates automatically. By contrast, the Plesk wiki suggests temporarily removing all rules and renewing the certificates manually, which is simply too much work.
