Plesk SSL Certificate Won’t Install or Renew: How to Fix It

SSL certificate issues in Plesk fall into two categories: certificates that fail to install initially, and Let’s Encrypt certificates that fail to auto-renew. Both are common, and both have a defined set of causes. This guide covers the most frequent errors — from DNS misconfigurations and firewall blocks to private key mismatches and mixed content warnings — and how to resolve each one methodically.

Let’s Encrypt Installation Fails

The most common reason a Let’s Encrypt certificate fails to issue is that the domain’s DNS has not yet propagated to point at the server, or a firewall rule is blocking port 80. Let’s Encrypt uses the ACME HTTP-01 challenge to verify domain ownership: it makes an HTTP request on port 80 to a temporary file under /.well-known/acme-challenge/ on your domain. If that request cannot reach your server, the challenge fails and no certificate is issued.

Work through the following checklist before attempting to re-issue:

  1. Confirm the domain’s A record points to this server’s IP address. Use dig yourdomain.com A +short or an online DNS lookup tool. If the IP returned does not match the server, the certificate cannot be issued until DNS propagates — this can take up to 48 hours with some registrars, though typically it is much faster.
  2. Confirm port 80 is open in the server firewall. In Plesk, go to Tools & Settings → Firewall and verify that incoming TCP traffic on port 80 is permitted. If you are using an external firewall or a cloud provider’s security group, check there too.
  3. Check for .htaccess redirects that send HTTP traffic to HTTPS before the ACME challenge completes. If your .htaccess file contains a blanket redirect from HTTP to HTTPS, Let’s Encrypt’s HTTP challenge request will be redirected and may fail. Temporarily remove or comment out the redirect rule, re-issue the certificate, then restore the redirect once the certificate is in place.
  4. Re-issue the certificate in Plesk. Navigate to Websites & Domains → your domain → SSL/TLS Certificates → Let’s Encrypt, then click the re-issue or install button. Plesk will attempt the ACME challenge again and report any error in the interface.
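A quick way to find the redirect described in step 3 before re-issuing, as an added example that is not part of the original article: a heuristic scan that lists HTTP-to-HTTPS rewrite rules with no exception for the challenge path. The function name, both constructed .htaccess samples and the exception rule in the second sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example: list HTTP->HTTPS redirect rules in an .htaccess file that have no
# exception for the ACME challenge path (heuristic line scan, not a mod_rewrite parser).

# Prints "LINE: rule" for each unguarded redirect; returns 0 if any were found, 1 if none.
unguarded_https_redirects() {   # $1 = path to .htaccess
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }                               # skip comment lines
        tolower(line) ~ /^rewritecond[ \t]/ {              # conditions guard the next rule
            if (line ~ /acme-challenge/) exempt = 1
            next
        }
        tolower(line) ~ /^rewriterule[ \t]/ {
            split(line, part, /[ \t]+/)                    # part[3] is the substitution
            if (part[3] ~ /^https:\/\// && !exempt) { print NR ": " line; found = 1 }
            exempt = 0                                     # conditions do not carry over
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

# Constructed sample 1: the blanket redirect described in step 3.
cat > "$work/blanket.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF

# Constructed sample 2: the same redirect with an exception for the challenge directory
# (an assumed alternative to removing the rule temporarily; not from the article).
cat > "$work/exempt.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF

unguarded_https_redirects "$work/blanket.htaccess" || true   # reports the rule on line 3
unguarded_https_redirects "$work/exempt.htaccess"  || true   # reports nothing
```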

If the error message references a rate limit, note that Let’s Encrypt enforces a limit of five failed validation attempts per hour per domain. If you have repeatedly attempted and failed, wait at least an hour before trying again.

Let’s Encrypt Renewal Fails

Let’s Encrypt certificates are valid for 90 days. Plesk handles automatic renewal in the background and will send an email notification if renewal fails. The renewal process uses the same ACME challenge as initial issuance, so the causes of failure are similar.

Common causes of renewal failure include:

  • The domain’s DNS has changed and no longer points to this server — for example after a migration or a nameserver update.
  • Port 80 or port 443 has been blocked by a firewall rule change.
  • The domain has been removed from Plesk but the renewal job is still associated with a certificate on record.

To resolve: address the underlying DNS or firewall issue first, then manually trigger renewal in Plesk. Go to Websites & Domains → your domain → SSL/TLS Certificates, select the certificate, and click Renew. You can also check the Let’s Encrypt renewal log on the server at /var/log/plesk/panel.log — search for letsencrypt entries to find the specific error message returned by the ACME server.

Custom Certificate Install Error: Private Key Mismatch

When installing a certificate obtained from a commercial certificate authority, a common error is a message stating that the certificate does not match the private key. This means the certificate file you are pasting was not issued against the CSR (Certificate Signing Request) that was generated on this server — or the private key has been lost or overwritten.

To resolve this:

  1. In Plesk, go to Websites & Domains → your domain → SSL/TLS Certificates → Add SSL/TLS Certificate.
  2. Generate a new CSR directly in Plesk by filling in the certificate details and clicking Request. Plesk generates a new private key and CSR simultaneously and stores the private key.
  3. Copy the CSR text and submit it to your certificate authority to obtain a new certificate.
  4. Once the CA returns the signed certificate, paste it into the certificate field in Plesk alongside any intermediate/chain certificate provided.

Never reuse a CSR or private key from a different server. Each CSR and its corresponding private key must be generated together on the same server where the certificate will be installed. Importing a private key generated elsewhere is possible but increases the risk of key exposure during transit.
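One way to confirm a mismatch from the command line before pasting anything into Plesk, as an added example that is not part of the original article: compare the public key embedded in the certificate, the private key and the CSR. The function names and the throwaway files generated in a temporary directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example: check that a certificate, private key and CSR share one public key.

# Print the SHA-256 digest of the public key held in a PEM file; return 2 if unreadable.
pubkey_digest() {   # $1 = cert | key | csr, $2 = file
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    pem= ;;
    esac
    [ -n "$pem" ] || return 2          # never hash empty output: two failures would "match"
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 if every file carries the same public key, 1 on mismatch, 2 if a file is unreadable.
same_keypair() {   # usage: same_keypair cert FILE key FILE [csr FILE]
    ref=
    while [ $# -ge 2 ]; do
        d=$(pubkey_digest "$1" "$2") || return 2
        if [ -z "$ref" ]; then ref=$d; fi
        [ "$d" = "$ref" ] || return 1
        shift 2
    done
    return 0
}

# Constructed sample material: key A with its CSR and a self-signed certificate,
# plus an unrelated key B standing in for a key that was lost or overwritten.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$demo/a.key" -out "$demo/a.crt" 2>/dev/null
openssl req -new -key "$demo/a.key" -subj "/CN=example.test" -out "$demo/a.csr" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$demo/b.key" 2>/dev/null

if same_keypair cert "$demo/a.crt" key "$demo/a.key" csr "$demo/a.csr"; then
    echo "a.crt, a.key and a.csr belong together"
fi
if ! same_keypair cert "$demo/a.crt" key "$demo/b.key"; then
    echo "a.crt was not issued for b.key"
fi
```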

Certificate Installed But Browser Still Shows Not Secure

If Plesk shows the certificate as installed and valid but the browser still displays a “Not Secure” warning or a padlock with an error, the most likely cause is mixed content. This occurs when the page itself loads over HTTPS, but one or more resources — images, scripts, stylesheets, or iframes — are still referenced with http:// URLs. The browser blocks or flags these insecure resources even though the page certificate is valid.

To diagnose, open the browser’s developer tools, go to the Console tab, and look for mixed content warnings. They will identify the specific URLs causing the problem.

For WordPress sites, the most straightforward fix is to install the Really Simple SSL plugin, which handles the site URL update and replaces insecure references automatically. Alternatively, update the WordPress Address and Site Address to HTTPS under Settings → General, then run a database search-replace to update stored URLs:

wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --skip-columns=guid --allow-root

Run this via WP-CLI on the server. Always take a database backup before running a search-replace.

Hostname Certificate for the Plesk Panel Itself

The Plesk control panel is accessed on port 8443 and uses a separate certificate assigned to the server hostname — not to any individual domain. If you see a “Your connection is not private” warning when logging in to Plesk, this certificate is either self-signed, expired, or missing.

To assign a valid certificate to the Plesk panel:

  1. Go to Tools & Settings → SSL/TLS Certificates.
  2. If the server hostname resolves to this server’s IP address, you can issue a Let’s Encrypt certificate for it directly from this screen.
  3. Once issued, select the certificate and click Secure Plesk (or assign it to the mail server and panel as appropriate).

Note that if your server hostname is a subdomain managed through Plesk, the domain subscription must exist in Plesk and the hostname’s DNS must resolve correctly before Let’s Encrypt can issue a certificate for it.

Checking Certificate Expiry

To check when a certificate expires within Plesk, go to Websites & Domains → your domain → SSL/TLS Certificates. The expiry date is displayed alongside the certificate details.

To check expiry from the command line without logging in to Plesk, run:

openssl s_client -connect yourdomain.com:443 < /dev/null 2>/dev/null | openssl x509 -noout -dates

This connects to the live certificate on port 443 and outputs the notBefore and notAfter dates. It is useful for verifying that the certificate Plesk believes is installed is actually the one being served — occasionally a server restart is needed after a certificate change for the new certificate to be picked up by Apache or Nginx.

If you manage multiple domains, it is worth setting a calendar reminder or using a monitoring tool to alert you before certificates expire. Plesk’s own notification emails are sent when renewal fails, not in advance of expiry, so proactive monitoring avoids last-minute failures on production sites.
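A minimal form of that proactive check, as an added example that is not part of the original article: flag any certificate that expires within a chosen number of days. The function names, the 30-day threshold and the constructed self-signed certificates are assumptions; `fetch_cert` shows how a live certificate would be pulled for the same check.

```shell
#!/bin/sh
# Added example: warn before a certificate expires instead of after renewal has failed.

# Print the PEM certificate a host serves. -servername sends SNI so a server hosting
# several sites on one IP returns the certificate for this hostname, not its default.
fetch_cert() {   # $1 = hostname, $2 = port (default 443)
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM 2>/dev/null
}

# 0 = valid for more than $2 days, 1 = expires within $2 days (or already expired),
# 2 = file does not contain a readable certificate.
expiry_status() {   # $1 = PEM file, $2 = threshold in days
    openssl x509 -in "$1" -noout 2>/dev/null || return 2
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1 && return 0
    return 1
}

# Print one line per problem certificate; the return value is the number flagged.
report_expiring() {   # $1 = threshold in days, remaining args = PEM files
    days=$1; shift; flagged=0
    for f in "$@"; do
        rc=0; expiry_status "$f" "$days" || rc=$?
        case "$rc" in
            0) ;;
            1) echo "WARN  $f: $(openssl x509 -in "$f" -noout -enddate)"
               flagged=$((flagged + 1)) ;;
            *) echo "ERROR $f: no readable certificate"
               flagged=$((flagged + 1)) ;;
        esac
    done
    return "$flagged"
}

# Constructed sample certificates: one valid for 5 days, one for 90 (self-signed, throwaway keys).
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
for d in 5 90; do
    openssl req -x509 -newkey rsa:2048 -nodes -days "$d" -subj "/CN=demo-$d.test" \
        -keyout "$work/$d.key" -out "$work/$d.crt" 2>/dev/null
done

report_expiring 30 "$work/5.crt" "$work/90.crt" || true   # flags only 5.crt

# Live use: fetch_cert yourdomain.com > "$work/live.pem" && report_expiring 30 "$work/live.pem"
```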
