
Resolving ACME errors when issuing an SSL certificate

When you switch on HTTPS for a virtual host, the BeAdmin control panel requests an SSL certificate from Let's Encrypt and adds it to the Nginx configuration. The request uses ACME — the public standard for automated certificate issuance.

To issue the certificate, Let's Encrypt has to confirm that you actually own the domain. Let's Encrypt sends a validation request to the domain from the public side — if DNS, Nginx, or the network ports are misconfigured, validation fails and the panel reports an error.

Enabling HTTPS

HTTPS is switched on with the «Use HTTPS (port 443)» toggle when you create or edit a virtual host — the panel requests the certificate right away. For details on the virtual host form, see "Nginx. Working with virtual hosts"; for how issuance is wired up and how to reissue manually, see "Issuing an SSL certificate". This article is a reference for specific error messages.

If the certificate cannot be issued, the panel shows a detailed error. Specific messages and what to do about them are listed below.

Error messages

The panel shows the messages below when issuance fails. For each one: what happened on the Let's Encrypt side and what to fix.

No DNS records for the domain

Failed to issue SSL certificate: DNS records for the domain not found.

Let's Encrypt did not find any DNS records for the domain name — either the domain is not delegated to your provider's DNS servers, or no records have been added yet.

What to do:

  1. Make sure the domain is delegated to the DNS servers of your registrar or provider.
  2. Create an A or AAAA record pointing to the server's IP address. For details on configuring DNS, see "Configure DNS records for the mail server" (the section on the A record applies to any website).
  3. Wait for the changes to propagate (usually a few minutes, sometimes up to an hour) and try issuing the certificate again.

Missing A or AAAA record

Failed to issue SSL certificate: A or AAAA DNS records for the domain not found.

The domain has some DNS records (for example, MX or TXT), but no A (IPv4) or AAAA (IPv6) record. Without them Let's Encrypt does not know which IP to reach the server at.

What to do:

  1. Add an A record with your server's IP address, or an AAAA record if you use IPv6.
  2. Wait for propagation and retry the issuance.

DNS pointing to another server

Failed to issue SSL certificate: DNS records point to another server.

An A or AAAA record exists, but it points to a server other than the one running BeAdmin. The Let's Encrypt request reached a different IP, and the ownership check failed.

What to do:

  1. Compare the server IP shown in the panel with the domain's A record.
  2. Correct the A record at your registrar or DNS provider. If the record is correct but was added recently, wait for propagation.
  3. If you use a proxy (for example, Cloudflare), disable proxying for the duration of the issuance — in Cloudflare, switch the cloud from orange to grey.
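
The three DNS errors above can be told apart before retrying. The following is an added example, not BeAdmin code: classify_dns and check_domain are hypothetical helpers, the addresses come from documentation ranges, and mapping NXDOMAIN to the "no DNS records" message is an assumption.

```shell
#!/bin/sh
# Added example (not BeAdmin code). classify_dns is a hypothetical helper.
# Usage: dig output on stdin | classify_dns RCODE SERVER_IP [SERVER_IP...]
classify_dns() {
    rcode=$1; shift
    # dig +short also prints CNAME targets ("name."); keep only IP addresses.
    addrs=$(grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$' || true)
    if [ "$rcode" = "NXDOMAIN" ]; then echo "no-dns-records"; return 0; fi
    if [ -z "$addrs" ]; then echo "no-address-record"; return 0; fi
    # Every published address must be this server: Let's Encrypt prefers IPv6
    # when an AAAA record exists, so one stale AAAA is enough to fail.
    for a in $addrs; do
        mine=no
        for ip in "$@"; do
            if [ "$a" = "$ip" ]; then mine=yes; fi
        done
        if [ "$mine" = no ]; then echo "points-elsewhere:$a"; return 0; fi
    done
    echo "ok"
}

# Live wrapper: needs dig and network access. IPv6 addresses are compared as
# text, so pass them in the compressed lowercase form dig prints.
check_domain() {
    domain=$1; shift
    rcode=$(dig +noall +comments A "$domain" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    { dig +short A "$domain"; dig +short AAAA "$domain"; } | classify_dns "$rcode" "$@"
}

# Constructed sample: correct A record, stale AAAA record (documentation ranges).
printf '203.0.113.10\n2001:db8::dead\n' | classify_dns NOERROR 203.0.113.10 2001:db8::10
```

With a proxy such as Cloudflare enabled, the published addresses belong to the proxy, so the result is points-elsewhere even though the origin is correct.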

Redirect loop during validation

Failed to issue SSL certificate: redirect loop when verifying domain ownership.

The server replies to Let's Encrypt with a chain of redirects that loops. Most often this happens when Nginx redirects HTTP to HTTPS but no HTTPS certificate exists yet — Let's Encrypt cannot complete the check over http://.

What to do:

  1. Temporarily remove the forced HTTP-to-HTTPS redirect on the site or CMS side.
  2. Wait for the certificate to be issued, then put the redirect back.
  3. If the redirect comes from a CDN or external proxy, disable it during issuance.

Let's Encrypt rate limit exceeded

Too many SSL certificate requests.

Too many SSL certificate requests, next attempt available in {diff} ({human}).

Let's Encrypt limits the number of certificates per domain per week — the limit is shared across the domain and its subdomains. Most often this is hit after several issuance attempts in a row without fixing the underlying problem.

What to do:

  1. Wait for the limit to reset. If a specific time is shown in the message, follow it; otherwise wait up to 7 days.
  2. Before retrying, make sure DNS, port 80, and redirects are configured correctly — another failure restarts the timer.
  3. If the site needs HTTPS urgently, temporarily use a certificate from a different certificate authority or switch the site to HTTP.

Port 80 closed or busy

Failed to issue SSL certificate: port 80 on the server is closed or used by another service.

Let's Encrypt confirms domain ownership with the ACME HTTP-01 challenge: it sends a validation request to the server on port 80. If that port is blocked by a firewall, occupied by another process, or redirected, the check fails.

What to do:

  1. Open port 80 in the server firewall and at the hosting provider.
  2. Make sure Nginx listens on port 80 — this is the default behaviour of BeAdmin.
  3. If another service is running on port 80, free it up — Nginx needs the port for the duration of the issuance.

Validation timeout

Failed to issue SSL certificate: Let's Encrypt did not receive a response from the server within the allowed time.

The Let's Encrypt request reached the server, but the server did not reply within the allowed time — typical for an overloaded server, slow network, or external routing problem.

What to do:

  1. Wait a few minutes and retry the issuance.
  2. Check whether the server responds over HTTP from another machine — for example, with curl http://yourdomain.com/.well-known/acme-challenge/test.
  3. If the problem persists, contact your hosting provider.

Invalid validation response

Failed to issue SSL certificate: the server returned an invalid response when verifying domain ownership.

The server replied to Let's Encrypt, but the response did not contain the expected content. Most often this happens when the virtual host intercepts requests to /.well-known/acme-challenge/, for example through WordPress, a CMS router, or a catch-all "location /" block.

What to do:

  1. Make sure the virtual host was created in BeAdmin through the standard form — the panel adds the required ACME location automatically.
  2. If you added custom rules to the Nginx config, make sure they do not block /.well-known/acme-challenge/.
  3. Disable any CMS security plugins that intercept unknown URLs.
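
The redirect loop, port 80, timeout and invalid response errors can be separated with one external probe of the challenge path. The following is an added example, not BeAdmin code: classify_probe and probe_http01 are hypothetical names, the status-code rules are heuristics, and the probe path is the one from the curl command above.

```shell
#!/bin/sh
# Added example (not BeAdmin code). classify_probe and probe_http01 are hypothetical.
# classify_probe CURL_EXIT HTTP_CODE TIME_CONNECT FINAL_URL
classify_probe() {
    rc=$1; code=$2; t_connect=$3; final_url=$4
    case $rc in
        0)  ;;
        6)  echo "dns-not-resolving"; return 0 ;;
        7)  echo "port-80-refused"; return 0 ;;    # nothing listening, or firewall reject
        47) echo "redirect-loop"; return 0 ;;      # redirect limit exceeded
        28) # A timeout before the TCP handshake finished means packets to port 80
            # are dropped; after it, the server accepted the request but was slow.
            if [ -z "$(printf %s "$t_connect" | tr -d '0.,')" ]; then
                echo "port-80-filtered"
            else
                echo "server-timeout"
            fi
            return 0 ;;
        *)  echo "curl-error-$rc"; return 0 ;;
    esac
    # The request completed. If redirects led away from the challenge path,
    # something in front of the ACME location is rewriting the request.
    case $final_url in
        */.well-known/acme-challenge/*) ;;
        *) echo "challenge-path-rewritten"; return 0 ;;
    esac
    case $code in
        200|404) echo "reachable" ;;   # 404 is expected: the probe file does not exist
        401|403) echo "challenge-path-blocked" ;;
        *)       echo "unexpected-status-$code" ;;
    esac
}

# Live wrapper: run it from a machine outside your network.
probe_http01() {
    out=$(curl -s -o /dev/null -L --max-redirs 10 --connect-timeout 5 --max-time 15 \
        -w '%{http_code} %{time_connect} %{url_effective}' \
        "http://$1/.well-known/acme-challenge/test")
    rc=$?
    set -- $out
    classify_probe "$rc" "$1" "$2" "$3"
}

# Constructed sample: curl timed out (exit 28) after connecting in 41 ms.
classify_probe 28 000 0.041200 "http://example.com/.well-known/acme-challenge/test"
```

A result of reachable only shows that the path answers without a loop or a block; it does not prove that the challenge content served during issuance is correct.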

CAA record blocking

Failed to issue SSL certificate: a CAA record on the domain forbids issuance via Let's Encrypt.

The domain has a CAA record that limits the list of certificate authorities allowed to issue certificates. If Let's Encrypt is not on that list, issuance is blocked at the DNS level.

What to do:

  1. Check the domain's CAA records — for example, with dig +short CAA yourdomain.com.
  2. Add a CAA record that allows letsencrypt.org, or remove the limiting records if you do not need them.
  3. Wait for propagation and retry the issuance.
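
Reading the dig output by eye misses several cases: records that only report (iodef), an empty issuer, a validation-method restriction, and a record inherited from a parent domain. The following is an added example, not BeAdmin code: caa_allows and relevant_caa are hypothetical names and the sample records are constructed.

```shell
#!/bin/sh
# Added example (not BeAdmin code). caa_allows and relevant_caa are hypothetical names.
# Usage: `dig +short CAA` output on stdin | caa_allows letsencrypt.org
caa_allows() {
    awk -v ca="$1" '
    $1 ~ /^[0-9]+$/ && NF >= 3 {          # skip CNAME lines that dig +short prints
        tag = tolower($2)
        val = $0; sub(/^[0-9]+ +[^ ]+ +/, "", val); gsub(/"/, "", val)
        n = split(val, part, ";")         # issuer domain, then optional parameters
        issuer = tolower(part[1]); gsub(/[ \t]/, "", issuer)
        if (tag == "issue") {
            restricted = 1                # any issue record turns the allow-list on
            usable = (issuer == ca)       # issue ";" has an empty issuer: nobody
            for (i = 2; i <= n; i++) {
                p = part[i]; gsub(/[ \t]/, "", p)
                if (p ~ /^validationmethods=/ && ("," substr(p, 19) ",") !~ /,http-01,/)
                    usable = 0            # record permits the CA, but not over HTTP-01
            }
            if (usable) ok = 1
        } else if (tag != "issuewild" && tag != "iodef" && $1 + 0 >= 128)
            critical = 1                  # unknown property with the critical bit set
    }
    END {
        if (critical)                print "blocked: unrecognized critical property"
        else if (restricted && !ok)  print "blocked: no issue record permits " ca " over http-01"
        else                         print "allowed"
    }'
}

# Live wrapper: CAs use the first non-empty CAA set found while climbing from the
# name toward the root (RFC 8659), so a parent domain record can block a subdomain.
relevant_caa() {
    name=$1
    while [ -n "$name" ]; do
        out=$(dig +short CAA "$name")
        if [ -n "$out" ]; then printf '%s\n' "$out"; return 0; fi
        case $name in *.*) name=${name#*.} ;; *) name= ;; esac
    done
}

# Constructed sample: only another CA is authorized.
printf '0 issue "ca.example.net"\n0 iodef "mailto:sec@example.com"\n' | caa_allows letsencrypt.org
```

On a live system the two combine as relevant_caa yourdomain.com | caa_allows letsencrypt.org.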

Other Let's Encrypt error

Failed to issue SSL certificate due to Let's Encrypt error.

Let's Encrypt returned an error that the panel does not yet have a dedicated handler for. The message shows generic text; the detailed description is available in the server logs.

What to do:

  1. Open the BeAdmin log — the exact text of the error from Let's Encrypt helps identify the cause.
  2. Compare the message with the current Let's Encrypt status — sometimes the failure is caused by CA unavailability rather than your server.
  3. If you cannot resolve the problem, contact support and attach the text from the log.

BeAdmin © 2025. All rights reserved.