Articles in this section

See more

Unable to issue Let's Encrypt certificate in Plesk: cURL error 7: Failed to connect to

Avatar
Alexandr Zubtsovsky
Updated
Follow

Applicable to:

  • Plesk for Linux

Symptoms

  • Unable to issue SSL certificate for any domain in Plesk with the error:

    PLESK_ERROR: Error: Let's Encrypt SSL certificate installation failed:
    Could not obtain directory: cURL error 7: Failed to connect to 2a02:26f0:f6:1ad::3d5: Network is unreachable (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

  • Output of lsmod command shows that IPv6 modules are not loaded:

    # lsmod | grep v6

  • IPv6 address is assigned to network interface:

    # ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 2001:db8:f61:a1ff:0:0:0:80 brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.2/24 brd 203.0.113.255 scope global eth0
    valid_lft forever preferred_lft forever

  • curl request via IPv4 executes successfully:

    # curl -v example.com
    * About to connect() to example.com port 80 (#0)
    * Trying 203.0.113.2... connected
    * Connected to example.com (203.0.113.2) port 80 (#0)
    > GET / HTTP/1.1
    > Host: example.com
    > Accept: */*
    < HTTP/1.1 200 OK

  • curl request via IPv6 fails:

    # curl -6 -v example.com
    * About to connect() to example.com port 80 (#0)
    * Trying  2001:db8:f61:a1ff:0:0:0:80... Connection timed out
    * couldn't connect to host
    * Closing connection #0
    curl: (7) couldn't connect to host

Cause

IPv6 kernel module is not loaded. Therefore Let's Encrypt can not validate domains, because IPv6 is preferred protocol.

Resolution

There are three solutions:

  1. Completely remove IPv6 addresses from the network interfaces in order to perform token validation through IPv4 only. Open Plesk > Tools & Settings > IP addresses  and remove IPv6 address from the server. If IPv6 address is not present in list press Reread button.
  2. Remove AAAA DNS record (record for IPv6), ensure that DNS modifications propagated globally and install the certificate.
  3. Configure kernel to work with IPv6 (3rd party guide).

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles