Applicable to:
- Plesk for Linux
Symptoms
- Unable to issue SSL certificate for any domain in Plesk with the error:
PLESK_ERROR: Error: Let's Encrypt SSL certificate installation failed: Could not obtain directory: cURL error 7: Failed to connect to 2a02:26f0:f6:1ad::3d5: Network is unreachable (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)
or
PLESK_ERROR: Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com.
The authorization token is not available at http://www.example.com/.well-known/acme-challenge/d5HY-VkjaK2F588hOy6Ihy-fmCTm7zHic4eddiwEypU.
To resolve the issue, make it is possible to download the token file via the above URL.
See the related Knowledge Base article for details.
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/XbYK38LcHTbeIy2WiUABURH0DRaRPVq4BKU1CGIQdes.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Detail: Invalid response from http://example.com/.well-known/acme-challenge/d5HY-VkjaK2F588hOy6Ihy-fmCTm7zHic4eddiwEypU
- Output of the following command is empty:
# lsmod | grep v6
- IPv6 address is assigned to network interface:
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 2001:db8:f61:a1ff:0:0:0:80 brd ff:ff:ff:ff:ff:ff
inet 203.0.113.2/24 brd 203.0.113.255 scope global eth0
valid_lft forever preferred_lft forever
- curl request via IPv4 executes successfully:
# curl -v example.com
* About to connect() to example.com port 80 (#0)
* Trying 203.0.113.2... connected
* Connected to example.com (203.0.113.2) port 80 (#0)
> GET / HTTP/1.1
> Host: example.com
> Accept: */*
< HTTP/1.1 200 OK
- curl request via IPv6 fails:
# curl -6 -v example.com
* About to connect() to example.com port 80 (#0)
* Trying 2001:db8:f61:a1ff:0:0:0:80... Connection timed out
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host
Cause
The IPv6 kernel module is not loaded. As a result, Let's Encrypt cannot validate domains, because IPv6 is the preferred protocol.
Resolution
There are three ways to resolve the issue:
- Completely remove the IPv6 addresses from the network interfaces, so that token validation is performed over IPv4 only.
- Properly configure IPv6.
- Remove the AAAA DNS record, make sure that the DNS change has propagated globally, and install the certificate.
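The checks from the Symptoms section can be combined into one pre-flight script to run on the server before requesting a certificate. This is an added example, not part of the original article or of Plesk; it assumes `dig` and `curl` are installed, and the function names `diagnose`, `yn` and `check_domain` are illustrative.

```shell
#!/bin/sh
# Added example, not part of the Plesk article. Assumes dig and curl are
# installed; diagnose, yn and check_domain are illustrative names.

# Decision logic only: diagnose AAAA V6MOD HTTP4 HTTP6 (each "yes" or "no").
diagnose() {
    case "$1:$2:$3:$4" in
        no:*:yes:*)   echo ok-ipv4-only ;;        # no AAAA record: validation uses IPv4
        no:*:no:*)    echo ipv4-unreachable ;;    # a different problem from this article
        yes:*:*:yes)  echo ok-ipv6 ;;             # AAAA record and port 80 answers over IPv6
        yes:no:*:no)  echo ipv6-module-missing ;; # the cause described in this article
        yes:yes:*:no) echo ipv6-unreachable ;;    # module loaded; check address, route, firewall
        *)            echo bad-input ;;
    esac
}

# Run a command quietly and report its success as yes/no.
yn() { if "$@" >/dev/null 2>&1; then echo yes; else echo no; fi; }

check_domain() {
    domain=$1
    # An AAAA answer contains ':'; CNAME targets printed by dig do not.
    aaaa=$(yn sh -c 'dig +short AAAA "$1" | grep -q :' _ "$domain")
    # Same check as "lsmod | grep v6"; /proc/net/if_inet6 covers built-in IPv6.
    v6mod=$(yn sh -c 'lsmod | grep -q v6 || [ -e /proc/net/if_inet6 ]')
    http4=$(yn curl -4 -s -o /dev/null --max-time 10 "http://$domain/")
    http6=$(yn curl -6 -s -o /dev/null --max-time 10 "http://$domain/")
    verdict=$(diagnose "$aaaa" "$v6mod" "$http4" "$http6")
    echo "$domain: AAAA=$aaaa ipv6_module=$v6mod http_v4=$http4 http_v6=$http6 -> $verdict"
    case "$verdict" in ok-*) return 0 ;; *) return 1 ;; esac
}

# Usage: sh check.sh example.com   (non-zero exit means a problem was found)
if [ $# -gt 0 ]; then check_domain "$1"; fi
```

A local `curl -6` success shows only that the server can reach itself over IPv6; repeating the request from an external IPv6-capable host confirms what the validation server will see.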