Articles in this section

See more

Unable to issue Let's Encrypt certificate: cURL error 7: Failed to connect to

Avatar
Dinara Aspembitova
Updated
Follow

Applicable to:

  • Plesk for Linux

Symptoms

  • Unable to issue SSL certificate for any domain in Plesk with the error:

    PLESK_ERROR: Error: Let's Encrypt SSL certificate installation failed:
    Could not obtain directory: cURL error 7: Failed to connect to 2a02:26f0:f6:1ad::3d5: Network is unreachable (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

    or

    PLESK_ERROR: Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com.

    The authorization token is not available at http://www.example.com/.well-known/acme-challenge/d5HY-VkjaK2F588hOy6Ihy-fmCTm7zHic4eddiwEypU.
    To resolve the issue, make it is possible to download the token file via the above URL.
    See the related Knowledge Base article for details.
    Details
    Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/XbYK38LcHTbeIy2WiUABURH0DRaRPVq4BKU1CGIQdes.
    Details:
    Type: urn:acme:error:unauthorized
    Status: 403
    Detail: Invalid response from http://example.com/.well-known/acme-challenge/d5HY-VkjaK2F588hOy6Ihy-fmCTm7zHic4eddiwEypU

  • Output of the following command is empty:

    # lsmod | grep v6

  • IPv6 address is assigned to network interface:

    # ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 2001:db8:f61:a1ff:0:0:0:80 brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.2/24 brd 203.0.113.255 scope global eth0
    valid_lft forever preferred_lft forever

  • curl request via IPv4 executes successfully:

    # curl -v example.com
    * About to connect() to example.com port 80 (#0)
    * Trying 203.0.113.2... connected
    * Connected to example.com (203.0.113.2) port 80 (#0)
    > GET / HTTP/1.1
    > Host: example.com
    > Accept: */*
    < HTTP/1.1 200 OK

  • curl request via IPv6 fails:

    # curl -6 -v example.com
    * About to connect() to example.com port 80 (#0)
    * Trying  2001:db8:f61:a1ff:0:0:0:80... Connection timed out
    * couldn't connect to host
    * Closing connection #0
    curl: (7) couldn't connect to host

 

Cause

IPv6 kernel module is not loaded. Therefore Let's Encrypt can not validate domains, because IPv6 is preferred protocol.

Resolution

The solution has three options:

  • completely remove IPv6 addresses from the network interfaces in order to perform token validation through IPv4 only.
  • properly configure IPv6.
  • remove AAAA DNS record, ensure that DNS modifications propagated globally and install the certificate.

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles