Unable to issue Let's Encrypt certificate in Plesk: "Timeout during connect (likely firewall problem)" OR "Error getting validation data"


  • Richard Rudy

    I'm getting this error even though the port is showing as open and all other domains on the same machine can renew their certificate 

  • Ivan Postnikov

    Hello @Richard,

    In this case, the most probable cause of such behavior is 301/302 redirect configured for this website.

    Please, try this:

    If 301 redirect is enabled:

    Go to Domains > example.com > Hosting Settings and perform the following steps:

    • Set Preferred domain to none.

    • Uncheck the option Permanent SEO-safe 301 redirect from HTTP to HTTPS.

    • Issue a Let's Encrypt certificate in Domains > example.com > Let's Encrypt.

    If 302 redirect is enabled:

    Go to Domains > example.com > Hosting Settings and perform the following steps:

    • Turn off domain forwarding by changing Hosting type to Hosting.

    • Issue a Let's Encrypt certificate in Domains > example.com > Let's Encrypt.

    In case this does not help, inspect website code and website configuration for hardcoded redirects.

  • Richard Rudy

    301 and 302 redirects are off. I even tried creating a new subscription to ensure no extra code was creating errors with the redirect.

  • Maxim Krasikov

    Hello @Richard,

    Please contact Plesk technical support for assistance:
    https://support.plesk.com/hc/en-us/requests/new

  • TomBob

    What was the solution?

    Got same problem. File under .well-known/acme-challenge/somerandomcharacters is being created and shows when visited in a browser.

  • Alisa Kasyanova

    @TomBob
    Make sure that ports 80 and 443 are open on both IPv4 and IPv6. Your domain may resolve to IPv6 even if an IPv6 address is not assigned to it in Plesk, so please check it using, for example, https://mxtoolbox.com/SuperTool.aspx
    In case further help is required, do not hesitate to submit a request to support as per https://support.plesk.com/hc/en-us/articles/213608509-How-to-submit-a-request-to-Plesk-support-

  • TomBob

    Perfect pointer, thanks.

    https://ipv6-test.com/validate.php showed indeed that the IPv6 server is not available.

    After checking all the above very carefully again, it turned out that the IPv6 address on the external DNS was indeed incorrect. For reasons unknown it had changed by two characters in the fourth group: :111: had changed into :10e:. It had slipped my sight when checking the IPv6 address before.

  • Ven Bili (edited)

    The only way for me to solve this is to uncheck "Permanent SEO-safe 301 redirect from HTTP to HTTPS", to reissue the certificate, to change _acme-challenge in the TXT DNS record, because Let's Encrypt changes it, and to turn on SEO-301 again.
    But unfortunately this is very annoying to do every 2 months on about 30 domains.
    Are there any other ways to solve this problem?

    My example:

    Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
    Details
    Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/jpWC5v8I9nYFohMvPKh90AOOwOrqSIxh6ikM1QZE0CU.
    Details:
    Type: urn:ietf:params:acme:error:connection
    Status: 400
    Detail: Fetching https://example.com/.well-known/acme-challenge/_1-IDoZ-sRTRSuLxZtjG_v0YZqWajvhTyAaU6IYCTog: Timeout during connect (likely firewall problem)

    [root@localhost ~]# nmap -p 80 example.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-05 10:41 CDT
    Nmap scan report for example.com (74.XXX.XXX.123)
    Host is up (0.050s latency).
    rDNS record for 74.XXX.XXX.123: srv01.example.com
    PORT STATE SERVICE
    80/tcp open http

    Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
    [root@localhost ~]# nmap -p 443 example.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-05 10:41 CDT
    Nmap scan report for example.com (74.XXX.XXX.123)
    Host is up (0.053s latency).
    rDNS record for 74.XXX.XXX.123: srv01.example.com
    PORT STATE SERVICE
    443/tcp open https

    Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
    [root@localhost ~]# dig +short example.com
    74.XXX.XXX.123
    [root@localhost ~]# dig +short -t AAAA example.com
    2607:XXXX:XXXX:XXXX::1231

  • Maxim Krasikov

    Hello @Ven Bili,

    Please also make sure that 80 and 443 ports are open for IPv6 too:
    # nmap -6 -Pn -p80 example.com
    # nmap -6 -Pn -p443 example.com

    If the issue still remains, contact Plesk support for deeper investigation:
    https://support.plesk.com/hc/en-us/requests/new
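The checks recommended in this thread (ports 80 and 443 reachable over both IPv4 and IPv6, a correct AAAA record, and no 301/302 redirect on the challenge path) can be run in one pass before asking Plesk to issue the certificate. The script below is an added example and is not Plesk's code or part of the Plesk product; it uses only the Python standard library. "example.com" and the token "constructed-token" are placeholders, and `demo_with_constructed_results()` feeds it constructed DNS and probe results that mimic the case above (IPv4 fine, stale AAAA record, 301 redirect) so it can be run offline.

```python
"""Pre-flight check for Let's Encrypt HTTP-01 validation (added example, not
Plesk's code). Resolves every A and AAAA record of a hostname, probes TCP
80/443 on each address, and fetches the ACME challenge path with the right
Host header to catch a 301/302 redirect."""
import http.client
import socket
import sys
from typing import Callable, Dict, List, Tuple

Addr = Tuple[int, str]  # (address family, IP literal)
REDIRECTS = (301, 302, 307, 308)


def resolve_all(hostname: str) -> List[Addr]:
    """Every (family, ip) DNS returns. The CA will use a AAAA record if one
    exists, so a stale or mistyped AAAA breaks validation even when IPv4 works."""
    seen: Dict[Addr, None] = {}
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            hostname, None, proto=socket.IPPROTO_TCP):
        seen[(family, sockaddr[0])] = None
    return list(seen)


def tcp_reachable(family: int, ip: str, port: int, timeout: float = 5.0) -> bool:
    """True when a TCP handshake to ip:port completes within timeout.
    A timeout here is what Let's Encrypt reports as 'likely firewall problem'."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
        return True
    except OSError:
        return False


def challenge_status(hostname: str, ip: str, token: str, timeout: float = 5.0) -> int:
    """HTTP status this address returns for /.well-known/acme-challenge/<token>,
    sent with the Host header so name-based vhosts answer as the CA sees them.
    Returns -1 when the request itself fails."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", f"/.well-known/acme-challenge/{token}",
                     headers={"Host": hostname})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return -1
    finally:
        conn.close()


def preflight(hostname: str, token: str,
              resolver: Callable[[str], List[Addr]] = resolve_all,
              probe: Callable[[int, str, int], bool] = tcp_reachable,
              fetch: Callable[[str, str, str], int] = challenge_status,
              ) -> Dict[str, List[str]]:
    """Run all checks; return {'ok': [...], 'problems': [...]} findings."""
    findings: Dict[str, List[str]] = {"ok": [], "problems": []}
    addrs = resolver(hostname)
    if not addrs:
        findings["problems"].append(f"{hostname}: no A or AAAA record")
        return findings
    for family, ip in addrs:
        label, rr = ("IPv6", "AAAA") if family == socket.AF_INET6 else ("IPv4", "A")
        open_ports = {p: probe(family, ip, p) for p in (80, 443)}
        for port, ok in open_ports.items():
            if ok:
                findings["ok"].append(f"{label} {ip} port {port} reachable")
            else:
                findings["problems"].append(
                    f"{label} {ip} port {port} unreachable: firewall, or {rr} "
                    f"record points at the wrong host")
        if open_ports[80]:  # only the HTTP-01 port matters for the redirect check
            status = fetch(hostname, ip, token)
            if status in REDIRECTS:
                findings["problems"].append(
                    f"{label} {ip} answers the challenge path with HTTP {status} redirect")
            elif status == -1:
                findings["problems"].append(f"{label} {ip} HTTP request failed")
            else:
                findings["ok"].append(f"{label} {ip} challenge path returned HTTP {status}")
    return findings


def demo_with_constructed_results() -> Dict[str, List[str]]:
    """Offline run on constructed data: IPv4 works, the AAAA record points at a
    host that never answers, and the working address redirects with 301."""
    def fake_resolver(_: str) -> List[Addr]:
        return [(socket.AF_INET, "192.0.2.10"), (socket.AF_INET6, "2001:db8::10e")]

    def fake_probe(family: int, _ip: str, _port: int) -> bool:
        return family == socket.AF_INET

    def fake_fetch(_host: str, _ip: str, _token: str) -> int:
        return 301

    return preflight("example.com", "constructed-token",
                     resolver=fake_resolver, probe=fake_probe, fetch=fake_fetch)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for kind, lines in preflight(host, "constructed-token").items():
        for line in lines:
            print(f"[{kind}] {line}")
```

Run it with the real hostname as the first argument from a machine outside the server's own network; a "port 80 unreachable" finding on the IPv6 address together with "reachable" on IPv4 is exactly the stale-AAAA case, and a "HTTP 301 redirect" finding points at the SEO-safe redirect setting. The token is a placeholder, so a live run reports HTTP 404 for the challenge path on a healthy server, which still proves the request reaches the right vhost without being redirected.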
