Applicable to:
- Plesk Onyx for Linux
Symptoms
- Unable to install a Let's Encrypt certificate either for a domain example.com in Domains > example.com > SSL/TLS Certificates or for securing Plesk in Tools & Settings > SSL/TLS Certificates > Let's Encrypt, with one of the following error messages:
PLESK_ERROR: Detail: Fetching http://example.com/.well-known/acme-challenge/do75fK79n_uF9JimlezVpQQQfmvHaOVd7T8cjZKVvWk: Timeout during connect (likely firewall problem)
PLESK_ERROR: Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
Details:
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/dlJ9iUsYRM51xlzLkS8KpRJYccRh1yKRUJEPgLMoRFc.
Details:
Type: urn:acme:error:connection
Status: 400
Details: Fetching https://example.com:8443/.well-known/acme-challenge/44DVtYx2WBKaujKCYO7tOxZ4nS2-m_-Ci5dLoQw0X34 Error getting validation data
PLESK_ERROR: An SSL / TLS certificate could not be issued for example.com
Details
The SSL / TLS Let's Encrypt certificate could not be issued for example.com . Authorization error for the domain.
Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxx.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching http://example.com/.well-known/acme-challenge/DOgtM-HLdDLxfaGej39Fip168f6njHhwot47XuyGANo: Error getting validation data
- The domain example.com resolves to the IP address of the Plesk server on IPv4 and/or IPv6:
# dig +short example.com
203.0.113.2
# dig +short -t AAAA example.com
2001:db8:f61:a1ff:0:0:0:80
- The domain example.com is hosted on the same Plesk server, and only an IPv4 address is assigned to it in Domains > example.com > Web Hosting Access.
- The following error might be shown when accessing http://example.com in a browser:
CONFIG_TEXT: This site can’t be reached
ERR_CONNECTION_TIMED_OUT
Cause
Port 80 and/or 443 is filtered by a firewall:
# nmap -p 80 example.com
...
PORT STATE SERVICE
80/tcp filtered http
# nmap -p 443 example.com
PORT STATE SERVICE
443/tcp filtered https
nmap reports "filtered" when its probe gets no answer at all, which is what a firewall that silently drops packets produces; a reachable port with nothing listening on it is reported as "closed" instead.
Resolution
Note: If the domain example.com resolves to both an IPv4 and an IPv6 address, HTTP and HTTPS traffic must be allowed on both, because the validation server connects to the IPv6 address when an AAAA record is published.
- If the firewall is configured on the Plesk server itself, open ports 80 and 443 for incoming connections as described in the article What ports need to be opened for all Plesk Services to work with a firewall.
- If Plesk is installed on a public cloud service, follow the provider's instructions to open ports 80 and 443: for Amazon EC2, for Amazon Lightsail, for Google Cloud, for Microsoft Azure, for Alibaba Cloud.
- If an intermediate firewall or router sits between the Plesk server and the external network, ports 80 and 443 must be opened on it as well.
Do not try to restrict these ports to Let's Encrypt's source addresses: they are not static and are not published, so the ports have to accept connections from any source for the validation to succeed.
As an alternative solution, when only the IPv6 ports are blocked:
- Go to Domains > example.com > Web Hosting Access and disable the IPv6 address.
Note: If the AAAA record is defined in an externally hosted DNS zone, remove it at the DNS provider's or registrar's side. A published IPv6 address that the server does not actually answer on makes the validation fail even though everything works over IPv4, so either keep the AAAA record reachable or do not publish it at all.
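The checks this article asks you to do by hand (dig for A and AAAA, nmap on 80/443 for each address family, fetching the challenge URL) can be scripted, and the redirect problem raised in the comments below can be caught at the same time. The following is an added example written for this article; it is not code shipped with Plesk or with the Let's Encrypt extension. It resolves the A and AAAA records of a domain, tests TCP 80 and 443 on every published address, and fetches /.well-known/acme-challenge/<token> on each address with the right Host header but without following redirects, so a 301/302 from an HTTP-to-HTTPS rewrite is reported instead of being hidden. The token value, the host name example.test and the local stand-in web server are constructed for the demonstration only; for a real domain, place a file under /.well-known/acme-challenge/ and call check_domain("example.com", "<that file name>").

```python
"""Pre-flight check for Let's Encrypt HTTP-01 validation (added example, not Plesk code)."""
import functools
import http.client
import http.server
import socket
import threading

ACME_PREFIX = "/.well-known/acme-challenge/"


def resolve_all(host):
    """Return the A and AAAA addresses the local resolver gives for host."""
    out = {"A": [], "AAAA": []}
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return out
    for family, _, _, _, sockaddr in infos:
        key = "AAAA" if family == socket.AF_INET6 else "A"
        if sockaddr[0] not in out[key]:
            out[key].append(sockaddr[0])
    return out


def tcp_state(ip, port, timeout=5.0):
    """'open' on a completed handshake, 'filtered' when the SYN is never answered
    (nmap's term for a dropping firewall), 'closed' when the host replies with RST."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "closed"


def fetch_challenge(host, ip, port, token, timeout=5.0):
    """GET the challenge URL on one specific address with Host: <host>, without following
    redirects. Returns (status, location, body); status 0 means no HTTP answer at all."""
    conn = http.client.HTTPConnection(f"[{ip}]" if ":" in ip else ip, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        return resp.status, resp.getheader("Location"), body
    except OSError:
        return 0, None, ""
    finally:
        conn.close()


def check_domain(domain, token):
    """The article's manual checks, repeated for every published address."""
    addrs = resolve_all(domain)
    if not addrs["A"] and not addrs["AAAA"]:
        return [f"{domain}: no A/AAAA record, validation cannot start"]
    report = []
    for rtype in ("A", "AAAA"):
        for ip in addrs[rtype]:
            for port in (80, 443):
                report.append(f"{rtype} {ip} tcp/{port}: {tcp_state(ip, port)}")
            status, loc, body = fetch_challenge(domain, ip, 80, token)
            # the real file holds "<token>.<account thumbprint>", so only the prefix is checked
            ok = status == 200 and body.startswith(token)
            report.append(f"{rtype} {ip} challenge: HTTP {status}"
                          + (f" -> {loc}" if loc else "") + (" OK" if ok else " PROBLEM"))
    return report


class _FakeVhost(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a Plesk vhost: serves one token and answers every
    other path with the 301 the comments describe for the SEO-safe redirect."""
    token = "constructed-token"

    def do_GET(self):
        if self.path == ACME_PREFIX + self.token:
            self.send_response(200)
            self.send_header("Content-Length", str(len(self.token)))
            self.end_headers()
            self.wfile.write(self.token.encode())
        else:
            self.send_response(301)
            self.send_header("Location", "https://example.test" + self.path)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


@functools.lru_cache(maxsize=None)
def local_demo():
    """Run the checks against the constructed vhost on 127.0.0.1 (no DNS, no internet)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeVhost)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    ip, port = srv.server_address
    return {
        "addrs": resolve_all("203.0.113.2"),  # a literal address, resolved without DNS
        "port": tcp_state(ip, port),
        "challenge": fetch_challenge("example.test", ip, port, _FakeVhost.token),
        "redirect": fetch_challenge("example.test", ip, port, "missing")[:2],
    }
```

Run check_domain against the real domain from a host outside the server's own network, because a firewall that drops inbound traffic on the WAN side is invisible from the server itself. A "filtered" result on any address is the case this article describes; a 301/302 with a Location header on the challenge URL is the redirect case discussed in the comments.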
Additional Information
What ports need to be opened for all Plesk Services to work with a firewall
Comments
21 comments
I'm getting this error even though the port is showing as open and all other domains on the same machine can renew their certificate
Hello @Richard,
In this case, the most probable cause of such behavior is a 301/302 redirect configured for this website.
Please, try this:
If 301 redirect is enabled:
Go to Domains > example.com > Hosting Settings and perform the following steps:
Set Preferred domain to none.
Uncheck the option Permanent SEO-safe 301 redirect from HTTP to HTTPS.
If 302 redirect is enabled:
Go to Domains > example.com > Hosting Settings and perform the following steps:
Turn off domain forwarding by changing Hosting type to Hosting.
In case this does not help, inspect website code and website configuration for hardcoded redirects.
301 and 302 redirects are off. I even tried creating a new subscription to ensure no extra code was creating errors with the redirect.
Hello @Richard,
Please contact Plesk technical support for assistance:
https://support.plesk.com/hc/en-us/requests/new
What was the solution?
Got same problem. File under .well-known/acme-challenge/somerandomcharacters is being created and shows when visited in a browser.
@TomBob
Make sure that ports 80 and 443 are open on both IPv4 and IPv6. Your domain may resolve to IPv6 even if no IPv6 address is assigned to it in Plesk, so please check it using, for example, https://mxtoolbox.com/SuperTool.aspx
In case further help is required, do not hesitate to submit a request to support as per https://support.plesk.com/hc/en-us/articles/213608509-How-to-submit-a-request-to-Plesk-support-
perfect pointer, thanks.
https://ipv6-test.com/validate.php showed indeed that ipv6 server is not avail.
After checking all the above very carefully again, it turned out that the IPv6 address in the external DNS was indeed incorrect. For reasons unknown it had changed by two characters in the fourth group: :111: had changed into :10e:. It had slipped my sight when checking the IPv6 before.
But unfortunately this is very annoying to do every 2 months on about 30 domains.
Are there any other ways to solve this problem?
Details
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching https://example.com/.well-known/acme-challenge/_1-IDoZ-sRTRSuLxZtjG_v0YZqWajvhTyAaU6IYCTog: Timeout during connect (likely firewall problem)
[root@localhost ~]# nmap -p 80 example.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-05 10:41 CDT
Nmap scan report for example.com (74.XXX.XXX.123)
Host is up (0.050s latency).
rDNS record for 74.XXX.XXX.123: srv01.example.com
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
[root@localhost ~]# nmap -p 443 example.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-05 10:41 CDT
Nmap scan report for example.com (74.XXX.XXX.123)
Host is up (0.053s latency).
rDNS record for 74.XXX.XXX.123: srv01.example.com
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
[root@localhost ~]# dig +short example.com
74.XXX.XXX.123
[root@localhost ~]# dig +short -t AAAA example.com
2607:XXXX:XXXX:XXXX::1231
Hello @Ven Bili,
Please also make sure that 80 and 443 ports are open for IPv6 too:
# nmap -6 -Pn -p80 example.com
# nmap -6 -Pn -p443 example.com
If the issue still remains, contact Plesk support for deeper investigation:
https://support.plesk.com/hc/en-us/requests/new
In case it helps anyone we've been getting this error periodically for a couple of months now, with the automatic renewals. What I found is that if I wait a while and renew the certificate manually in the Plesk GUI, it works. As in, no other changes made. Sometimes it takes a few tries. Note Let's Encrypt has a Failed Validation limit of 5 failures per account, per hostname, per hour (https://letsencrypt.org/docs/rate-limits/), so don't bother trying many times in a row.
@Steve Yates, it is not expected behavior; should you face the issue again, please contact our support.
Like I said we've been having this problem sporadically. This past Friday (and again Saturday and Sunday nights) we had a server fail to renew seven certificates. I couldn't get them to renew today. Tonight I went through all seven sites one at a time and turned off "Permanent SEO-safe 301 redirect from HTTP to HTTPS" and on the few where it was set, "Preferred domain," and all seven renewed on the first try after that. Then of course turn them back on.
This server and the domains were created in February so it had been working fine for 9 months.
The strange thing is, I am pretty sure I saw at some point that the Plesk redirect specifically excludes /.well-known/acme-challenge, though I can't seem to find that setting again.
I also can't explain why simply retrying worked sometimes, per my post a few weeks ago. Maybe Let's Encrypt has some servers that follow redirects...
In case it helps anyone I opened a case and spent a month or so working with support. Their conclusion was, as others have posted:
1. To make renewal work correctly, please keep "SEO-safe 301 redirect from HTTP to HTTPS" disabled.
2. We do plan to exclude Let's Encrypt from being affected by the SEO redirect in the future; we created an internal request for that with ID EXTLETSENC-769.
Hello Steve Yates,
Thank you for the message, it may be useful for other Pleskians.
Even with "SEO-safe 301 redirect from HTTP to HTTPS" disabled I still got errors on some sites of my server;
this never happened before, and the latest update of the server was today (last update on 2 April 2020 06:25)
(the problem is not on all sites, maybe only on the ones that had "SEO-safe 301 redirect from HTTP to HTTPS" enabled before the Plesk update; now they are all disabled but some refuse to renew...)
and when connecting from outside to the Let's Encrypt callback I get a
301 Moved Permanently answer, so obviously the disabled status seems not to be taken into account.
BUT changing the setting "Preferred domain" to the one without WWW solves this problem; I can get access from another computer to the
.well-known/acme-challenge/TOKEN URL, however the renewal of the certificate still doesn't work, even after disabling plesk-modsecurity to be sure it doesn't interfere…
Does somebody know the IP of the calling server, just to be sure another firewall rule doesn't block it?
Hello Pascal Pochet
Let's Encrypt IPs aren't static, more information may be found here: https://community.letsencrypt.org/t/whitelisting-le-ip-addresses-ranges-in-firewall/45190/4
Also, make sure that there are no additional redirects, e.g. defined in the site code.
Feel free to submit a request to Plesk Support. It looks like additional investigation is required.
Same here - renewing Let's Encrypt certificates fails as long as the SEO redirect is active. With error: Detail: Fetching https://.well-known/acme-challenge/ic5KPO7W7NB6UfR8c6BILgfCWuqub42K9VJXXXXXX: Timeout during connect (likely firewall problem)
The link is callable via Browsers (ip4/ip6) and displaying the correct Token.
As soon as the SEO friendly 301-redirect is disabled, renewing works.
What is the status of EXTLETSENC-769? After the Let's Encrypt extension and Plesk update to 18.0.28-2, this is still not fixed. I already had issues with expired certificates, because I cannot monitor hundreds of domains, aliases and subdomains. This should have high priority!
Hello peterbo
> What is the Status of EXTLETSENC-769
Thank you for the feedback.
This functionality improvement is yet to be implemented. The ETA will be available later.
I have the same problem. But here is what I did; you can try:
- Fix follow this: https://support.plesk.com/hc/en-us/articles/115002122374-Unable-to-install-a-Let-s-Encrypt-certificate-for-a-domain-in-Plesk-for-Windows-404-Not-Found
- Uncheck: Include the "www" subdomain for the domain and each selected alias and Issue a wildcard SSL/TLS certificate in Let's Encrypt
- Verify the correct email in the same Let's Encrypt screen
Hope this will help you.
The following worked for me: the folder .well-known is not created in the document root (Hosting settings) but in the default folder of the domain.
I changed the document root to the default folder and was able to find the text. This solution is only a workaround, as I'll have to do the same when reissuing the certificate.
There are more factors that cause this error, and they have nothing to do with the firewall or with IPv6.
1 - If the website uses WordPress and has Plesk's maintenance mode enabled, Let's Encrypt is not able to renew the certificate.
2 - If the certificate has already expired or is incorrect (the default Plesk certificate) and you have the HTTPS redirect options enabled, Let's Encrypt is also not able to renew the certificate.
It is necessary to disable these options and then renew the certificate.