Unable to issue Let's Encrypt certificate in Plesk: "Timeout during connect (likely firewall problem)" OR "Error getting validation data"

Comments

19 comments

  • Ivan Postnikov

    Hello @Richard,

    In this case, the most probable cause of such behavior is a 301/302 redirect configured for this website.

    Please try this:

    If 301 redirect is enabled:

    Go to Domains > example.com > Hosting Settings and perform the following steps:

    • Set Preferred domain to none.

    • Uncheck the option Permanent SEO-safe 301 redirect from HTTP to HTTPS.

    • Issue a Let's Encrypt certificate in Domains > example.com > Let's Encrypt.

    If 302 redirect is enabled:

    Go to Domains > example.com > Hosting Settings and perform the following steps:

    • Turn off domain forwarding by changing Hosting type to Hosting.

    • Issue a Let's Encrypt certificate in Domains > example.com > Let's Encrypt.

    In case this does not help, inspect the website code and website configuration for hardcoded redirects.

    2
  • Ivan Postnikov

    Hello Pascal Pochet,

    Let's Encrypt IPs aren't static; more information may be found here: https://community.letsencrypt.org/t/whitelisting-le-ip-addresses-ranges-in-firewall/45190/4

    Also, make sure that there are no additional redirects, e.g. defined in the site code.

    Feel free to submit a request to Plesk Support. It looks like additional investigation is required.

    0
  • Richard Rudy

    I'm getting this error even though the port is showing as open and all other domains on the same machine can renew their certificate.

    0
  • Steve Yates

    Like I said, we've been having this problem sporadically. This past Friday (and again Saturday and Sunday nights) we had a server fail to renew seven certificates. I couldn't get them to renew today. Tonight I went through all seven sites one at a time and turned off "Permanent SEO-safe 301 redirect from HTTP to HTTPS" and, on the few where it was set, "Preferred domain," and all seven renewed on the first try after that. Then, of course, I turned them back on.

    This server and the domains were created in February so it had been working fine for 9 months.

    The strange thing is, I am pretty sure I saw at some point that the Plesk redirect specifically excludes /.well-known/acme-challenge, though I can't seem to find that setting again.

    I also can't explain why simply retrying worked sometimes, per my post a few weeks ago.  Maybe Let's Encrypt has some servers that follow redirects...

    0
  • Ivan Postnikov

    Hello peterbo,

    > What is the Status of EXTLETSENC-769

    Thank you for the feedback.

    This functionality improvement is yet to be implemented. The ETA will be available later.

    0
  • Ven Bili (Edited)
    The only way for me to solve this is to uncheck "Permanent SEO-safe 301 redirect from HTTP to HTTPS", reissue the certificate, change the _acme-challenge TXT record in DNS, because Let's Encrypt changes it, and turn SEO 301 on again.
    But unfortunately this is very annoying to do every 2 months for about 30 domains.
    Are there any other ways to solve this problem?
     
    My example:
     
    Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
    Details
    Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/jpWC5v8I9nYFohMvPKh90AOOwOrqSIxh6ikM1QZE0CU.
    Details:
    Type: urn:ietf:params:acme:error:connection
    Status: 400
    Detail: Fetching https://example.com/.well-known/acme-challenge/_1-IDoZ-sRTRSuLxZtjG_v0YZqWajvhTyAaU6IYCTog: Timeout during connect (likely firewall problem)

    [root@localhost ~]# nmap -p 80 example.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-05 10:41 CDT
    Nmap scan report for example.com (74.XXX.XXX.123)
    Host is up (0.050s latency).
    rDNS record for 74.XXX.XXX.123: srv01.example.com
    PORT STATE SERVICE
    80/tcp open http

    Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
    [root@localhost ~]# nmap -p 443 example.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-05 10:41 CDT
    Nmap scan report for example.com (74.XXX.XXX.123)
    Host is up (0.053s latency).
    rDNS record for 74.XXX.XXX.123: srv01.example.com
    PORT STATE SERVICE
    443/tcp open https

    Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
    [root@localhost ~]# dig +short example.com
    74.XXX.XXX.123
    [root@localhost ~]# dig +short -t AAAA example.com
    2607:XXXX:XXXX:XXXX::1231

    0
  • TomBob

    What was the solution?

    Got the same problem. The file under .well-known/acme-challenge/somerandomcharacters is being created and shows when visited in a browser.

    0
  • Steve Yates

    In case it helps anyone, I opened a case and spent a month or so working with support. Their conclusion was, as others have posted:

    1. To make renewal work correctly, please keep "SEO-safe 301 redirect from HTTP to HTTPS" disabled.
    2. We do plan to exclude Let's Encrypt from being affected by the SEO redirect in the future; we created an internal request for that with ID EXTLETSENC-769.

    0
  • Richard Rudy

    301 and 302 redirects are off. I even tried creating a new subscription to ensure no extra code was creating errors with the redirect.

    0
  • Ivan Postnikov

    Hello Steve Yates,

    Thank you for the message, it may be useful for other Pleskians.

    0
  • Lev Iurev

    @Steve Yates this is not expected behavior; should you face the issue again, please contact our support.

    0
  • Alisa Kasyanova

    @TomBob
    Make sure that ports 80 and 443 are open on both IPv4 and IPv6. Your domain may resolve to IPv6 even if an IPv6 address is not assigned to it in Plesk, so please check it using, for example, https://mxtoolbox.com/SuperTool.aspx
    In case further help is required, do not hesitate to submit a request to support as per https://support.plesk.com/hc/en-us/articles/213608509-How-to-submit-a-request-to-Plesk-support-

    0
  • Pascal Pochet (Edited)

    Even with "SEO-safe 301 redirect from HTTP to HTTPS" disabled I still got errors on some sites of my server.

    This never happened before, and the latest update of the server was today, "last update on 2 April 2020 06:25".

    (The problem is not on all sites, maybe only on the ones that had "SEO-safe 301 redirect from HTTP to HTTPS" enabled before the Plesk update; now they are all disabled but some refuse to renew...)

    And when connecting from outside to the Let's Encrypt callback I get a 301 Moved Permanently answer, so obviously the disabled status seems not to be taken into account.

    BUT changing the setting "Preferred domain" to the one without WWW solves this problem: I can get access from another computer to the .well-known/acme-challenge/TOKEN URL. However, renewing the certificate still doesn't work, even after disabling plesk-modsecurity to be sure it doesn't interfere…

    Does somebody know the IP of the calling server, just to be sure another firewall rule doesn't block it?

    0
  • Lê Văn Hiếu

    I have the same problem. But here is what I did; you can try:

    - Fix following this: https://support.plesk.com/hc/en-us/articles/115002122374-Unable-to-install-a-Let-s-Encrypt-certificate-for-a-domain-in-Plesk-for-Windows-404-Not-Found

    - Uncheck: Include the "www" subdomain for the domain and each selected alias, and Issue a wildcard SSL/TLS certificate in Let's Encrypt

    - Verify the correct email in the same Let's Encrypt

    Hope this will help you.

    0
  • TomBob

    Perfect pointer, thanks.

    https://ipv6-test.com/validate.php showed indeed that the IPv6 server is not available.

    After checking all the above very carefully again, it turned out that the IPv6 address on the external DNS was indeed incorrect. For reasons unknown it had changed by two characters in the fourth group: :111: had changed into :10e:. It had slipped my sight when checking the IPv6 before.

    0
  • Maxim Krasikov

    Hello @Ven Bili,

    Please also make sure that ports 80 and 443 are open for IPv6 too:
    # nmap -6 -Pn -p80 example.com
    # nmap -6 -Pn -p443 example.com

    If the issue still remains, contact Plesk support for deeper investigation:
    https://support.plesk.com/hc/en-us/requests/new

    0
  • Steve Yates

    In case it helps anyone, we've been getting this error periodically for a couple of months now, with the automatic renewals. What I found is that if I wait a while and renew the certificate manually in the Plesk GUI, it works. As in, no other changes made. Sometimes it takes a few tries. Note Let's Encrypt has a Failed Validation limit of 5 failures per account, per hostname, per hour (https://letsencrypt.org/docs/rate-limits/), so don't bother trying many times in a row.

    0
  • Maxim Krasikov

    Hello @Richard,

    Please contact Plesk technical support for assistance:
    https://support.plesk.com/hc/en-us/requests/new

    0
  • peterbo (Edited)

    Same here: renewing Let's Encrypt certificates fails as long as the SEO redirect is active, with the error: Detail: Fetching https://.well-known/acme-challenge/ic5KPO7W7NB6UfR8c6BILgfCWuqub42K9VJXXXXXX: Timeout during connect (likely firewall problem)

    The link is reachable via browsers (IPv4/IPv6) and displays the correct token.

    As soon as the SEO-friendly 301 redirect is disabled, renewing works.

    What is the status of EXTLETSENC-769? After the Let's Encrypt extension and Plesk update to 18.0.28-2, this is still not fixed. I already had issues with expired certificates, because I cannot monitor hundreds of domains, aliases and subdomains. This should have high priority!

    0
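The thread turns up two distinct root causes behind the same "Timeout during connect" message: a 301/302 on the /.well-known/acme-challenge/ path (Ivan's and Steve's posts) and a stale AAAA record that sends the validator to an address nobody listens on (Alisa's and TomBob's posts). The script below is an added example, not Plesk or Let's Encrypt code: it resolves every A and AAAA record for a host, fetches the challenge URL from each address over plain HTTP without following redirects, and reports what the validator would see at that hop. `example.com`, the token and the `broken-redirect` heuristic for a malformed host (such as the `https://.well-known/...` target quoted above) are my own assumptions.

```python
import socket
from urllib.parse import urlsplit
ACME_PREFIX = "/.well-known/acme-challenge/"

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x reply into (status, lower-cased headers, body); status 0 = no reply."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return 0, {}, body
    headers = {k.strip().lower(): v.strip() for k, _, v in (ln.partition(":") for ln in lines[1:] if ln)}
    return int(lines[0].split(" ", 2)[1]), headers, body

def classify(status, headers, body, token):
    """Verdict for one hop, judged the way an ACME HTTP-01 validator would."""
    if status == 0:
        return "empty-response"
    if status == 200:   # the key-authorization file begins with the token itself
        return "ok" if token.encode() in body else "wrong-body"
    if status in (301, 302, 303, 307, 308):
        loc = headers.get("location", "")
        u = urlsplit(loc)
        # redirects are followed, but only to an absolute http(s) URL with a real host (own heuristic)
        if u.scheme not in ("http", "https") or not u.hostname or u.hostname.startswith("."):
            return f"broken-redirect:{loc}"
        if not u.path.startswith(ACME_PREFIX):
            return f"redirect-off-path:{loc}"   # e.g. bounced to the site root
        return f"redirect:{loc}"
    return f"http-{status}"

def probe(host, token, addr, timeout=5.0):
    """Plain-HTTP GET of the challenge URL at one specific address, redirects not followed."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    req = f"GET {ACME_PREFIX}{token} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, 80))
            s.sendall(req.encode())
            raw = b""
            while chunk := s.recv(4096):
                raw += chunk
    except OSError as exc:   # a timeout here is the thread's "Timeout during connect"
        return f"connect-failed:{exc}"
    return classify(*parse_response(raw), token)

def check_all(host, token):
    """Probe every A and AAAA record: a stale AAAA record fails here while IPv4 looks fine."""
    addrs = {ai[4][0] for ai in socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)}
    return {addr: probe(host, token, addr) for addr in sorted(addrs)}
```

Run `check_all("example.com", "<token>")` from a host outside your own network while a challenge file is in place; an address reported as `connect-failed` or `redirect` is the one the validator is tripping over.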
