Unable to issue a Let's Encrypt certificate: The token file is either unreadable or does not have the read permission

Symptoms

• Installation of a Let's Encrypt certificate fails with one of the following error message in Plesk UI:

  PLESK_ERROR: The authorization token is not available at http://example.com/.well-known/acme-challenge/Ab87T7gZtQeJBq0C2I44O9egoe-WXTTlE-hBmdvDCHM.
  The token file 'С:\Inetpub\vhosts\example.com\.well-known\acme-challenge\Ab87T7gZtQeJBq0C2I44O9egoe-WXTTlE-hBmdvDCHM' is either unreadable or does not have the read permission.

  PLESK_ERROR: Detail: Fetching https:/example.com/.well-known/acme-challenge/zQgf775Mm4z72VrrSybdlS725tk1IuSTrrwBaEoqzOg: **Error getting validation data

  PLESK_ERROR: Could not issue an SSL/TLS certificate for example.com
  Details
  Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
  Details
  Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/1708718328.
  Details:
  Type: urn:ietf:params:acme:error:connection
  Status: 400
  Detail: Fetching https://www.example.com/.well-known/acme-challenge/8DdIKX257k6Dih5s_saeVMpTnjPJdKO5Ase0OCiJrIw: Timeout during connect (likely firewall problem)

• Optional symptoms for Windows:

  • A test .html file located in the directory mentioned in the error, e.g С:\Inetpub\vhosts\example.com\.well-known\acme-challenge, is not accessible from the Internet with the following error message in a browser:

    PLESK_INFO: HTTP Error 403.14 - Forbidden
    The page you are trying to access is secured with Secure Sockets Layer (SSL).

  • The following warning can be found at Plesk > Domains > example.com > Logs:

    PLESK_INFO: WARN [extension/letsencrypt] Cannot check the token file is readable by others

Cause

Rewrite rules to HTTPS that are enabled in domain settings prevent the issuing of a Let's Encrypt certificate that is works only via HTTP.

Resolution

1. Log into Plesk.

2. Go to Domains > example.com > File Manager and remove .well-known directory.

3. Temporary disable the option Permanent SEO-safe 301 redirect from HTTP to HTTPS at Domains > example.com > Hosting Settings:
   

4. Disable custom redirect rules:

   for Linux:

   • Rename .htaccess file into .htaccess.orig: Open Domains > example.com > File Manager > Click next to the .htaccess file > click Rename.
   for Windows:

   • Temporary disable the option Require SSL/TLS at Domains > example.com > IIS Settings:
     

   • Rename web.config file into web.config.orig: Open Domains > example.com > File Manager > Click next to the web.config file > click Rename.

   • Connect to the server via RDP and disable all HTTP<->HTTPS rules in IIS Manager at Server > Sites > example.com > URL Rewrite:
     

5. Install a Let's Encrypt certificate at Domains > example.com > Let's Encrypt.

Additional Information

Failed to issue a Let's Encrypt certificate: 404 Not Found.