Applicable to:
- Plesk for Linux
Symptoms

- Unable to issue a Let's Encrypt certificate for example.com:

    Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com Authorization for the domain failed.
    Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/Zsp9keucq_5bElhpjJS4VlApIYjwHcr9Tzr6Vb-0N9c.
    Details:
    Type: urn:acme:error:connection
    Status: 400
    Detail: Fetching http://example.com/.well-known/acme-challenge/A0w1TWCsHraPRVnbD8Ds8o1FaiIv19Q-4wifWlGHv_0: Connection refused

  or:

    Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com Authorization for the domain failed.
    Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/Zsp9keucq_5bElhpjJS4VlApIYjwHcr9Tzr6Vb-0N9c.
    Details:
    Type: urn:acme:error:connection
    Status: 400
    Detail: Fetching https://www.example.com/.well-known/acme-challenge/Jp2aL_WXqqouVCnjLlEBGtzJwCezl006nviGzgKUVZA: Error getting validation data
- Two IP addresses (IPv6 and IPv4) are assigned to the domain, and port 80 and/or 443 is filtered on one of them:

    # nmap -Pn -6 example.com -p80,443
    Starting Nmap 6.47 ( http://nmap.org ) at 2019-02-26 12:47 +07
    Nmap scan report for example.com (2001:db8:f61:a1ff:0:0:0:80)
    . . .
    PORT STATE SERVICE
    80/tcp filtered http
    443/tcp filtered https

    # nmap -Pn example.com -p80,443
    Starting Nmap 6.47 ( http://nmap.org ) at 2019-02-26 12:47 +07
    Nmap scan report for example.com (203.0.113.2)
    . . .
    PORT STATE SERVICE
    80/tcp open http
    443/tcp open https
- Checking website connectivity shows the following:

    # wget -S --spider http://example.com
    ...
    Connecting to example.com|2001:db8:f61:a1ff:0:0:0:80|:80... failed: Connection refused.
    ...

- Checking IP connectivity via telnet shows the following:

    # telnet 2001:db8:f61:a1ff:0:0:0:80 80
    Trying 2001:db8:f61:a1ff:0:0:0:80...
    telnet: Unable to connect to remote host: Network is unreachable
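The nmap, wget and telnet checks above compare the two address families by hand. The script below is an added example, not part of the Plesk article, that does the same comparison in one step with curl: it requests the HTTP-01 challenge path over IPv4 and over IPv6 separately and reports when only one family answers. The script name and the challenge token `probe` are made up; any HTTP answer (a 404 included) proves the TCP/HTTP path works, and only a connection failure counts as a problem.

```shell
#!/bin/sh
# Added example, not part of the Plesk article: probe the HTTP-01 challenge
# path over IPv4 and IPv6 separately, which is what the nmap/wget/telnet
# checks above do by hand. Assumes curl is installed; the token "probe" is a
# made-up path, so a 404 still proves the TCP/HTTP path to the vhost works.

# Map a curl exit status to a short verdict.
#   0  = an HTTP answer came back (any status code)
#   6  = DNS has no record of that family (no AAAA, for -6)
#   7  = connect failed (refused, or "network unreachable")
#   28 = connect timed out (the usual sign of a filtering firewall)
verdict() {
    case "$1" in
        0)  echo reachable ;;
        6)  echo no-record ;;
        7)  echo connect-failed ;;
        28) echo timeout ;;
        *)  echo "curl-error-$1" ;;
    esac
}

# probe_family 4|6 <hostname>: prints the verdict for that address family.
probe_family() {
    rc=0
    curl "-$1" -s -o /dev/null --connect-timeout 5 \
        "http://$2/.well-known/acme-challenge/probe" >/dev/null 2>&1 || rc=$?
    verdict "$rc"
}

# diagnose <ipv4 verdict> <ipv6 verdict>: turn the pair into a diagnosis.
# The case this article is about is the third one: an AAAA record exists but
# the site answers over IPv4 only, so a validator connecting over IPv6 fails.
diagnose() {
    case "$1/$2" in
        reachable/reachable) echo "ok: both address families answer" ;;
        reachable/no-record) echo "ok: IPv4 only, no AAAA record published" ;;
        reachable/*)         echo "MISMATCH: IPv4 reachable but IPv6 $2; check ip6tables and the AAAA record" ;;
        *)                   echo "FAIL: IPv4 $1, IPv6 $2" ;;
    esac
}

# Usage: sh acme-probe.sh example.com
if [ -n "${1:-}" ]; then
    v4=$(probe_family 4 "$1")
    v6=$(probe_family 6 "$1")
    echo "IPv4: $v4"
    echo "IPv6: $v6"
    diagnose "$v4" "$v6"
fi
```

Run it from a host outside the server's own network, since the question is whether the outside world (the validation servers) can reach both addresses; a probe from the server itself goes through the loopback or local routes and does not exercise the firewall rules in question.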
Cause

Firewall settings filter TCP ports 80 and/or 443 on one of the domain's IP addresses.
Resolution

Modify the firewall rules to allow incoming connections:

- Log in to the Plesk server via SSH.
- Allow incoming connections to TCP ports 80 and 443:
  - For IPv4 connections, allow ports 80 and 443 using the Plesk Firewall.
  - If IPv6 is used, add firewall rules to ip6tables:
    - Execute the following commands:

        # ip6tables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
        # ip6tables -I INPUT 1 -p tcp --dport 443 -j ACCEPT

    - Make the rules permanent:

      Debian/Ubuntu:

        # ip6tables-save > /etc/iptables/rules.v6

      RHEL/CentOS:

        # ip6tables-save > /etc/sysconfig/ip6tables

Note: If the issue persists after opening the ports, there may be an intermediate firewall in between. In this case, contact the service provider, or alternatively contact the registrar and disable the AAAA records for the domain.
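The two ip6tables commands above are not idempotent (each run inserts another copy of the rule at the top of INPUT), and the save step differs per distribution. The script below is an added example, not Plesk's own tooling, that wraps those steps: it checks with `ip6tables -C` before inserting, picks the persistence file from the `ID` field of `/etc/os-release`, and verifies that the saved file actually contains both rules. The mapping for `almalinux` and `rocky` is an assumption that they follow the RHEL/CentOS layout; the script name and the `apply` argument are made up.

```shell
#!/bin/sh
# Added example, not part of the Plesk article: the ip6tables steps above,
# made idempotent (re-running does not stack duplicate rules) and persisted
# to the file the article names for each distribution. Run as root with the
# argument "apply"; without it only the functions are defined.

# rule_in_dump <ip6tables-save output> <port>: succeeds if INPUT already has
# an ACCEPT rule for tcp/<port>. ip6tables-save writes the rule as
# "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT". The trailing space after
# the port keeps "--dport 80" from matching "--dport 8080".
rule_in_dump() {
    printf '%s\n' "$1" | grep -Eq -- "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT"
}

# persist_file <ID from /etc/os-release>: file read at boot by the distro's
# rule loader (iptables-persistent on Debian/Ubuntu, iptables-services on
# RHEL/CentOS). almalinux/rocky are an assumption: RHEL clones, same layout.
persist_file() {
    case "$1" in
        debian|ubuntu)               echo /etc/iptables/rules.v6 ;;
        rhel|centos|almalinux|rocky) echo /etc/sysconfig/ip6tables ;;
        *)                           return 1 ;;
    esac
}

# ensure_port <port>: insert the ACCEPT rule at the top of INPUT unless an
# identical one already exists (ip6tables -C only checks, it changes nothing).
ensure_port() {
    if ip6tables -C INPUT -p tcp --dport "$1" -j ACCEPT 2>/dev/null; then
        echo "tcp/$1 already allowed"
    else
        ip6tables -I INPUT 1 -p tcp --dport "$1" -j ACCEPT
        echo "opened tcp/$1"
    fi
}

# Usage (as root): sh open-acme-ports-v6.sh apply
if [ "${1:-}" = apply ]; then
    for p in 80 443; do ensure_port "$p"; done
    . /etc/os-release
    target=$(persist_file "$ID") || { echo "unknown distro '$ID': save the rules manually" >&2; exit 1; }
    ip6tables-save > "$target"
    # Verify the persisted file really carries both rules before trusting it.
    for p in 80 443; do
        rule_in_dump "$(cat "$target")" "$p" || { echo "tcp/$p missing from $target" >&2; exit 1; }
    done
    echo "rules saved to $target"
fi
```

On Debian/Ubuntu the `/etc/iptables/rules.v6` file is only loaded at boot if the `iptables-persistent` package is installed; on RHEL/CentOS the `ip6tables` service (package `iptables-services`) reads `/etc/sysconfig/ip6tables`. Without the matching loader the rules are lost on reboot even though the save succeeded.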
Alternative workaround for the IPv6 issue

- Log in to the Plesk server via SSH.
- Disable IPv6 on the server:

    # sysctl -w net.ipv6.conf.all.disable_ipv6=1
    # sysctl -w net.ipv6.conf.default.disable_ipv6=1

- Issue the certificate.
- Enable IPv6 again:

    # sysctl -w net.ipv6.conf.all.disable_ipv6=0
    # sysctl -w net.ipv6.conf.default.disable_ipv6=0

- Restart the network service (this does not cause downtime or dropped connections):

  Debian/Ubuntu:

    # service networking restart

  RHEL/CentOS:

    # service network restart

Note: This is a temporary workaround; the next automatic renewal may fail in the same way.
Comments
Having rules like those is not why I took Plesk. Anyway, I managed to execute them. The instructions do not mention that you need to install iptables first.
After that, I managed to execute these rules, but the error when trying to create a certificate remains the same. The only workaround is to remove the IPv6 assignment in the domain's host settings, and the AAAA record from the DNS service.