Can't issue or reissue Let's Encrypt certificate in Plesk: Timeout during connect (likely firewall problem) / Error getting validation data

Applicable to:

  • Plesk for Linux

Symptoms

  • Can't issue or reissue a Let's Encrypt certificate for a domain or for the Plesk panel hostname; an error similar to one of the following is shown:

    Detail: Fetching http://example.com/.well-known/acme-challenge/do75fK79n_uF9JimlezVpQQQfmvHaOVd7T8cjZKVvWk: Timeout during connect (likely firewall problem)

    Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
    Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/dlJ9iUsYRM51xlzLkS8KpRJYccRh1yKRUJEPgLMoRFc.
    Type: urn:acme:error:connection
    Status: 400
    Details: Fetching https://example.com:8443/.well-known/acme-challenge/44DVtYx2WBKaujKCYO7tOxZ4nS2-m_-Ci5dLoQw0X34 Error getting validation data

    An SSL / TLS certificate could not be issued for example.com
    The SSL / TLS Let's Encrypt certificate could not be issued for example.com. Authorization error for the domain.
    Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxx.
    Type: urn:ietf:params:acme:error:connection
    Status: 400
    Detail: Fetching http://example.com/.well-known/acme-challenge/DOgtM-HLdDLxfaGej39Fip168f6njHhwot47XuyGANo: Error getting validation data

    Could not issue an SSL/TLS certificate for example.com
    Details
    Could not request a Let's Encrypt SSL/TLS certificate for example.com.
    Go to http://example.com/.well-known/acme-challenge/jIdPOz-AJnOaU8bJUgwh50yrgPNeW-hBvpm-rnonHl8
    and check if the authorization token is available.
    If it is, try to request the certificate again. If the token is not available, there may be an issue with your DNS configuration.
    Your domain in Plesk is hosted on the IP address(es): 2001:db8:f61:a1ff:0:0:0:80, but the DNS challenge used another IP: 203.0.113.2.
    Make sure that the IP address(es) specified in the domain's DNS zone match the IP address(es) the domain is hosted on.
    If it does not help or if you cannot find an issue with your DNS configuration, use this KB article for troubleshooting.

    Although this error message suggests a DNS issue, it is also displayed when port 80 is inaccessible. The error message will be reworked to be clearer in the scope of #EXTLETSENC-1235.

  • The domain itself resolves to the correct Plesk server IP address and is reachable via port 443 (HTTPS)

  • Opening the site in a browser via HTTP may display an error that is similar to the following:

    This site can’t be reached
    ERR_CONNECTION_TIMED_OUT

    Not Found
    HTTP Error 404. The requested resource is not found.

Cause

Port 80 (HTTP) on the server IP address is filtered by a firewall, either on the server itself or at a level above it (a network firewall or a proxy in front of the server), so the Let's Encrypt validation token in the web server directory cannot be fetched over that port:

# curl http://example.com/.well-known/acme-challenge/q3HovILzhuoPvjNiUNP_m1flsnpkK5wJ9bQwEvXwexs
<!DOCTYPE html>
<html>
<head>
<title>401 Authentication required</title>
</head>
<body>
<h1>Error 401 Authentication required</h1>
<p>Authentication required</p>
<h3>Guru Meditation:</h3>
<p>XID: 0107325</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

# nmap -Pn -p80 example.com
...
PORT STATE SERVICE
80/tcp filtered http

Note: When performing the HTTP-01 challenge, Let's Encrypt validation servers always connect to the validation token over port 80 (HTTP); there is no option to use another port for this challenge type. This is confirmed on the following page of the Let's Encrypt documentation:
HTTP-01 challenge | Challenge Types - Let's Encrypt

Resolution

Open port 80 for the server IP address in every firewall solution in use, both on the server and at any level above it.

Additionally, if an external DNS or proxy service (such as Cloudflare) is used for the domain, make sure that HTTP traffic on port 80 for the domain reaches exactly the same web server as HTTPS traffic on port 443.

Note: If the issue persists, contact the ISP, hosting provider, or network administrator for assistance in locating and removing the block.
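As an added pre-flight check (not part of this article and not Plesk's own tooling), the script below writes a throwaway token into a vhost's document root and fetches it the way a validation server would, over plain HTTP on port 80, then classifies the outcome into the failure modes described above (connect timeout, 401 from a proxy such as Varnish, 404, redirect, wrong site answering). The hostname and the webroot path are command-line arguments; the Plesk webroot path shown in the usage comment is an assumption about your layout.

```python
"""Pre-flight check for the HTTP-01 path: drop a throwaway token into the webroot,
fetch it over plain HTTP on port 80 and report the outcome in the article's terms."""
import http.client
import secrets
import socket
import sys
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"

def write_token(webroot: Path) -> tuple[str, str]:
    token = secrets.token_urlsafe(32)  # random file name, like a real challenge token
    body = "preflight-" + token
    target = webroot / CHALLENGE_DIR
    target.mkdir(parents=True, exist_ok=True)
    (target / token).write_text(body)
    return token, body

def classify(status: int, body: str, expected: str, location: str = "") -> dict:
    """Map an HTTP response to one of the failure modes described in this article."""
    if status == 200 and body.strip() == expected:
        return {"ok": True, "reason": "token served on port 80"}
    if 300 <= status < 400:  # Let's Encrypt follows redirects; the target must serve it
        return {"ok": False, "reason": f"redirected to {location}; recheck that target"}
    if status == 401:
        return {"ok": False, "reason": "401 from a proxy/cache (e.g. Varnish) in front of port 80"}
    if status == 404:
        return {"ok": False, "reason": "404: webroot or vhost answering on port 80 is not this domain's"}
    if status == 200:
        return {"ok": False, "reason": "200 with wrong body: another site answered on port 80"}
    return {"ok": False, "reason": f"unexpected HTTP status {status}"}

def fetch_token(host: str, token: str, expected: str, port: int = 80,
                timeout: float = 10.0) -> dict:
    """GET the token the way a validation server would: plain HTTP, port 80."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        conn.close()
    except socket.timeout:  # SYN dropped by a firewall: "Timeout during connect"
        return {"ok": False, "reason": "timeout during connect (likely firewall problem)"}
    except (OSError, http.client.HTTPException) as exc:
        return {"ok": False, "reason": f"connection error: {exc}"}
    return classify(resp.status, body, expected, resp.getheader("Location", ""))

if __name__ == "__main__":  # usage: preflight.py example.com /var/www/vhosts/example.com/httpdocs
    tok, exp = write_token(Path(sys.argv[2]))
    print(fetch_token(sys.argv[1], tok, exp))
```

Run it on the Plesk server as a user that can write to the webroot; a result of `ok: False` with the timeout reason reproduces the filtered-port state shown by nmap above, while a 401 or 404 points at the proxy or vhost configuration rather than the firewall.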

Comments

  • Hello,
    I have this problem.
    Port 80 is open.
    Tried to reissue the certificate with the Plesk firewall disabled, but no success.
  • Same problem. I have the default firewall rules (WWW rule is accept), but Let's Encrypt times out. The .well-known is accessible via the URL, I can see the non-HTTPS request go in the log with a 301, so something in the firewall is blocking Let's Encrypt (and only Let's Encrypt) on HTTPS.

    It will only work if I disable the firewall. Could Plesk have a look, because this is a bug in the default rules?
