Applicable to:
- Plesk for Linux
Symptoms
- Can't issue or reissue a Let's Encrypt certificate for a domain or the Plesk panel hostname; the error is similar to one of the following:
Detail: Fetching http://example.com/.well-known/acme-challenge/do75fK79n_uF9JimlezVpQQQfmvHaOVd7T8cjZKVvWk: Timeout during connect (likely firewall problem)
Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/dlJ9iUsYRM51xlzLkS8KpRJYccRh1yKRUJEPgLMoRFc.
Type: urn:acme:error:connection
Status: 400
Details: Fetching https://example.com:8443/.well-known/acme-challenge/44DVtYx2WBKaujKCYO7tOxZ4nS2-m_-Ci5dLoQw0X34 Error getting validation data
An SSL / TLS certificate could not be issued for example.com
The SSL / TLS Let's Encrypt certificate could not be issued for example.com. Authorization error for the domain.
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxx.
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching http://example.com/.well-known/acme-challenge/DOgtM-HLdDLxfaGej39Fip168f6njHhwot47XuyGANo: Error getting validation data
Could not issue an SSL/TLS certificate for example.com
Details
Could not request a Let's Encrypt SSL/TLS certificate for example.com.
Go to http://example.com/.well-known/acme-challenge/jIdPOz-AJnOaU8bJUgwh50yrgPNeW-hBvpm-rnonHl8
and check if the authorization token is available.
If it is, try to request the certificate again. If the token is not available, there may be an issue with your DNS configuration.
Your domain in Plesk is hosted on the IP address(es): , but the DNS challenge used another IP: 203.0.113.2.
Make sure that the IP address(es) specified in the domain's DNS zone match the IP address(es) the domain is hosted on.
If it does not help or if you cannot find an issue with your DNS configuration, use this KB article for troubleshooting.
- The domain itself resolves to the correct Plesk server IP address, and the server is reachable on port 443 (HTTPS)
- Opening the site in a browser via HTTP may display an error similar to one of the following:
This site can’t be reached
ERR_CONNECTION_TIMED_OUT
Not Found
HTTP Error 404. The requested resource is not found.
Cause
Port 80 (HTTP) on the server IP address is filtered by a firewall, either on the server itself or at a level above it (for example, the hosting provider's network), so the Let's Encrypt validation server cannot reach the web server directory that holds the validation token via that port:
# nmap -Pn -p80 example.com
...
PORT STATE SERVICE
80/tcp filtered http
Note: For the HTTP-01 challenge, Let's Encrypt validation servers always connect to the validation token over port 80 (HTTP); port 443 is not used for the initial request. This is confirmed on the following page of the Let's Encrypt documentation:
HTTP-01 challenge | Challenge Types - Let's Encrypt
Resolution
Open the web server port 80 for the server IP address in all of the used firewall solutions.
Note: If the issue persists, contact the ISP, hosting provider, or network administrator for assistance in locating and removing the block.
- To automatically configure the internal firewall to allow all necessary connections, use Plesk Firewall. Additional software (like Imunify360) must also be configured according to its documentation.
- For external firewalls, follow the appropriate guide (contact the hosting provider if not listed): Amazon EC2, Lightsail, Google Cloud, Azure, Alibaba Cloud.
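The following shell script is an added example for the diagnosis described under Cause and Resolution; it is not part of the Plesk KB article or of Plesk itself. It parses nmap output in the shape shown above, maps the port-80 state to a next step, and optionally fetches a challenge path over plain HTTP the way the HTTP-01 validator does. The function names, the sample nmap output and the token value are constructed for illustration; nmap and curl are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the Plesk KB): diagnose whether a firewall is
# blocking port 80 and therefore the Let's Encrypt HTTP-01 validation.

# Print the nmap STATE column for the given TCP port from nmap output.
# Usage: port_state "<nmap output>" 80   -> open | closed | filtered
port_state() {
  printf '%s\n' "$1" | awk -v p="$2/tcp" '$1 == p { print $2; exit }'
}

# Translate the port-80 state into the action a Plesk administrator takes.
diagnose_port80() {
  case "$1" in
    open)
      echo "port 80 open: the firewall is not the cause; check the web server and vhost configuration" ;;
    filtered)
      echo "port 80 filtered: a firewall on the server or upstream drops HTTP; open port 80 in Plesk Firewall and in any external firewall (cloud security group)" ;;
    closed)
      echo "port 80 closed: nothing is listening; make sure the web server is running and bound to port 80" ;;
    *)
      echo "port 80 state unknown: rerun nmap -Pn -p80 <host>" ;;
  esac
}

# Fetch a token over plain HTTP exactly as the HTTP-01 validator would
# (requires network). A filtered port shows up as a curl timeout, which
# prints HTTP code 000, matching the KB's "Timeout during connect" error.
# The token is a hypothetical value; in a real check use the one Plesk wrote.
check_challenge_path() {
  domain="$1"; token="$2"
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
         "http://$domain/.well-known/acme-challenge/$token") || code=000
  echo "$code"
}

# Constructed sample outputs in the shape of the KB's nmap listing.
SAMPLE_FILTERED='Starting Nmap ( https://nmap.org )
PORT   STATE    SERVICE
80/tcp filtered http'

SAMPLE_OPEN='PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https'

# Stand-alone use: ./check_port80.sh example.com [token]
if [ "$#" -ge 1 ]; then
  out=$(nmap -Pn -p80 "$1" 2>/dev/null) || out=""
  diagnose_port80 "$(port_state "$out" 80)"
  if [ "$#" -ge 2 ]; then
    echo "HTTP code for challenge path: $(check_challenge_path "$1" "$2")"
  fi
else
  # Demonstration on the constructed samples when no host is given.
  diagnose_port80 "$(port_state "$SAMPLE_FILTERED" 80)"
  diagnose_port80 "$(port_state "$SAMPLE_OPEN" 80)"
fi
```

Run the script with the domain from the error message as its first argument; a "filtered" result on port 80 together with an open port 443 is the pattern this article describes, and the fix is the firewall change above, not a DNS or web server change.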