Unable to install Let's Encrypt SSL: Timeout during connect (likely firewall problem): Domain ports 80 and 443 are not accessible from certain locations

Applicable to:

  • Plesk for Linux
  • Plesk for Windows

Symptoms

  • Installation of a Let's Encrypt SSL on a Plesk domain fails with an error that is similar to the following:

PLESK_ERROR: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/****.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching http://example.com/.well-known/acme-challenge/tXc5R9lB_xBqplWub_cGNOksJH1ZnF3_D7WotMqGFZc: Timeout during connect (likely firewall problem)

  • Domain is not accessible from certain locations or certain countries with:

CONFIG_TEXT: ERR_CONNECTION_TIMED_OUT

  • Connecting to the Plesk server IP address on ports 80 and 443 fails from certain locations or countries:

# telnet 203.0.113.2 80
Connecting To 203.0.113.2...Could not open connection to the host, on port 80: Connect failed 

Cause

Access to the domain on ports 80 and 443 is blocked completely or filtered for entire locations or countries at a network level above the Plesk server itself. As a result, the Let's Encrypt verification servers cannot fetch the domain's verification token.

Let's Encrypt verification servers are located in many different places around the world. To verify an SSL order, they request the domain's HTTP token URL, such as http://example.com/.well-known/acme-challenge/tXc5R9lB_xBqplWub_cGNOksJH1ZnF3_D7WotMqGFZc, and validate the challenge against the token file served there.

If they cannot open that token file for any reason, the SSL order verification process fails with Timeout during connect (likely firewall problem).

Resolution

Contact your server provider (or your own internet service provider, if it is a home server) and ask them to check why some ports on your server's IP address, including 443 and 80, are accessible only from some locations and countries around the globe.

Networking tasks such as country restrictions and traffic filtering should be handled by the server owner. Plesk is part of the server infrastructure and cannot affect anything on levels above the server, so it depends on how the networking layers above it are configured.
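
To collect evidence for the provider, the following added example (not part of the original Plesk article) probes ports 80 and 443 from the machine it runs on and separates a silent connect timeout, which matches the error above, from a refused connection. The function names and the default address 203.0.113.2 (the documentation address used in the Symptoms section) are assumptions.

```python
import errno
import socket
import sys


def classify(exc):
    """Map the outcome of a TCP connect attempt to a short verdict."""
    if exc is None:
        return "open"          # three-way handshake completed
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"       # no reply at all: packets dropped on the path
    if isinstance(exc, ConnectionRefusedError):
        return "refused"       # host answered with a reset: nothing listening
    if isinstance(exc, socket.gaierror):
        return "dns-failure"   # the name did not resolve
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH,
                                                  errno.ENETUNREACH):
        return "unreachable"   # no route from this vantage point
    return "error"


def probe(host, port, timeout=5.0):
    """Attempt one TCP connection and return the verdict for it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)


def report(host, ports=(80, 443), timeout=5.0):
    """Probe the ports used for HTTP-01 validation and HTTPS."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Assumed default: the documentation address from the telnet example.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.2"
    for port, verdict in report(target).items():
        print(f"{target}:{port} -> {verdict}")
```

Run it from several networks or countries and compare the output: "timeout" from some vantage points and "open" from others points to filtering above the server, while "refused" everywhere points to the web server itself.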
