
Unable to issue Let's Encrypt Certificate : Status : 400 Timeout during connect (likely firewall problem)


Applicable to:

  • Plesk for Linux
  • Plesk for Windows

Symptoms

  • An attempt to issue a Let's Encrypt certificate fails with the error:

    PLESK_ERROR: We can not create an SSL Certificate for example.com:
    Type: urn:ietf:params:acme:error:connection
    Status: 400
    Detail: 203.0.113.2: Fetching https://example.com/.well-known/acme-challenge/YqQkDV1cAaR_L7F45tDIoWCBYX9QX3ReoPEgayOb2: Timeout during connect (likely firewall problem).

  • Ports 443 and 80 are open for the IP address from which the website loads
  • Trying to curl the address fails with one of the following errors:

    # curl https://example.com/.well-known/acme-challenge/YqQkDV1cAaR_L7F45tDIoWCBYX9QX3ReoPEgayOb2
    curl: (51) SSL: no alternative certificate subject name matches target host name 'example.com'

    # curl https://example.com/.well-known/acme-challenge/wEazPf4SbPyWqsQjiRInl-BS0pD2LcJvWqrghiQom-w
    curl: (60) SSL certificate problem: certificate has expired
    More details here: https://curl.haxx.se/docs/sslcerts.html

  • Visiting the HTTP address shows that a redirection is happening:

    # curl http://example.com/.well-known/acme-challenge/YqQkDV1cAaR_L7F45tDIoWCBYX9QX3ReoPEgayOb2
    <html>
    <head><title>301 Moved Permanently</title></head>
    <body>
    <center><h1>301 Moved Permanently</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>

Cause

Validation fails because the HTTP to HTTPS SEO redirection is enabled. The Let's Encrypt servers need to access a URL like http://example.com/.well-known/acme-challenge/YqQkDV1cAaR_L7F45tDIoWCBYX9QX3ReoPEgayOb2 via HTTP. With the redirection enabled, that request is sent on to HTTPS, where the SSL certificate is either expired or not functioning properly. This causes another error, and the URL becomes unreachable.
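The two curl checks from the Symptoms section can be combined into one pre-check that names the condition before a certificate is requested again. This is an added example, not part of the original article; the function names, the result labels and the placeholder file name `precheck` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Plesk article): repeat the HTTP and HTTPS curl
# checks from the Symptoms section and print one label for the result.

# classify HTTP_STATUS REDIRECT_URL HTTPS_CURL_EXIT -> label on stdout
classify() {
    status="$1"; location="$2"; tls_rc="$3"
    case "$status" in
        200|404) echo "http-no-redirect"; return 0 ;;   # plain HTTP is answered directly
        301|302|307|308) ;;                             # redirect, inspect the target
        *) echo "http-unreachable"; return 0 ;;         # 000 means curl got no response
    esac
    case "$location" in
        https://*) ;;
        *) echo "redirect-not-https"; return 0 ;;
    esac
    case "$tls_rc" in
        0) echo "redirect-https-ok" ;;
        51|60) echo "redirect-to-broken-tls" ;;         # the curl errors shown in Symptoms
        *) echo "redirect-https-unreachable" ;;         # e.g. 7 (refused), 28 (timeout)
    esac
}

# check_domain DOMAIN: request the challenge directory over plain HTTP without
# following the redirect, then probe the redirect target with certificate
# verification left on. "precheck" is a constructed placeholder file name.
check_domain() {
    url="http://$1/.well-known/acme-challenge/precheck"
    out=$(curl -s -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' "$url") || true
    status=${out%% *}
    location=${out#* }
    tls_rc=0
    if [ -n "$location" ]; then
        curl -s -o /dev/null --max-time 10 "$location" || tls_rc=$?
    fi
    classify "$status" "$location" "$tls_rc"
}

# Runs only when a domain is given, e.g.: sh precheck.sh example.com
[ "$#" -eq 0 ] || check_domain "$1"
```

The label `redirect-to-broken-tls` corresponds to the situation described in this article: a 301 to HTTPS combined with curl error 51 or 60 on the HTTPS URL.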

Resolution

  1. Log in to Plesk
  2. Go to Domains > example.com > Hosting & DNS > Hosting
  3. Disable the option "Redirect visitors from HTTP to HTTPS via a SEO friendly 301 redirect"
  4. Issue the Let's Encrypt SSL certificate for this domain again
  5. Re-enable the option "Redirect visitors from HTTP to HTTPS via a SEO friendly 301 redirect"