Knowledge Base

Can’t issue or reissue Let’s Encrypt certificate in Plesk: Timeout during connect (likely firewall problem) / Error getting validation data

Symptoms

Can't issue or reissue Let's Encrypt certificate for a domain or the Plesk panel hostname, while receiving an error that is similar to the following:

Detail: Fetching http://example.com/.well-known/acme-challenge/do75fK79n_uF9JimlezVpQQQfmvHaOVd7T8cjZKVvWk: Timeout during connect (likely firewall problem)

Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/dlJ9iUsYRM51xlzLkS8KpRJYccRh1yKRUJEPgLMoRFc.
Type: urn:acme:error:connection
Status: 400
Details: Fetching https://example.com:8443/.well-known/acme-challenge/44DVtYx2WBKaujKCYO7tOxZ4nS2-m_-Ci5dLoQw0X34 Error getting validation data

An SSL / TLS certificate could not be issued for example.com
The SSL / TLS Let's Encrypt certificate could not be issued for example.com. Authorization error for the domain.
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxx.
Type: urn: ietf: params: acme: error: connection
Status: 400
Detail: Fetching http://example.com/.well-known/acme-challenge/DOgtM-HLdDLxfaGej39Fip168f6njHhwot47XuyGANo: Error getting validation data

Could not issue an SSL/TLS certificate for example.com
Details
Could not request a Let's Encrypt SSL/TLS certificate for example.com.
Go to http://example.com/.well-known/acme-challenge/jIdPOz-AJnOaU8bJUgwh50yrgPNeW-hBvpm-rnonHl8
and сheck if the authorization token is available.
If it is, try to request the certificate again. If the token is not available, there may be an issue with your DNS configuration.
Your domain in Plesk is hosted on the IP address(es): , but the DNS challenge used another IP: 203.0.113.2.
Make sure that the IP address(es) specified in the domain's DNS zone match the IP address(es) the domain is hosted on.
If it does not help or if you cannot find an issue with your DNS configuration, use this KB article for troubleshooting.
The related domain itself resolves to the correct Plesk server IP address via port 443 (HTTPS)
Opening the site in a browser via HTTP may display an error that is similar to the following:

This site can’t be reached
ERR_CONNECTION_TIMED_OUT

Not Found
HTTP Error 404. The requested resource is not found.

Cause

Port 80 (HTTP) for the server IP address is filtered by a firewall that resides on the server or on a level above it and a connection to the web server directory and the Let's Encrypt validation token via that port is not possible:

# nmap -Pn -p80 example.com
...
PORT STATE SERVICE
80/tcp filtered http

Note: Let's Encrypt validation servers can only use the HTTP-01 challenge while establishing a connection to the target validation token via port 80 (HTTP protocol), which can be confirmed on the following page of the Let's Encrypt documentation:
HTTP-01 challenge | Challenge Types - Let's Encrypt

Resolution

Open the web server port 80 for the server IP address in all of the used firewall solutions.

Note: If the issue persists, contact the ISP, hosting provider, or network administrator for assistance locating and opening the block.

To automatically configure the external firewall to allow all necessary connections, use Plesk Firewall. Additional software (like Imunify360) must also be configured…

Could not issue a Let’s Encrypt certificate: DNS zone contains an AAAA record, but the domain is not assigned an IPv6 address in Plesk

A website hosted in Plesk fails to load when Cloudflare is used: ERR_TOO_MANY_REDIRECTS

A website hosted in Plesk uses an old SSL certificate or is not accessible via HTTPS: ERR_CONNECTION_RESET

Let’s Encrypt certificate installation fails for a domain in Plesk for Windows Server: The authorization token is not available

Hosting Wiki