Plesk

Unable to issue Let’s Encrypt certificate in Plesk: “Connection refused” or “Error getting validation data” or “Connection reset by peer”

Symptoms

Cause

Firewall rules filter ports 80 and/or 443.

Resolution

Modify firewall rules to allow incoming connections:

  1. Log in to Plesk via SSH

  2. Allow incoming connections to TCP ports 443 and 80:

    1. For IPv4 connections, allow ports 80 and 443 using Plesk firewall

    2. If IPv6 is used, add firewall rules to ip6tables:

      1. Execute the following commands:

        # ip6tables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

        # ip6tables -I INPUT 1 -p tcp --dport 443 -j ACCEPT

      2. Make the rules permanent:

        Debian/Ubuntu:

        # ip6tables-save > /etc/iptables/rules.v6

        RHEL/CentOS:

        # ip6tables-save > /etc/sysconfig/ip6tables
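To confirm the saved rules take effect, this added example (not part of the Plesk article) reads a ruleset in `ip6tables-save` format and reports whether TCP 80 and 443 reach an ACCEPT on INPUT before any blocking rule, which is what inserting at position 1 guarantees. The function names and the sample ruleset are constructed for illustration; custom chains are not followed, and rules with extra match conditions or port ranges are ignored.

```shell
#!/bin/sh
# Added example: first-match check of an ip6tables-save ruleset for the two
# ports the article opens. Assumption: only the INPUT chain is inspected.

# port_accepted PORT < ruleset
# Returns 0 if the first unconditional INPUT rule covering tcp/PORT is ACCEPT.
# Rules with other conditions (-s, -i, --state ...) are skipped, so the check
# errs towards reporting a port as missing.
port_accepted() {
    awk -v port="$1" '
        $1 != "-A" || $2 != "INPUT" { next }
        {
            target = ""; proto = ""; ports = ""; extra = 0
            for (i = 3; i <= NF; i++) {
                if      ($i == "-j") target = $(++i)
                else if ($i == "-p") proto = $(++i)
                else if ($i == "-m" || $i == "--reject-with") i++
                else if ($i == "--dport" || $i == "--dports") ports = $(++i)
                else extra = 1
            }
            if (extra) next
            hit = (ports == "")              # no port match: covers every port
            n = split(ports, p, ",")
            for (k = 1; k <= n; k++) if (p[k] == port) hit = 1
            if (!hit || (proto != "" && proto != "tcp")) next
            if (target == "ACCEPT") { found = 1; exit }
            if (target == "DROP" || target == "REJECT") exit   # shadows later rules
        }
        END { exit (found ? 0 : 1) }'
}

# check_ruleset FILE: report on both ports; returns 1 if either is missing.
check_ruleset() {
    rc=0
    for port in 80 443; do
        if port_accepted "$port" < "$1"; then echo "ok: tcp/$port accepted"
        else echo "MISSING: tcp/$port has no effective ACCEPT in $1"; rc=1; fi
    done
    return "$rc"
}

# Constructed sample: 80 was appended after a catch-all REJECT, so it is shadowed.
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Usage: sh check.sh /etc/iptables/rules.v6   (or /etc/sysconfig/ip6tables)
if [ $# -gt 0 ]; then check_ruleset "$1"; fi
```
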

Note: If the issue persists after opening the ports, there may be an intermediate firewall filtering the traffic. In this case, contact the service provider, or alternatively contact the registrar and disable AAAA records for the domain.