Knowledge Base

Unable to issue Let’s Encrypt certificate in Plesk: “Connection refused” or “Error getting validation data”

 
applications extensionscentosfirewallhttpsletsencrypt

Symptoms

  • Unable to issue Let’s Encrypt certificate for example.com:

    PLESK_ERROR: Error: Could not issue a Let’s Encrypt SSL/TLS certificate for example.com Authorization for the domain failed.
    Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/Zsp9keucq_5bElhpjJS4VlApIYjwHcr9Tzr6Vb-0N9c.
    Details:
    Type: urn:acme:error:connection
    Status: 400
    Detail: Fetching http://example.com/.well-known/acme-challenge/A0w1TWCsHraPRVnbD8Ds8o1FaiIv19Q-4wifWlGHv_0: Connection refused

    or

    PLESK_ERROR: Error: Could not issue a Let’s Encrypt SSL/TLS certificate for example.com Authorization for the domain failed.
    Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/Zsp9keucq_5bElhpjJS4VlApIYjwHcr9Tzr6Vb-0N9c.
    Details:
    Type: urn:acme:error:connection
    Status: 400
    Detail: Fetching https://www.example.com/.well-known/acme-challenge/Jp2aL_WXqqouVCnjLlEBGtzJwCezl006nviGzgKUVZA: Error getting validation data

Cause

Firewall settings filter 80 and/or 443 ports via IPv6.

Resolution

Either one of the following actions can be performed in order to avoid this problem:

Click on a section to expand

Modify firewall rules and allow incoming IPv6 connections (Recommended)

  1. Log in to Plesk via SSH

  2. Allow incoming IPv6 connections to TCP ports 443 and 80:

    # ip6tables -I INPUT 1 -p tcp –dport 80 -j ACCEPT

    # ip6tables -I INPUT 1 -p tcp –dport 443 -j ACCEPT

  3. Make the rules permanent:

    Debian/Ubuntu:

    # ip6tables-save > /etc/iptables/rules.v6

    RHEL/CentOS:

    # ip6tables-save > /etc/sysconfig/ip6tables

Note: If the issue still persists after opening port, there may be an intermediate firewall between. In this case, it is required to contact the service provider or, alternatively, contact the registrar and disable AAAA records for the domain.

Temporary disable IPv6 on the server

  1. Log in to Plesk via SSH

  2. Disable IPv6 on the server:

    # sysctl -w net.ipv6.conf.all.disable_ipv6=1

    # sysctl -w net.ipv6.conf.default.disable_ipv6=1

  3. Issue the certificate

  4. Enable IPv6 again:

    # sysctl -w net.ipv6.conf.all.disable_ipv6=0

    # sysctl -w net.ipv6.conf.default.disable_ipv6=0

  5. Restart network service (this doesn’t cause any downtime or connection lost):

    Debian/Ubuntu:

    # service networking restart

    RHEL/CentOS:

    # service network restart

Note: This is a temporary workaround and the next automatic renewal may fail the same way.

Read the full article
Related Posts
Knowledge Base

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

Follow us:

Facebook Twitter Linkedin Youtube Github

© 2021 Plesk International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of Plesk International GmbH.

Managed with 💙  with Plesk WordPress Toolkit

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt