Symptoms
- Unable to issue Let’s Encrypt certificate for example.com:
PLESK_ERROR: Error: Could not issue a Let’s Encrypt SSL/TLS certificate for example.com Authorization for the domain failed.
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/Zsp9keucq_5bElhpjJS4VlApIYjwHcr9Tzr6Vb-0N9c.
Details:
Type: urn:acme:error:connection
Status: 400
Detail: Fetching http://example.com/.well-known/acme-challenge/A0w1TWCsHraPRVnbD8Ds8o1FaiIv19Q-4wifWlGHv_0: Connection refused
or
PLESK_ERROR: Error: Could not issue a Let’s Encrypt SSL/TLS certificate for example.com Authorization for the domain failed.
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/Zsp9keucq_5bElhpjJS4VlApIYjwHcr9Tzr6Vb-0N9c.
Details:
Type: urn:acme:error:connection
Status: 400
Detail: Fetching https://www.example.com/.well-known/acme-challenge/Jp2aL_WXqqouVCnjLlEBGtzJwCezl006nviGzgKUVZA: Error getting validation data
Cause
Firewall settings filter 80 and/or 443 ports via IPv6.
Resolution
Either one of the following actions can be performed in order to avoid this problem:
Modify firewall rules and allow incoming IPv6 connections (Recommended)
- Log in to Plesk via SSH
- Allow incoming IPv6 connections to TCP ports 443 and 80:
# ip6tables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
# ip6tables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
- Make the rules permanent:
Debian/Ubuntu:
# ip6tables-save > /etc/iptables/rules.v6
RHEL/CentOS:
# ip6tables-save > /etc/sysconfig/ip6tables
Note: If the issue persists after opening the ports, there may be an intermediate firewall in between. In this case, contact the service provider or, alternatively, contact the registrar and disable AAAA records for the domain.
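To confirm that the inserted rules take effect ahead of any reject rule, the following added example (not part of the original article or of Plesk) evaluates `ip6tables -S INPUT` output for a given TCP port on a first-match basis. The function name `v6_port_verdict` and both sample rule sets are constructed for illustration; only port rules and unconditional rules are evaluated.

```shell
#!/usr/bin/env bash
# Added example: first-match verdict for a TCP port from `ip6tables -S INPUT`.
# Simplification (assumption): only --dport/--dports rules and unconditional
# "-A INPUT -j TARGET" rules count; interface/source/state rules are skipped.
v6_port_verdict() {   # usage: ip6tables -S INPUT | v6_port_verdict 80
  awk -v port="$1" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
      target = ""; hit = 0; tcp = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-j") target = $(i + 1)
        if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
        if ($i == "--dport" || $i == "--dports") {
          n = split($(i + 1), list, ",")
          for (k = 1; k <= n; k++) {
            m = split(list[k], r, ":")          # "a:b" is a port range
            lo = r[1]; hi = (m == 2) ? r[2] : r[1]
            if (port + 0 >= lo + 0 && port + 0 <= hi + 0) hit = 1
          }
        }
      }
      if (target !~ /^(ACCEPT|DROP|REJECT)$/) next
      if ((tcp && hit) || $3 == "-j") { print target; found = 1; exit }
    }
    END { if (!found) print "POLICY:" (policy == "" ? "unknown" : policy) }
  '
}

# Constructed rule set (not from a real server): state before the fix.
sample_before='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited'

# Same rule set after the two "ip6tables -I INPUT 1 ..." commands.
sample_after='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited'

for p in 80 443; do
  echo "port $p before: $(printf '%s\n' "$sample_before" | v6_port_verdict "$p")"
  echo "port $p after:  $(printf '%s\n' "$sample_after" | v6_port_verdict "$p")"
done
```

An ACCEPT verdict covers only the local rule set; it says nothing about an intermediate firewall such as the one the note above describes.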
Temporarily disable IPv6 on the server
- Log in to Plesk via SSH
- Disable IPv6 on the server:
# sysctl -w net.ipv6.conf.all.disable_ipv6=1
# sysctl -w net.ipv6.conf.default.disable_ipv6=1
- Issue the certificate
- Enable IPv6 again:
# sysctl -w net.ipv6.conf.all.disable_ipv6=0
# sysctl -w net.ipv6.conf.default.disable_ipv6=0
- Restart the network service (this doesn’t cause any downtime or connection loss):
Debian/Ubuntu:
# service networking restart
RHEL/CentOS:
# service network restart
Note: This is a temporary workaround and the next automatic renewal may fail the same way.