Unable to install Let's Encrypt certificate either for a domain example.com in Domains > example.com > SSL/TLS Certificates or for securing Plesk in Tools & Settings > SSL/TLS Certificates > Let's Encrypt, with one of the following error messages:
Detail: Fetching http://example.com/.well-known/acme-challenge/do75fK79n_uF9JimlezVpQQQfmvHaOVd7T8cjZKVvWk: Timeout during connect (likely firewall problem)
Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/dlJ9iUsYRM51xlzLkS8KpRJYccRh1yKRUJEPgLMoRFc.
Details: Fetching https://example.com:8443/.well-known/acme-challenge/44DVtYx2WBKaujKCYO7tOxZ4nS2-m_-Ci5dLoQw0X34 Error getting validation data
An SSL / TLS certificate could not be issued for example.com
The SSL / TLS Let's Encrypt certificate could not be issued for example.com . Authorization error for the domain.
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxx.
Type: urn: ietf: params: acme: error: connection
Detail: Fetching http://example.com/.well-known/acme-challenge/DOgtM-HLdDLxfaGej39Fip168f6njHhwot47XuyGANo: Error getting validation data
example.comresolves to the IP address of the Plesk server on IPv4 and/or IPv6:
# dig +short example.com
# dig +short -t AAAA example.com
The domain example.com is hosted on the same Plesk server, and only IPv4 address is assigned to it in Domains > example.com > Web Hosting Access.
The following error might be shown when accessing http://example.com in the browser:
This site can’t be reached
Port 80 and/or 443 is filtered by a firewall:
# nmap -p 80 example.com
PORT STATE SERVICE
80/tcp filtered http
# nmap -p 443 example.com
PORT STATE SERVICE
443/tcp filtered http
Note: If domain example.com resolves to IPv4 and IPv6, HTTP and HTTPS traffic must be allowed to both networks.
- If the firewall is configured on the Plesk server, open the ports 80 and 443 for incoming connections as described in the article What ports need to be opened for all Plesk Services to work with a firewall
- If Plesk is installed on a public cloud service, follow the instructions to open ports 80 and 443: for Amazon EC2, for Amazon Lightsail, for Google Cloud, for Microsoft Azure, for Alibaba Cloud.
- If some intermediate firewall/router is configured between the Plesk server and an external network, ports 80 and 443 should be opened on it as well.
As alternative solution, when only IPv6 ports are blocked:
Go to Domains > example.com > Web Hosting Access and disable IPv6 address.
Note: If the IPv6 address is defined externally it can be removed on the registrar's side.
Unable to issue a Let's Encrypt certificate: The token file is either unreadable or does not have the read permission
What ports need to be opened for all Plesk Services to work with a firewall