Knowledge Base

Unable to issue Let’s Encrypt certificate in Plesk: “Timeout during connect (likely firewall problem)” OR “Error getting validation data”

Symptoms

Unable to install Let's Encrypt certificate either for a domain example.com in Domains > example.com > SSL/TLS Certificates or for securing Plesk in Tools & Settings > SSL/TLS Certificates > Let's Encrypt, with one of the following error messages:

Detail: Fetching http://example.com/.well-known/acme-challenge/do75fK79n_uF9JimlezVpQQQfmvHaOVd7T8cjZKVvWk: Timeout during connect (likely firewall problem)

Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
Details:
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/dlJ9iUsYRM51xlzLkS8KpRJYccRh1yKRUJEPgLMoRFc.
Details:
Type: urn:acme:error:connection
Status: 400
Details: Fetching https://example.com:8443/.well-known/acme-challenge/44DVtYx2WBKaujKCYO7tOxZ4nS2-m_-Ci5dLoQw0X34 Error getting validation data

An SSL / TLS certificate could not be issued for example.com
Details
The SSL / TLS Let's Encrypt certificate could not be issued for example.com . Authorization error for the domain.
Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxx.
Details:
Type: urn: ietf: params: acme: error: connection
Status: 400
Detail: Fetching http://example.com/.well-known/acme-challenge/DOgtM-HLdDLxfaGej39Fip168f6njHhwot47XuyGANo: Error getting validation data
The domain example.com resolves to the IP address of the Plesk server on IPv4 and/or IPv6:

# dig +short example.com
203.0.113.2

# dig +short -t AAAA example.com
2001:db8:f61:a1ff:0:0:0:80
The domain example.com is hosted on the same Plesk server, and only IPv4 address is assigned to it in Domains > example.com > Web Hosting Access.
The following error might be shown when accessing http://example.com in the browser:

This site can’t be reached
ERR_CONNECTION_TIMED_OUT

Cause

Port 80 and/or 443 is filtered by a firewall:

# nmap -p 80 example.com
...
PORT STATE SERVICE
80/tcp filtered http

# nmap -p 443 example.com
PORT STATE SERVICE
443/tcp filtered http

Resolution

Note: If domain example.com resolves to IPv4 and IPv6, HTTP and HTTPS traffic must be allowed to both networks.

If the firewall is configured on the Plesk server, open the ports 80 and 443 for incoming connections as described in the article What ports need to be opened for all Plesk Services to work with a firewall
If Plesk is installed on a public cloud service, follow the instructions to open ports 80 and 443: for Amazon EC2, for Amazon Lightsail, for Google Cloud, for Microsoft Azure, for Alibaba Cloud.
If some intermediate firewall/router is configured between the Plesk server and an external network, ports 80 and 443 should be opened on it as well.

As alternative solution, when only IPv6 ports are blocked:

Log in to Plesk
Go to Domains > example.com > Web Hosting Access and disable IPv6 address.

Note: If the IPv6 address is defined externally it can be removed on the registrar's side.