Unable to issue Let’s Encrypt certificate in Plesk: “Timeout during connect (likely firewall problem)” OR “Error getting validation data”

Symptoms

• Unable to install Let's Encrypt certificate either for a domain example.com in Domains > example.com > SSL/TLS Certificates or for securing Plesk in Tools & Settings > SSL/TLS Certificates > Let's Encrypt, with one of the following error messages:

  Detail: Fetching http://example.com/.well-known/acme-challenge/do75fK79n_uF9JimlezVpQQQfmvHaOVd7T8cjZKVvWk: Timeout during connect (likely firewall problem)

  ---

  Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
  Details:
  Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/dlJ9iUsYRM51xlzLkS8KpRJYccRh1yKRUJEPgLMoRFc.
  Details:
  Type: urn:acme:error:connection
  Status: 400
  Details: Fetching https://example.com:8443/.well-known/acme-challenge/44DVtYx2WBKaujKCYO7tOxZ4nS2-m_-Ci5dLoQw0X34 Error getting validation data

  ---

  An SSL / TLS certificate could not be issued for example.com
  Details
  The SSL / TLS Let's Encrypt certificate could not be issued for example.com . Authorization error for the domain.
  Details
  Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxx.
  Details:
  Type: urn: ietf: params: acme: error: connection
  Status: 400
  Detail: Fetching http://example.com/.well-known/acme-challenge/DOgtM-HLdDLxfaGej39Fip168f6njHhwot47XuyGANo: Error getting validation data

• The domain example.com resolves to the IP address of the Plesk server on IPv4 and/or IPv6:

  # dig +short example.com
  203.0.113.2

  ---

  # dig +short -t AAAA example.com
  2001:db8:f61:a1ff:0:0:0:80

• The domain example.com is hosted on the same Plesk server, and only IPv4 address is assigned to it in Domains > example.com > Web Hosting Access.

• The following error might be shown when accessing http://example.com in the browser:

  This site can’t be reached
  ERR_CONNECTION_TIMED_OUT

Cause

Port 80 and/or 443 is filtered by a firewall:

# nmap -p 80 example.com
...
PORT STATE SERVICE
80/tcp filtered http

---

# nmap -p 443 example.com
PORT STATE SERVICE
443/tcp filtered http

Resolution

Note: If domain example.com resolves to IPv4 and IPv6, HTTP and HTTPS traffic must be allowed to both networks.

• If the firewall is configured on the Plesk server, open the ports 80 and 443 for incoming connections as described in the article What ports need to be opened for all Plesk Services to work with a firewall
• If Plesk is installed on a public cloud service, follow the instructions to open ports 80 and 443: for Amazon EC2, for Amazon Lightsail, for Google Cloud, for Microsoft Azure, for Alibaba Cloud.
• If some intermediate firewall/router is configured between the Plesk server and an external network, ports 80 and 443 should be opened on it as well.

As alternative solution, when only IPv6 ports are blocked:

1. Log in to Plesk

2. Go to Domains > example.com > Web Hosting Access and disable IPv6 address.

   Note: If the IPv6 address is defined externally it can be removed on the registrar's side.

Additional Information

Unable to issue a Let's Encrypt certificate: The token file is either unreadable or does not have the read permission

What ports need to be opened for all Plesk Services to work with a firewall