• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Letsencrypt SSL problem for hosting type alias domains

nisamudeen97

nisamudeen97

Regular Pleskian
Hi,

I am getting the below error for main domain while trying to add SSL for my alias domain. My problem is i need to get redirection work when ever https is called for my domain. Currently I am getting https warning.

let me explain

1. Domain.com real domain
2. Domain-alias.com the domain name to which domain.com forwards to

when ever I try to configure ssl for domain.com i get the below error.


Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/iEmkJZA84JSVgdXEpUf658XtpoNr0nzwwC6mQj7AmuM.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching Website Domains Names & Hosting | Domain.com: Timeout during connect (likely firewall problem)
 
This error basically says that the Let's Encrypt servers are unable to connect to your domain to retrieve the Let's Encrypt validation token.

Check the following things:
1) Does your domain resolve to the correct IP address? Both with and without www. ?
2) Does your firewall permit connections to ports 80 and 443 from the outside world?
 
Hi,

1. Already checked and it resolves as needed. Both with and without www
2. Yes I have firewall and it is allowing to connect to port 80 and 443 from outside
 
Hi,

Thx for the clarification. I was trying to install SSL for multi alias domains. Ie there was a list of 28 domains and 4th one in the list had missing DNS for www and hence everything from 4 to 28 was getting failed. So what I understand is if in a list one fails all below will fail.


Issue is solved.
 
I have the same problem, with new or renew SSL with the Plesk Extention on 2 Servers.

Timeout during connect (likely firewall problem) ???????

This mistake is only recently - can this a bug since the last version ?!?!


With and without Firewall - ports are allways open...
DIG resolvt the correct IP...


I'm almost crazy - What else can I test?

Thank you for your help.
 
Last edited:
Welcome to the broken world of LetsEncrypt

We have dozens of servers, where we experience the very same problem since a couple weeks.
It's not Plesk directly that's to blame, as we do also run standalone Windows servers with handwritten scripts and tools (for requesting and renewing LetsEncrypt certificates) were we have these errors.

These happen when the original validation requests by LetsEncypt gets redirected (301 or 302) to a different URL. In these cases the validation often fails and will result in this "Timeout during connect" error.
In case of Plesk, it's unfortunately the defacto standard to have all these validation requests redirected. (due to https and primary domain enforcement on the website itself)


What we have observed so far, is that the validation of an url/domain will succeed if you try it a second time.
So, just try to manually renew this certificate in the Plesk panel again and it should work.
Of course, if you have multiple alias domains on that website, you may need to do that many times......


So far we did not find a solution, well except getting rid of http 301/302 redirection for the validation of LetsEncypt when using the http-01 method..
Unfortunately this would be something that needs to be changed by Plesk.

I was never a fan of the current implementation, where the validation (.well-known/acme-challange) is placed on the website itself.
This just asks for troubles due to redirects and rewrites created by customers and you have no control over.

It would be way better to intercept the .well-known/acme-challange requests on a global scale with an nginx configuration snippet like this in every vhost
Code: 
location /.well-known/acme-challenge/ {
        root /opt/letsencrypt/acme-challenge;
}
 
STOP - our server was not IPv6 ready :( This was my mistake :oops:

I added the following lines in /etc/sysconfig/network-scripts/ifcfg-eth0

+> IPV6ADDR=2a01:238:43be:bc00::2/64
+> IPV6_DEFAULTGW=fe80::1
+> IPV6_DEFAULTDEV=eth0

For what is the "IPV6ADDR_SECONDARIES=" line?

And now IPv6 and Let´s Encrypte ready

Thank You
 
You must log in or register to reply here.

Similar threads

M
Issue Wordpress MU alias domains with Let's Encrypt - hit the error: Order cannot contain more than 100 DNS names
Replies
1
Views
134
Kaspar
K
J
Issue Let's encrypt for Plesk cannot be renewed status 500
Replies
1
Views
366
Sebahat.hadzhi
Sebahat.hadzhi
L
Issue ( authorization token is unavailable ) Could not issue/renew Let`s Encrypt certificates
Replies
7
Views
373
Leta
L
D
Issue Lets Encrypt Not Successful over port 80
Replies
8
Views
2K
Daiv
D
H
Issue Lets Encrypt Issue - Type: urn:ietf:params:acme:error:caa
Replies
2
Views
585
HerrMatze
H
Back
Top