
Resolved Letsencrypt SSL problem for hosting type alias domains

nisamudeen97

Regular Pleskian
Hi,

I am getting the below error for the main domain while trying to add SSL for my alias domain. My problem is I need to get the redirection to work whenever https is called for my domain. Currently I am getting an https warning.

let me explain

1. Domain.com real domain
2. Domain-alias.com: the domain name to which domain.com forwards

Whenever I try to configure SSL for domain.com I get the below error.


Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/iEmkJZA84JSVgdXEpUf658XtpoNr0nzwwC6mQj7AmuM.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching Website Domains Names & Hosting | Domain.com: Timeout during connect (likely firewall problem)
 
This error basically says that the Let's Encrypt servers are unable to connect to your domain to retrieve the Let's Encrypt validation token.

Check the following things:
1) Does your domain resolve to the correct IP address? Both with and without www?
2) Does your firewall permit connections to ports 80 and 443 from the outside world?
 
Hi,

1. Already checked and it resolves as needed, both with and without www.
2. Yes, I have a firewall and it is allowing connections to ports 80 and 443 from outside.
 
Hi,

Thx for the clarification. I was trying to install SSL for multiple alias domains, i.e. there was a list of 28 domains and the 4th one in the list had missing DNS for www, and hence everything from 4 to 28 was failing. So what I understand is that if one in a list fails, all below it will fail.


Issue is solved.
 
I have the same problem, with new or renewed SSL with the Plesk Extension on 2 servers.

Timeout during connect (likely firewall problem) ???????

This error only appeared recently - can this be a bug since the last version?!


With and without firewall - ports are always open...
dig resolves the correct IP...


I'm almost crazy - What else can I test?

Thank you for your help.
 
Welcome to the broken world of LetsEncrypt

We have dozens of servers, where we experience the very same problem since a couple weeks.
It's not Plesk directly that's to blame, as we also run standalone Windows servers with handwritten scripts and tools (for requesting and renewing LetsEncrypt certificates) where we have these errors.

These happen when the original validation requests by LetsEncrypt get redirected (301 or 302) to a different URL. In these cases the validation often fails and will result in this "Timeout during connect" error.
In the case of Plesk, it's unfortunately the de facto standard to have all these validation requests redirected (due to https and primary domain enforcement on the website itself).


What we have observed so far is that the validation of a URL/domain will succeed if you try it a second time.
So, just try to manually renew this certificate in the Plesk panel again and it should work.
Of course, if you have multiple alias domains on that website, you may need to do that many times......


So far we did not find a solution, well except getting rid of the http 301/302 redirection for the validation of LetsEncrypt when using the http-01 method.
Unfortunately this would be something that needs to be changed by Plesk.

I was never a fan of the current implementation, where the validation (.well-known/acme-challenge) is placed on the website itself.
This just asks for trouble due to redirects and rewrites created by customers that you have no control over.

It would be way better to intercept the .well-known/acme-challenge requests on a global scale with an nginx configuration snippet like this in every vhost:
Code:
location /.well-known/acme-challenge/ {
        # 'root' appends the full request path, so tokens are read from
        # /opt/letsencrypt/acme-challenge/.well-known/acme-challenge/<token>;
        # use 'alias' instead if the tokens sit directly in that directory
        root /opt/letsencrypt/acme-challenge;
}
 
STOP - our server was not IPv6 ready :( This was my mistake :oops:

I added the following lines in /etc/sysconfig/network-scripts/ifcfg-eth0

+> IPV6ADDR=2a01:238:43be:bc00::2/64
+> IPV6_DEFAULTGW=fe80::1
+> IPV6_DEFAULTDEV=eth0

For what is the "IPV6ADDR_SECONDARIES=" line?

And now IPv6 and Let's Encrypt ready

Thank You
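As an added example (not from any poster in this thread and not Plesk's own code), a small Python pre-flight check that covers the three failure modes reported above: a name with no DNS record, an AAAA record published for a host that is not IPv6 ready, and a 301/302 that sends the http-01 request away from the challenge path. It connects to port 80 on each published address directly and never follows redirects, so a 404 for the constructed probe token is the healthy answer; hostnames and addresses used with it are assumptions.

```python
import socket
from http.client import HTTPConnection
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
PROBE = CHALLENGE_PREFIX + "preflight-probe-token"  # constructed name; a 404 for it is the healthy answer

def resolve(host):
    """Return the A and AAAA addresses published in DNS for host (empty lists if none)."""
    out = {"A": [], "AAAA": []}
    for fam, key in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            out[key] = sorted({r[4][0] for r in socket.getaddrinfo(host, 80, fam, socket.SOCK_STREAM)})
        except socket.gaierror:
            pass
    return out

def probe(host, ip, timeout=10):
    """GET the probe path on one address without following redirects; (None, None) if connect fails."""
    try:
        conn = HTTPConnection(ip, 80, timeout=timeout)
        conn.request("GET", PROBE, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except OSError:
        return None, None

def diagnose(records, responses):
    """Pure decision logic (offline-testable): records from resolve(), responses {"A"/"AAAA": (status, Location)}."""
    if not records["A"] and not records["AAAA"]:
        return "no-dns"                       # the 4th of 28 domains with no www record
    for key in ("A", "AAAA"):
        if not records[key]:
            continue
        status, location = responses[key]
        if status is None:                    # e.g. AAAA published but host not IPv6 ready
            return "unreachable-" + key
        if status in (301, 302, 307, 308) and not urlsplit(location or "").path.startswith(CHALLENGE_PREFIX):
            return "redirect-leaves-challenge-path-" + key
    return "ok"

def preflight(domain):
    """Check the bare and www. names, as the validator will; returns {host: verdict}."""
    results = {}
    for host in (domain, "www." + domain):
        records = resolve(host)
        responses = {k: probe(host, records[k][0]) if records[k] else (None, None) for k in records}
        results[host] = diagnose(records, responses)
    return results
```

Run `preflight("domain.example")` for each alias before requesting the certificate; the first verdict that is not "ok" is the one the validator will trip over, and on a multi-domain list that is where the rest of the list starts failing.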
 