• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Letsencrypt SSL problem for hosting type alias domains

nisamudeen97

Regular Pleskian
Hi,

I am getting the below error for main domain while trying to add SSL for my alias domain. My problem is i need to get redirection work when ever https is called for my domain. Currently I am getting https warning.

let me explain

1. Domain.com real domain
2. Domain-alias.com the domain name to which domain.com forwards to

when ever I try to configure ssl for domain.com i get the below error.


Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/iEmkJZA84JSVgdXEpUf658XtpoNr0nzwwC6mQj7AmuM.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching Website Domains Names & Hosting | Domain.com: Timeout during connect (likely firewall problem)
 
This error basically says that the Let's Encrypt servers are unable to connect to your domain to retrieve the Let's Encrypt validation token.

Check the following things:
1) Does your domain resolve to the correct IP address? Both with and without www. ?
2) Does your firewall permit connections to ports 80 and 443 from the outside world?
 
Hi,

1. Already checked and it resolves as needed. Both with and without www
2. Yes I have firewall and it is allowing to connect to port 80 and 443 from outside
 
Hi,

Thx for the clarification. I was trying to install SSL for multi alias domains. Ie there was a list of 28 domains and 4th one in the list had missing DNS for www and hence everything from 4 to 28 was getting failed. So what I understand is if in a list one fails all below will fail.


Issue is solved.
 
I have the same problem, with new or renew SSL with the Plesk Extention on 2 Servers.

Timeout during connect (likely firewall problem) ???????

This mistake is only recently - can this a bug since the last version ?!?!


With and without Firewall - ports are allways open...
DIG resolvt the correct IP...


I'm almost crazy - What else can I test?

Thank you for your help.
 
Last edited:
Welcome to the broken world of LetsEncrypt

We have dozens of servers, where we experience the very same problem since a couple weeks.
It's not Plesk directly that's to blame, as we do also run standalone Windows servers with handwritten scripts and tools (for requesting and renewing LetsEncrypt certificates) were we have these errors.

These happen when the original validation requests by LetsEncypt gets redirected (301 or 302) to a different URL. In these cases the validation often fails and will result in this "Timeout during connect" error.
In case of Plesk, it's unfortunately the defacto standard to have all these validation requests redirected. (due to https and primary domain enforcement on the website itself)


What we have observed so far, is that the validation of an url/domain will succeed if you try it a second time.
So, just try to manually renew this certificate in the Plesk panel again and it should work.
Of course, if you have multiple alias domains on that website, you may need to do that many times......


So far we did not find a solution, well except getting rid of http 301/302 redirection for the validation of LetsEncypt when using the http-01 method..
Unfortunately this would be something that needs to be changed by Plesk.

I was never a fan of the current implementation, where the validation (.well-known/acme-challange) is placed on the website itself.
This just asks for troubles due to redirects and rewrites created by customers and you have no control over.

It would be way better to intercept the .well-known/acme-challange requests on a global scale with an nginx configuration snippet like this in every vhost
Code:
location /.well-known/acme-challenge/ {
        root /opt/letsencrypt/acme-challenge;
}
 
STOP - our server was not IPv6 ready :( This was my mistake :oops:

I added the following lines in /etc/sysconfig/network-scripts/ifcfg-eth0

+> IPV6ADDR=2a01:238:43be:bc00::2/64
+> IPV6_DEFAULTGW=fe80::1
+> IPV6_DEFAULTDEV=eth0

For what is the "IPV6ADDR_SECONDARIES=" line?

And now IPv6 and Let´s Encrypte ready

Thank You
 
Back
Top