Certbot, force IPv4?


Is there a way to force certbot to use only IPv4 for renewals?
I have a setup in which the domain is hosted on an IPv6-only VPS, renewal for this works fine. For IPv4 the domain is shared with others and NGINX is used as a reverse proxy, here is where it fails. Trying to renew the certificate make let’s encrypt try to find the information on the IPv6 host.


Hi @Hermanverschooten

not directly.

You can

  • remove the ipv6 entry
  • add a redirect ipv6 domain -> other domain (or new subdomain) only with ipv4 on your ipv4 config and use that. Letsencrypt follows such redirects (port 80 or 443)

Hi @JuergenAuer
Thanks for the speedy reply, but sadly that is not an option, too many other parts use only the IPv6 and they too need the security. If only you could supply a -4 option to tell let’s encrypt to ignore the IPv6 and use the IPv4 DNS-entry. It would not compromise security and boy, I think it would make life easier for a lot of admins.

Isn’t it possible to copy the certificate?

Ipv6 server backup -> copy it to your ipv4 configuration.

It’s not required to create two different certificates, you can use the same certificate with multiples servers.

It would. Ipv6 has additional features. There exists no NAT translation. So such a switch could be one “critical step” that a hacker is able to create a certificate. Sample: A hacker who controls the router, but not the correct domain.

1 Like

I think Let’s Encrypt have previously stated that they are opposed to adding any flags like this, as it can only give potential attackers more tools to work with.

I think that @JuergenAuer’s suggestion is on the right line of thinking. What stops you just adding a special IPv4-only host on your nginx to direct the request to the IPv6 server?

# On your IPv4 server
server {
    server_name example.com;
    location / {
        return 404;
    location ~ ^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$ {
        return 302 http://[2001:db8::1]/.well-known/acme-challenge/$1;
1 Like

IP address URLs aren't allowed, so it would have to be http://ipv6-only-hostname.example.org/, but

1 Like

The issue is the other way around, the IPv6 needs to forward to the IPv4.
I think I may be able to do this.

I managed to get it working.

On the IPv6 host, check to see if the file exists, if not reverse-proxy to the IPv4 host.
On the IPv4 host use certbot certonly --webroot and make sure your webserver serves up /.well-known/acme-challenge from the --webroot-path you give certbot.

You cannot use the nginx plugin, because it creates a temporary config that will listen on the IPv6 certbot wants to check.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.