Certbot - IPV6 Not Configured and Challenges Fail (IPV6 Preferred)


#1

Hi, I’ve been using dehydrated to keep my certs updated since pretty much day 1, and it’s worked flawlessly, but since a couple of days ago I’m having an issue with updating a cert that’s about to expire soon:

Processing pokemap.berlin with alternative names: www.pokemap.berlin dev.pokemap.berlin
 + Checking domain name(s) of existing cert... changed!
 + Domain name(s) are not matching!
 + Names in old certificate: dev.pokemap.berlin pmg.faked.org pokemap.berlin www.pokemap.berlin
 + Configured names: dev.pokemap.berlin pokemap.berlin www.pokemap.berlin
 + Forcing renew.
 + Checking expire date of existing cert...
 + Valid till Jun 14 22:01:00 2017 GMT Certificate will expire
(Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for pokemap.berlin...
 + Requesting challenge for www.pokemap.berlin...
 + Requesting challenge for dev.pokemap.berlin...
 + Responding to challenge for pokemap.berlin...
 + Responding to challenge for www.pokemap.berlin...
 + Responding to challenge for dev.pokemap.berlin...
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Could not connect to dev.pokemap.berlin",
    "status": 400
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/aL5EsF2NuL8zBQHzgBw8qFxKFmnrlt91RdfNxm30lAk/1210320188",
  "token": "MQyfKns3ATGGPMS-pKSieBlrWpjE86FIj2pnuYcAFfo",
  "keyAuthorization": "MQyfKns3ATGGPMS-pKSieBlrWpjE86FIj2pnuYcAFfo.ymn7rrjFsLBQUTzWYgdoacDjsIe-B36saKrAYkAh2Tk",
  "validationRecord": [
    {
      "url": "http://dev.pokemap.berlin/.well-known/acme-challenge/MQyfKns3ATGGPMS-pKSieBlrWpjE86FIj2pnuYcAFfo",
      "hostname": "dev.pokemap.berlin",
      "port": "80",
      "addressesResolved": [
        "87.128.111.190",
        "2003:a:37f:ef4f::"
      ],
      "addressUsed": "2003:a:37f:ef4f::",
      "addressesTried": []
    }
  ]
})

The challenge is definitely accessible; I have a text file in the shared challenges folder that I use for testing whether the vHosts are configured correctly: https://dev.pokemap.berlin/.well-known/acme-challenge/access.txt

I can’t figure out why this would throw a connection error, and I also can’t see any requests in my logs that responded with a status code 400.


#2

From where I am, I can access http://dev.pokemap.berlin/ over IPv4, but not IPv6.

For dual-stack sites, Let’s Encrypt used to prefer to validate over IPv4, but it was recently changed to prefer IPv6.

You need to see what’s going on with that site’s IPv6 connectivity, or remove the AAAA record.

(Or switch to DNS-01 validation.)


#3

Ah, that would explain it! My outgoing IPv6 still works fine; I’ll check why the incoming stopped working.

Thanks!


#4

Hi @jangrewe,

Apologies for the issuance problems!

As @mnordhoff mentioned we recently changed to preferring IPv6 for dual-homed hosts, but the implementation is meant to fall back to IPv4 if the IPv6 connection doesn’t work. You’re not the first person to notice this doesn’t seem to happen but I haven’t been able to reproduce the problem yet. It would be really helpful if you could add some details to https://github.com/letsencrypt/boulder/issues/2770 - particularly about the “kind of broken” your IPv6 connectivity ends up being (e.g. was there nothing listening on the v6 interface? was there a firewall rule dropping v6 inbound? Did it timeout? etc).

Thanks!
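An added example, not code from the thread or from dehydrated or Boulder: a small Python preflight that reads the validationRecord from a challenge result shaped like the one in the first post, reports which address family the CA used and which resolved family it never tried, and probes port 80 over IPv4 and IPv6 separately so an operator can tell whether the v6 side refuses, times out, or is unreachable before attempting a renewal. The hostname, addresses and token in the sample are constructed placeholders.

```python
import json
import socket
from ipaddress import ip_address

# Constructed sample, shaped like the ACME challenge result quoted in the thread.
# Hostname, addresses and token are placeholders, not the real values.
SAMPLE_RESULT = json.loads("""{
  "type": "http-01", "status": "invalid",
  "error": {"type": "urn:acme:error:connection",
            "detail": "Could not connect to dev.example.test", "status": 400},
  "validationRecord": [{
    "url": "http://dev.example.test/.well-known/acme-challenge/TOKEN",
    "hostname": "dev.example.test", "port": "80",
    "addressesResolved": ["192.0.2.10", "2001:db8::1"],
    "addressUsed": "2001:db8::1", "addressesTried": []
  }]
}""")

def diagnose(result):
    """Return (family_used, untried_families) from a challenge result.

    family_used is 4 or 6. untried_families lists families that were resolved
    but never attempted: (6, [4]) is the "no fallback to IPv4" symptom above.
    """
    rec = result["validationRecord"][-1]
    used = ip_address(rec["addressUsed"])
    tried = {ip_address(a).version for a in rec.get("addressesTried", [])}
    tried.add(used.version)
    resolved = {ip_address(a).version for a in rec["addressesResolved"]}
    return used.version, sorted(resolved - tried)

def probe(hostname, family, port=80, timeout=5.0):
    """TCP-connect over one address family and classify the outcome the way the
    Boulder issue asks for: nothing listening, silently dropped, or no route."""
    try:
        infos = socket.getaddrinfo(hostname, port, family, socket.SOCK_STREAM)
    except socket.gaierror as e:
        return "no-address", str(e)          # no A/AAAA record for this family
    addr = infos[0][4]
    try:
        with socket.create_connection(addr[:2], timeout=timeout):
            return "connected", addr[0]
    except ConnectionRefusedError:
        return "refused", addr[0]            # host answers, nothing listens on :80
    except socket.timeout:
        return "timeout", addr[0]            # typical of a firewall dropping packets
    except OSError as e:
        return "unreachable", f"{addr[0]}: {e}"  # e.g. no route to host

def preflight(hostname):
    """Probe both families, as the CA would see them, before renewing."""
    return {4: probe(hostname, socket.AF_INET), 6: probe(hostname, socket.AF_INET6)}
```

Run `preflight("dev.pokemap.berlin")` from a host with working dual-stack egress; a 6 entry of "timeout" or "unreachable" next to a 4 entry of "connected" is the situation this thread describes.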


#5

Thanks @cpu, I’ve added my details to that issue.
The actual reason was that my ISP decided to, for whatever reason, not properly route that specific IPv6 to my server anymore. I moved to a different IPv6, updated the AAAA record, now it’s working fine again.


#6

A post was split to a new topic: Prefer IPv4 for validation when ACME client requests are IPv4


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.