Certbot - Not able to verify domain due to IPv6 records

I’ve been using the same command for months (or years?). When trying to renew this time, it gives an error on nearly all domains. Certbot tells me:

Failed authorization procedure. lucgommans.nl (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to lucgommans.nl

However, I can see in the access logs:

66.133.109.36 - - [25/May/2017:11:18:07 +0200] lucgommans.nl "GET /.well-known/acme-challenge/aTGh[…]Oa2s HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

It returned status code 200, so the validator connected and was able to retrieve the file.

A few days ago I heard something about an outage and wrote it off as being due to the outage. Now the renewal deadline is getting pressing. What could be going wrong here?

Hi @Luc,

Take a look at this announcement: https://community.letsencrypt.org/t/preferring-ipv6-for-challenge-validation-of-dual-homed-hosts/347741

To summarize, your domain has two IPs, one IPv4 and one IPv6. You are answering on the IPv4 address but not on the IPv6 address. In this situation Let's Encrypt should fall back to IPv4.

$ curl -IkL4 lucgommans.nl
HTTP/1.1 200 OK
Date: Thu, 25 May 2017 12:46:10 GMT
Server: Apache
Content-Type: text/html

$ curl -IkL6 lucgommans.nl
curl: (7) Failed to connect to lucgommans.nl port 80: Permission denied

@cpu, could you please take a look at this issue?

@Luc, meanwhile you could remove the AAAA DNS record from your domain if you are not using it and try again to issue or renew your cert.

Cheers,
sahsanu
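The curl -4 / curl -6 check above, scripted so that every A and AAAA record of the host is probed individually for the HTTP-01 challenge path. This is an added example, not code from the thread, from Certbot or from Let's Encrypt; the challenge token in CHALLENGE_PATH is a placeholder (the thread only shows a truncated token), and the per-address connection is made by connecting to the literal IP and sending a Host header, the same way a validator that prefers the AAAA record would. A TCP connection that fails never produces an access-log line, which is why the 200 in the web server log alone cannot tell you whether the IPv6 address was reachable.

```python
import http.client
import ipaddress
import socket

# Placeholder (assumption): the original post only shows a truncated token.
CHALLENGE_PATH = "/.well-known/acme-challenge/EXAMPLE_TOKEN"


def resolve(host):
    """Return every IPv4 and IPv6 address 'host' resolves to (A and AAAA records)."""
    addrs = {sa[0] for *_rest, sa in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)}
    # IPv4 first, then IPv6, so the output reads like 'curl -4' then 'curl -6'
    return sorted(addrs, key=lambda a: (ipaddress.ip_address(a).version, a))


def fetch(addr, host, path, timeout=5.0):
    """GET 'path' from the literal address 'addr', sending 'Host: host'.

    Returns (status, body) when an HTTP response arrives, or (None, reason)
    when the TCP connection itself fails, which is the 'Could not connect'
    case from the Certbot error in the original post.
    """
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host,
                                           "User-Agent": "dual-stack-probe (added example)"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    except OSError as exc:  # refused, timed out, no route, 'Permission denied' ...
        return None, str(exc)
    finally:
        conn.close()


def verdict(results):
    """Reduce a list of (addr, status) pairs to one label.

    status is the HTTP status code, or None when the connection failed.
    """
    ok_by_family = {4: [], 6: []}
    for addr, status in results:
        ok_by_family[ipaddress.ip_address(addr).version].append(status == 200)
    v4_ok = bool(ok_by_family[4]) and all(ok_by_family[4])
    v6_ok = bool(ok_by_family[6]) and all(ok_by_family[6])
    if not ok_by_family[6]:
        return "ipv4-only-ok" if v4_ok else "ipv4-only-broken"
    if v4_ok and v6_ok:
        return "dual-stack-ok"
    if v4_ok:
        return "aaaa-broken"  # the thread's situation: A answers, AAAA does not
    if v6_ok:
        return "a-broken"
    return "both-broken"


def probe(host, path=CHALLENGE_PATH, resolver=resolve, fetcher=fetch):
    """Probe every address of 'host'; return ([(addr, status, error)], verdict)."""
    rows = []
    for addr in resolver(host):
        status, detail = fetcher(addr, host, path)
        rows.append((addr, status, "" if status is not None else detail))
    return rows, verdict([(addr, status) for addr, status, _ in rows])


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "lucgommans.nl"
    rows, summary = probe(target)
    for addr, status, detail in rows:
        print(f"{addr:>40}  {status if status is not None else 'connect failed'}  {detail}")
    print("verdict:", summary)
```

Run it as `python3 probe.py yourdomain.example` while the challenge file is in place. A verdict of aaaa-broken means the AAAA record points at an address that does not answer on port 80, which is exactly the case where removing the AAAA record (or fixing the IPv6 listener and firewall) unblocks validation.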

There are some other threads about this particular question, and I don't think that the CA folks have exactly the same intuition about that. :slight_smile:
