Certbot renewal http-01 challenge - Cannot Connect Due to IPV6 Configurations

Hello i have a ubuntu 16.04 with nginx
i have “configure” the nginx server blocks

i can curl www.domain.com domain.com which 301 to https://domain.com
if i curl http://www.domain.com/.well-known/index.html i get 200 status for the contect of the index.html file i have add in the directory, also for http://domain.com/.well-known/index.html

But when i try to create cert or renewal i get connect error for www.domain.com
certbot certonly --webroot --webroot-path=/var/www/domain.com/htdocs -d domain.com -d www.domain.com

server block
server {
listen 80;
server_name www.domain.com domain.com;
location / {
return 301 https://domain.com$request_uri;
location /.well-known {
root /var/www/domain.com/htdocs/;

Hi @immunity,

If you provide your real domain it should be easier to help you.

Is your domain pointing to ipv4 and ipv6 addresses?.


www.starenio.gr and starenio.gr

www IN A
www IN AAAA 2a01:4f8:c0c:fa1::

Hi @immunity,

Remove the AAAA record for www.starenio.gr from your DNS server and try again. The other option is to configure the ipv6 address for your domain and the web server correctly to serve your domain using ipv6 too.

Note: 2a01:4f8:c0c:fa1:: is not a valid ipv6 address, is the subnet 2a01:4f8:c0c:fa1::/64 assigned to you by Hetzner.


1 Like

ok i will try to remove the record (it will need some time till the letsencrypt refresh their dns right ?)

do i have a ipv6 ? :smiley: or just v4 and if i want to use ipv6 i will have to buy a ipv6 assigned by hetzner

Let's Encrypt try to reach your DNS server every time to check what your records are but doesn't cache them, well it does some cache but as far as I know, only 30 or 60 minutes. Indeed if you remove the AAAA record, you can wait 5 minutes and try again.

I supposed that if you used that subnet is because it is the one assigned to you. If you have a dedicated server yes, you should have a /64 subnet assigned to you at no cost (you can check it from the robot web page -> Servers -> Select your server -> IPs tab and you will see the assigned subnet).

Hello Sahsanu, i there was missing a 2 at the end of ipv6
i correct it and now certification completed with success for both non-www and www domain

thank you very much everything works fine now :slight_smile:

1 Like

@immunity, I’m glad you finally got your certificate… and enjoy your 18,446,744,073,709,551,616 ipv6 addresses :wink:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.