Certbot standalone for mixed ipv4/ipv6 cert returning as malformed

I wish to create a single certificate that covers ipv4 & ipv6 endpoints as follows:

appello.care        resolves to both IPv4 + IPv6
www.appello.care    resolves to both IPv4 & IPv6
v4.appello.care     resolves to IPv4 only
v6.appello.care     resolves to IPv6 only             

My domain is:
appello.care

I ran this command: (tried with & without --test-cert)
certbot certonly --standalone -d appello.care,www.appello.care,v4.appello.care,v6.appello.care --test-cert

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for appello.care
tls-sni-01 challenge for www.appello.care
tls-sni-01 challenge for v4.appello.care
tls-sni-01 challenge for v6.appello.care
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. v6.appello.care (tls-sni-01): urn:acme:error:malformed :: The request message was malformed :: Unable to contact “v6.appello.care” at “2001:41d0:401:3100::26cf”, no IPv4 addresses to try as fallback

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: v6.appello.care
    Type: malformed
    Detail: Unable to contact “v6.appello.care” at
    "2001:41d0:401:3100::26cf", no IPv4 addresses to try as fallback

    To fix these errors, please make sure that you did not provide any
    invalid information to the client, and try running Certbot again.

My web server is (include version):
not relevant as running --standalone

The operating system my web server runs on is (include version):
CentOS7 - x86_64 - 7.3.1611

My hosting provider, if applicable, is:
OVH VPS

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

It seems the problem is with the IPv6 access.

Just reran with the same result, and tcpdump shows the following (only IPv6, no IPv4 to be seen):

[root@appello ~]# tcpdump -ni eth0 port 80 or port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:18:14.488742 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [S], seq 2319369844, win 28800, options [mss 1440,sackOK,TS val 6455508 ecr 0,nop,wscale 7], length 0
22:18:14.495839 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [S.], seq 20023873, ack 2319369845, win 28560, options [mss 1440,sackOK,TS val 750313428 ecr 6455508,nop,wscale 5], length 0
22:18:14.495899 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 1, win 225, options [nop,nop,TS val 6455515 ecr 750313428], length 0
22:18:14.505202 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 1:279, ack 1, win 225, options [nop,nop,TS val 6455525 ecr 750313428], length 278
22:18:14.511959 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 279, win 926, options [nop,nop,TS val 750313444 ecr 6455525], length 0
22:18:14.512166 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 1:4097, ack 279, win 926, options [nop,nop,TS val 750313444 ecr 6455525], length 4096
22:18:14.512206 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 4097, win 289, options [nop,nop,TS val 6455532 ecr 750313444], length 0
22:18:14.514544 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], seq 4097:5525, ack 279, win 926, options [nop,nop,TS val 750313447 ecr 6455525], length 1428
22:18:14.514587 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 5525, win 312, options [nop,nop,TS val 6455534 ecr 750313447], length 0
22:18:14.518766 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 5525:5692, ack 279, win 926, options [nop,nop,TS val 750313451 ecr 6455532], length 167
22:18:14.518796 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 5692, win 334, options [nop,nop,TS val 6455538 ecr 750313451], length 0
22:18:14.521572 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 279:405, ack 5692, win 334, options [nop,nop,TS val 6455541 ecr 750313451], length 126
22:18:14.529231 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 5692:5950, ack 405, win 926, options [nop,nop,TS val 750313461 ecr 6455541], length 258
22:18:14.530255 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 405:710, ack 5950, win 356, options [nop,nop,TS val 6455550 ecr 750313461], length 305
22:18:14.576388 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 710, win 960, options [nop,nop,TS val 750313509 ecr 6455550], length 0
22:18:14.716744 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 5950:7002, ack 710, win 960, options [nop,nop,TS val 750313649 ecr 6455550], length 1052
22:18:14.721137 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 710:1021, ack 7002, win 379, options [nop,nop,TS val 6455741 ecr 750313649], length 311
22:18:14.727906 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 1021, win 993, options [nop,nop,TS val 750313660 ecr 6455741], length 0
22:18:14.909851 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 7002:7443, ack 1021, win 993, options [nop,nop,TS val 750313842 ecr 6455741], length 441
22:18:14.918721 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 1021:2459, ack 7443, win 401, options [nop,nop,TS val 6455938 ecr 750313842], length 1438
22:18:14.925489 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 2449, win 1083, options [nop,nop,TS val 750313858 ecr 6455938], length 0
22:18:14.925540 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 2459, win 1083, options [nop,nop,TS val 750313858 ecr 6455938], length 0
22:18:15.128766 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 7443:9432, ack 2459, win 1083, options [nop,nop,TS val 750314061 ecr 6455938], length 1989
22:18:15.128832 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 9432, win 432, options [nop,nop,TS val 6456148 ecr 750314061], length 0
22:18:15.128845 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 9432:9627, ack 2459, win 1083, options [nop,nop,TS val 750314061 ecr 6455938], length 195
22:18:15.136074 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 2459:3902, ack 9627, win 454, options [nop,nop,TS val 6456156 ecr 750314061], length 1443
22:18:15.142799 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 3887, win 1172, options [nop,nop,TS val 750314075 ecr 6456156], length 0
22:18:15.142856 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 3902, win 1172, options [nop,nop,TS val 750314075 ecr 6456156], length 0
22:18:15.336439 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 9627:11616, ack 3902, win 1172, options [nop,nop,TS val 750314268 ecr 6456156], length 1989
22:18:15.336569 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 11616, win 486, options [nop,nop,TS val 6456356 ecr 750314268], length 0
22:18:15.336589 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 11616:11819, ack 3902, win 1172, options [nop,nop,TS val 750314269 ecr 6456156], length 203
22:18:15.343802 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 3902:5344, ack 11819, win 508, options [nop,nop,TS val 6456363 ecr 750314269], length 1442
22:18:15.350464 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 5330, win 1261, options [nop,nop,TS val 750314283 ecr 6456363], length 0
22:18:15.350525 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 5344, win 1261, options [nop,nop,TS val 750314283 ecr 6456363], length 0
22:18:15.541805 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 11819:13808, ack 5344, win 1261, options [nop,nop,TS val 750314474 ecr 6456363], length 1989
22:18:15.541888 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 13808, win 539, options [nop,nop,TS val 6456561 ecr 750314474], length 0
22:18:15.541906 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 13808:13919, ack 5344, win 1261, options [nop,nop,TS val 750314474 ecr 6456363], length 111
22:18:15.551467 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 5344:6786, ack 13919, win 539, options [nop,nop,TS val 6456571 ecr 750314474], length 1442
22:18:15.558325 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 6772, win 1350, options [nop,nop,TS val 750314490 ecr 6456571], length 0
22:18:15.558387 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 6786, win 1350, options [nop,nop,TS val 750314490 ecr 6456571], length 0
22:18:15.764391 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 13919:15615, ack 6786, win 1350, options [nop,nop,TS val 750314696 ecr 6456571], length 1696
22:18:15.764489 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 15615, win 565, options [nop,nop,TS val 6456784 ecr 750314696], length 0
22:18:15.797224 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 6786:8366, ack 15615, win 565, options [nop,nop,TS val 6456817 ecr 750314696], length 1580
22:18:15.803905 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 8214, win 1440, options [nop,nop,TS val 750314736 ecr 6456817], length 0
22:18:15.803966 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 8366, win 1529, options [nop,nop,TS val 750314736 ecr 6456817], length 0
22:18:15.987589 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 15615:16930, ack 8366, win 1529, options [nop,nop,TS val 750314920 ecr 6456817], length 1315
22:18:15.994796 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 8366:9946, ack 16930, win 588, options [nop,nop,TS val 6457014 ecr 750314920], length 1580
22:18:16.001494 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 9794, win 1618, options [nop,nop,TS val 750314934 ecr 6457014], length 0
22:18:16.001552 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 9946, win 1707, options [nop,nop,TS val 750314934 ecr 6457014], length 0
22:18:16.224442 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 16930:18249, ack 9946, win 1707, options [nop,nop,TS val 750315157 ecr 6457014], length 1319
22:18:16.231909 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 9946:11526, ack 18249, win 610, options [nop,nop,TS val 6457251 ecr 750315157], length 1580
22:18:16.238680 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 11374, win 1797, options [nop,nop,TS val 750315171 ecr 6457251], length 0
22:18:16.238773 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 11526, win 1886, options [nop,nop,TS val 750315171 ecr 6457251], length 0
22:18:16.421016 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 18249:19489, ack 11526, win 1886, options [nop,nop,TS val 750315353 ecr 6457251], length 1240
22:18:16.427851 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 11526:13106, ack 19489, win 632, options [nop,nop,TS val 6457447 ecr 750315353], length 1580
22:18:16.434511 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 12954, win 1975, options [nop,nop,TS val 750315367 ecr 6457447], length 0
22:18:16.434565 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 13106, win 2064, options [nop,nop,TS val 750315367 ecr 6457447], length 0
22:18:16.605574 IP6 2600:3000:2710:300::1d.37884 > 2001:41d0:401:3100::26cf.https: Flags [S], seq 2925380792, win 28800, options [mss 1440,sackOK,TS val 3848484553 ecr 0,nop,wscale 7], length 0
22:18:16.605650 IP6 2001:41d0:401:3100::26cf.https > 2600:3000:2710:300::1d.37884: Flags [R.], seq 0, ack 2925380793, win 0, length 0
22:18:16.648091 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 19489:20503, ack 13106, win 2064, options [nop,nop,TS val 750315580 ecr 6457447], length 1014
22:18:16.688015 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 20503, win 655, options [nop,nop,TS val 6457708 ecr 750315580], length 0
22:18:19.654146 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 13106:13456, ack 20503, win 655, options [nop,nop,TS val 6460674 ecr 750315580], length 350
22:18:19.660779 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 13456, win 2154, options [nop,nop,TS val 750318593 ecr 6460674], length 0
22:18:19.847336 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 20503:22492, ack 13456, win 2154, options [nop,nop,TS val 750318779 ecr 6460674], length 1989
22:18:19.847403 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 22492, win 686, options [nop,nop,TS val 6460867 ecr 750318779], length 0
22:18:19.847417 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 22492:22547, ack 13456, win 2154, options [nop,nop,TS val 750318779 ecr 6460674], length 55
22:18:19.847426 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 22547, win 686, options [nop,nop,TS val 6460867 ecr 750318779], length 0
22:18:19.850368 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 13456:13806, ack 22547, win 686, options [nop,nop,TS val 6460870 ecr 750318779], length 350
22:18:19.856971 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 13806, win 2243, options [nop,nop,TS val 750318789 ecr 6460870], length 0
22:18:20.041925 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 22547:24536, ack 13806, win 2243, options [nop,nop,TS val 750318974 ecr 6460870], length 1989
22:18:20.041985 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 24536, win 717, options [nop,nop,TS val 6461061 ecr 750318974], length 0
22:18:20.041999 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 24536:24599, ack 13806, win 2243, options [nop,nop,TS val 750318974 ecr 6460870], length 63
22:18:20.044797 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 13806:14156, ack 24599, win 717, options [nop,nop,TS val 6461064 ecr 750318974], length 350
22:18:20.051409 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 14156, win 2332, options [nop,nop,TS val 750318984 ecr 6461064], length 0
22:18:20.235173 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 24599:26530, ack 14156, win 2332, options [nop,nop,TS val 750319167 ecr 6461064], length 1931
22:18:20.235237 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 26530, win 747, options [nop,nop,TS val 6461255 ecr 750319167], length 0
22:18:20.238158 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [P.], seq 14156:14506, ack 26530, win 747, options [nop,nop,TS val 6461258 ecr 750319167], length 350
22:18:20.244805 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [.], ack 14506, win 2421, options [nop,nop,TS val 750319177 ecr 6461258], length 0
22:18:20.427275 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 26530:28519, ack 14506, win 2421, options [nop,nop,TS val 750319359 ecr 6461258], length 1989
22:18:20.427355 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 28519, win 778, options [nop,nop,TS val 6461447 ecr 750319359], length 0
22:18:20.427371 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 28519:28785, ack 14506, win 2421, options [nop,nop,TS val 750319359 ecr 6461258], length 266
22:18:20.467042 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [.], ack 28785, win 800, options [nop,nop,TS val 6461487 ecr 750319359], length 0
22:18:20.823437 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [F.], seq 14506, ack 28785, win 800, options [nop,nop,TS val 6461843 ecr 750319359], length 0
22:18:20.830243 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [P.], seq 28785:28816, ack 14507, win 2421, options [nop,nop,TS val 750319762 ecr 6461843], length 31
22:18:20.830304 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [R], seq 2319384351, win 0, length 0
22:18:20.830317 IP6 2a02:26f0:2d:19b::3d5.https > 2001:41d0:401:3100::26cf.59924: Flags [F.], seq 28816, ack 14507, win 2421, options [nop,nop,TS val 750319762 ecr 6461843], length 0
22:18:20.830326 IP6 2001:41d0:401:3100::26cf.59924 > 2a02:26f0:2d:19b::3d5.https: Flags [R], seq 2319384351, win 0, length 0
^C
87 packets captured
87 packets received by filter
0 packets dropped by kernel
[root@appello ~]# 

Unsure what you mean by show the vhost

However, I just reduced the command to:
certbot certonly --standalone -d v6.appello.care --test-cert
… with the same result, so mixing IPv4+IPv6 is not the issue.

This is a fresh CentOS7 install, fully patched, running certbot 0.14.1.3.el7 yum-installed from EPEL.

sorry, mixing threads…

Try running each domain independently.
Which ones pass?
Which ones fail?

Also check for any interference:
netstat -nap | grep 80
netstat -nap | grep 443

I can successfully request the IPv4 names together:
certbot certonly --standalone -d appello.care,www.appello.care,v4.appello.care --test-cert
But, even with the IPv6 name alone it always fails as malformed:
certbot certonly --standalone -d v6.appello.care --test-cert

This suggests certbot certonly --standalone support for IPv6 is broken

[root@appello ~]# netstat -pant | grep 80
[root@appello ~]# netstat -pant | grep 443
[root@appello ~]# 

or there is an IPv6 problem/interference in your setup…

show:
netstat -na|grep -i listen|grep tcp

[root@appello ~]# netstat -na|grep -i listen|grep tcp
tcp        0      0 149.202.48.122:53       0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp6       0      0 :::53                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
[root@appello ~]# 

so this may be true but we haven't yet proven it (beyond a doubt)

are you up for (temporarily) installing Apache or NGINX ?

I suppose so, I can always cleanup with a fresh install if necessary.

Since you're taking such a positive interest, I don't mind adding your SSH public key for you to look for yourself.

I would prefer not to touch your system and just assist with a kind of “step by step” test.

ok, I’ll look at apache and get back to you

yum install httpd
echo world >/var/www/html/hello.txt
service httpd start

http://appello.care/hello.txt => world

certbot certonly --webroot -w /var/www/html -d v6.appello.care --test-cert

SUCCESS - great

[root@appello html]# netstat -na|grep -i listen|grep tcp
tcp        0      0 149.202.48.122:53       0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 :::53                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
[root@appello html]# 

I stopped apache and tried using --no-redirect and it worked. However, now it also works without the --no-redirect.

I’m confused. It seems that having once created a cert for v6.appello.care and then deleted it, now the original 4-name request succeeds.

Is there a chicken/egg scenario where --standalone defaults to using the HTTPS protocol, but has no existing certificate to present to the ACME servers, causing the process to fail?

Sigh! Even using --no-redirect I now seem to be in a situation where the original 4-name request using --test-cert reliably succeeds, but without --test-cert it fails as before.

Hmm! It appears that the ACME servers remember that my name and IP addresses matched a short while ago, so there is no reverification. So, the --test-cert is succeeding because it recently succeeded when we used apache. But I never used apache with the live ACME servers, so that continues to fail.

DISCOVERY:
With the following netstat-grep loop looking for port 80 listeners:
while true; do netstat -pant | grep 80; done

… I ran this --standalone with forced HTTP:
certbot certonly --standalone --preferred-challenges http -d appello.care,www.appello.care,v4.appello.care,v6.appello.care

The output from the netstat-grep contained no IPv6 listeners, only IPv4 listeners.

This seems to be a bug!

The Certbot version you're running (0.14.1.3.el7) doesn't support IPv6 in standalone mode :cry:

You can see support for that feature was added in version 0.15.0:

IPv6 support in the standalone plugin. When performing a challenge, the standalone plugin automatically handles listening for IPv4/IPv6 traffic based on the configuration of your system.

That's also why switching to using Apache/Webroot worked - Apache knows how to listen on IPv6 :slight_smile:

Can you try upgrading your Certbot installation and seeing if webroot still fails?
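The diagnosis above (an IPv4-only challenge listener cannot serve a name that resolves only to AAAA, while names with both A and AAAA still pass via the validator's IPv4 fallback) can be turned into a pre-flight check. The script below is an added example for this thread, not Certbot's own code: it parses `netstat -na | grep -i listen | grep tcp` style lines and compares the address families a listener covers with the families each name resolves to. The netstat lines and the DNS answers are constructed from the outputs quoted in the thread; the treatment of a wildcard `:::port` socket as dual-stack assumes the Linux default of `IPV6_V6ONLY=0`, which netstat alone cannot confirm.

```python
"""Pre-flight check: does the listener on the challenge port cover every address
family the requested names resolve to? Added example for this thread; not
certbot's code. Sample data below is constructed from outputs quoted in the thread."""

import re
from collections import defaultdict

# Constructed sample: what a 0.14.x standalone run looked like (IPv4-only bind on
# port 80) versus the Apache run that bound `:::80`.
NETSTAT_STANDALONE_0_14 = """\
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

NETSTAT_APACHE = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# Constructed DNS answers mirroring the thread's naming scheme: which record
# types exist for each name ("A" = IPv4, "AAAA" = IPv6).
DNS = {
    "appello.care": {"A", "AAAA"},
    "v4.appello.care": {"A"},
    "v6.appello.care": {"AAAA"},
}

# proto, recv-q, send-q, local address:port, foreign address, state
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def listeners(netstat_output):
    """Map port -> set of families ('A', 'AAAA') that a LISTEN socket covers.

    A tcp6 wildcard socket (':::port') is counted as dual-stack, which is the
    Linux default when IPV6_V6ONLY is 0 (assumption; netstat cannot show it)."""
    families = defaultdict(set)
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        if proto == "tcp":
            families[port].add("A")
        else:
            families[port].add("AAAA")
            if addr == "::":
                families[port].add("A")
    return dict(families)


def unreachable_names(netstat_output, port, dns=DNS):
    """Return the names whose resolved families share nothing with the listener.

    The validator prefers IPv6 and falls back to IPv4 only when an A record
    exists, so a name with only AAAA fails against an IPv4-only listener while
    a dual-homed name still succeeds via the fallback."""
    covered = listeners(netstat_output).get(port, set())
    return [name for name, records in sorted(dns.items()) if not records & covered]


if __name__ == "__main__":
    for label, output in (("standalone 0.14", NETSTAT_STANDALONE_0_14),
                          ("apache", NETSTAT_APACHE)):
        print(label, "port 80 covers", sorted(listeners(output).get(80, set())),
              "unreachable:", unreachable_names(output, 80))
```

Run against the first sample it reports only `v6.appello.care` as unreachable, which is exactly the one name that failed in the thread; against the Apache sample every name is covered. To use it on a live host, feed it the real `netstat` output and the record types returned by `dig +short A` / `dig +short AAAA` for each name on the command line.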

When will 0.15.0 arrive on EPEL?

I'm not sure. @bmw @schoen Do you know who packages Certbot for EPEL? Can you advise on the best way to get a newer version of Certbot on CentOS7?

If you're willing to go outside of the OS package manager, you can use the self-updating version:

https://letsencrypt.readthedocs.io/en/latest/install.html#certbot-auto


As this is a production server, I’m not sure that’s the correct move.

I haven't dealt with the packagers myself, but the EPEL packager seems to be James Hogarth, who has the Fedora username jhogarth. I saw that the Fedora page about the Certbot package included an automated notification about the existence of our newer upstream releases, so I assume that the packagers (or James) know that upstream has had subsequent releases and I don't know what the downstream policy is about when to ship those.

I appreciate your caution about that. One in-between option I can offer you is that if you always run certbot-auto with the --no-self-upgrade option, it will not upgrade itself (or, I believe, its virtualenv-installed dependencies) beyond the version that you initially downloaded. So if you got certbot-auto today and consistently always ran with --no-self-upgrade, you should not expect breakages to be introduced due to later autoupdates.

The non-OS-packaged dependencies that it downloads also go into a virtualenv in the user's or root's home directory, so you would not be overwriting stuff in /usr with something sourced from anywhere other than official OS packages. You would also not be modifying your OS-provided certbot (indeed, certbot-auto is always run as certbot-auto rather than as certbot, with the command-line options otherwise being the same).

However, certbot-auto is definitely not the right solution for everybody or for all environments.
