Certbot tries the challenge over IPv6 when available

Just a PSA, and perhaps a request to make the error message a bit more helpful. I’ve concluded (hopefully correctly) that if an AAAA record is available for the domain you are requesting (or in my case renewing) a cert for, it will try the challenge over IPv6. However, if the challenge fails, the error message only mentions an A record. This put me on a wild goose chase. In the end it turned out to be an IPv6 configuration error.

I was trying to renew my certificate and got this error:


   Domain: dmc.covle.com
   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge
   [26Hno7hRKeNJjD-uHc4q4Qh-RRBS5cVuvopcaxUQ1hg.z6QCPIu03BH-PbRvQ0WB7ORCk1fiV6ItK6tOSPzfgag]
   != [<h1>Bessyyy</h1>
   working]

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

The response was from a different domain on the same server. This confused me immensely, but after a bunch of testing I realized I hadn’t told nginx to listen on IPv6 for this domain. After I fixed that, the renew worked perfectly.

I conclude from this that if your A record points to the right server, but your AAAA record does not, Let’s Encrypt will fail the challenge. The error message should reflect that. (The fact that I misconfigured IPv6 was the equivalent of having my AAAA record point somewhere else.)

Hopefully it helps someone!

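An added example (not part of the original posts and not Certbot code): a small check that fetches the same file from every AAAA and A address of a domain and reports the case described above, where IPv4 serves the right site and IPv6 serves a different one. The function names, the probe path and the expected content are assumptions; the probe is a test file you place in the webroot yourself.

```python
import http.client
import socket

def resolve(host, family):
    """Return the sorted addresses the host has in one address family."""
    try:
        infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def fetch(host, addr, path, timeout=5.0):
    """GET path from one specific address while sending the real Host header."""
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read(512).decode("utf-8", "replace").strip()
    except OSError as exc:
        return None, f"connection failed: {exc}"
    finally:
        conn.close()

def compare_families(host, path, expected, resolve=resolve, fetch=fetch):
    """Probe every AAAA and A address; return (record, addr, ok, body) rows."""
    rows = []
    for label, family in (("AAAA", socket.AF_INET6), ("A", socket.AF_INET)):
        for addr in resolve(host, family):
            status, body = fetch(host, addr, path)
            rows.append((label, addr, status == 200 and body == expected, body))
    return rows

def diagnose(rows):
    """Name the failure from the thread: A serves the file, AAAA does not."""
    ok = {label for label, _, good, _ in rows if good}
    bad = {label for label, _, good, _ in rows if not good}
    if "AAAA" in bad and "A" in ok:
        return "IPv6 mismatch: AAAA address does not serve this site's file"
    if bad:
        return "file not served correctly on: " + ", ".join(sorted(bad))
    return "all addresses serve the expected content" if ok else "no A or AAAA records"

if __name__ == "__main__":
    import sys
    host, path, expected = sys.argv[1:4]  # e.g. host /.well-known/acme-challenge/probe probe-ok
    rows = compare_families(host, path, expected)
    for row in rows:
        print(row)
    print(diagnose(rows))
```

Run it with the domain, the probe path and the probe file's content as the three arguments; a row marked `False` for an AAAA address points at the IPv6 listener or the AAAA record.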

Do people think it would be more helpful to users overall if this message in Certbot said “A or AAAA records”?

The Certbot team is actually trying to move away from having Certbot itself provide advice about how to debug failed challenges (like this text), in favor of a link to a web page that provides very detailed advice about why challenges may have failed to validate. So adding text here is probably not what we would most prefer to do. Rather, we might want to remove this entire message and send people to a to-be-written page that discusses possible reasons in great detail. That page could of course also mention AAAA records.

My troubleshooting would’ve been greatly shortened if there was some hint of AAAA records.

And the idea of a link to a more advanced guide would be even more excellent. I think that would greatly improve the usability.
