Certbot trying a challenge to old IPv6 instead of new IPv4

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: observalgerie.com

I ran this command: certbot --apache

It produced this output:

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: observalgerie.com
  Type:   unauthorized
  Detail: Invalid response from http://observalgerie.com/.well-known/acme-challenge/Anv0rFQaCLrLf5hP5jLOedb-06xizMsMbDebDVRYa5k [2a02:4780:8:433:0:2779:5bb6:1]: "<!DOCTYPE html>\n<html lang=\"en-us\" prefix=\"content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf:"

My web server is (include version):

Server version: Apache/2.4.46 (Ubuntu)
Server built:   2021-06-17T17:09:41

The operating system my web server runs on is (include version): Ubuntu 21.04

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.17.0

We are changing servers, so we have pointed the A value to the new IP and removed AAAA, since we're not using IPv6 on the new server. However, Certbot is trying a challenge with the old IPv6. Hence failing.

1 Like

Unfortunately, for some reason it still exists currently:

observalgerie.com.	60	IN	AAAA	2001:41d0:403:3e52::64
;; Received 74 bytes from 2400:cb00:2049:1::a29f:18c9#53(ns1.dns-parking.com) in 186 ms
3 Likes

An AAAA record is still being returned for the domain from your authoritative NS records and I believe the validators will prioritize AAAA records over A records when doing validations.

>dig +noall +answer observalgerie.com aaaa @ns1.dns-parking.com
observalgerie.com.      60      IN      AAAA    2001:41d0:403:3e52::64

>dig +noall +answer observalgerie.com aaaa @ns2.dns-parking.com
observalgerie.com.      60      IN      AAAA    2001:41d0:403:3e52::64

>dig +noall +answer observalgerie.com a @ns1.dns-parking.com
observalgerie.com.      60      IN      A       135.125.4.82

>dig +noall +answer observalgerie.com a @ns2.dns-parking.com
observalgerie.com.      60      IN      A       135.125.4.82

You might want to double check that the AAAA record was actually removed.

3 Likes

Yes, your dig command returns an updated IPv6 address (that we placed in AAAA earlier, before removing it). However, certbot is still trying with the old IPv6 (starts with 2a02). As long as that IP isn't updated for certbot, we won't be able to migrate the website.

certbot is an ACME client.
ACME clients speak with LE.
LE resolves the domain to an IP and connects to that IP to validate the request.

The IP LE uses is what is found in your authoritative DNS servers.
That said, it also prefers IPv6 over IPv4 (when available).

Where do you see a different IPv6 number?

1 Like

Here, in the Certbot answer.

Shouldn't it show the IPv4 there?

1 Like

Why LE still uses your old IPv6 address could be due to propagation time for your DNS servers and the small time of caching LE does at their own servers. Not sure how long DNS results are cached, but it's not long.

2 Likes

Public Global Internet DNS systems show different IPv6 results:

dig +noall +answer observalgerie.com aaaa @8.8.8.8
observalgerie.com.      59      IN      AAAA    2001:41d0:403:3e52::64

dig +noall +answer observalgerie.com aaaa @1.0.0.1
observalgerie.com.      3440    IN      AAAA    2a02:4780:8:433:0:2779:5bb6:1
1 Like
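The two points made above (the validator prefers AAAA over A, and a recursive resolver can keep serving a stale AAAA until its cached TTL runs out) can be turned into a pre-flight check you run before `certbot --apache`. The script below is an added example written for this thread; it is not part of Certbot or of Let's Encrypt's validator. It parses the same `dig +noall +answer` output the thread shows, compares what public resolvers hand back against the authoritative servers, and reports which address the validator will connect to first and how long the stale answer can live. The embedded sample data is constructed from the answers quoted in this thread; the resolver list, the `+time`/`+tries` options and the fallback behaviour described in the comments are assumptions, not something the thread states.

```python
#!/usr/bin/env python3
"""Pre-flight check for HTTP-01 after a DNS change (added example, not Certbot code).

Questions it answers:
  1. Which address will the CA's validator try first? (AAAA before A.)
  2. Do public resolvers still return records the authoritative servers no longer serve?
  3. How many seconds until the last stale cached answer expires?
"""
import ipaddress
import shutil
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    source: str    # server that gave this answer
    rtype: str     # "A" or "AAAA"
    ttl: int       # remaining TTL as reported by that server
    address: str


def parse_dig(source, text):
    """Parse `dig +noall +answer` lines, e.g.
    'observalgerie.com.  60  IN  AAAA  2001:41d0:403:3e52::64', into Answer records."""
    answers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] in ("A", "AAAA"):
            ipaddress.ip_address(parts[4])  # reject garbage before we trust it
            answers.append(Answer(source, parts[3], int(parts[1]), parts[4]))
    return answers


def validation_order(answers):
    """Addresses in the order the validator tries them: every AAAA first, A only as
    a fallback. Assumption: fallback to IPv4 happens only when the IPv6 connection
    fails outright; an IPv6 host that answers with the wrong page (as in the thread)
    is a final 'unauthorized', so the A record never gets a chance."""
    v6 = [a.address for a in answers if a.rtype == "AAAA"]
    v4 = [a.address for a in answers if a.rtype == "A"]
    return v6 + v4


def stale_answers(authoritative, cached):
    """Cached answers that the authoritative servers no longer give."""
    truth = {(a.rtype, a.address) for a in authoritative}
    return [a for a in cached if (a.rtype, a.address) not in truth]


def seconds_until_consistent(authoritative, cached):
    """Worst-case wait: the largest remaining TTL among stale cached answers."""
    return max((a.ttl for a in stale_answers(authoritative, cached)), default=0)


# --- constructed sample data, taken from the dig output quoted in this thread ---
AUTHORITATIVE = parse_dig("ns1.dns-parking.com",
    "observalgerie.com.      60      IN      AAAA    2001:41d0:403:3e52::64\n"
    "observalgerie.com.      60      IN      A       135.125.4.82\n")
CACHED = (parse_dig("8.8.8.8",
    "observalgerie.com.      59      IN      AAAA    2001:41d0:403:3e52::64\n")
    + parse_dig("1.0.0.1",
    "observalgerie.com.      3440    IN      AAAA    2a02:4780:8:433:0:2779:5bb6:1\n"))


# --- live mode: the same commands the thread ran, needs `dig` on PATH ---------
def dig(domain, rtype, server):
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found on PATH")
    cmd = ["dig", "+noall", "+answer", "+time=3", "+tries=1", domain, rtype, "@" + server]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def live_check(domain, public=("8.8.8.8", "1.1.1.1", "9.9.9.9")):
    """Query each authoritative NS and each public resolver for A and AAAA."""
    ns_hosts = [ln.split()[4].rstrip(".") for ln in dig(domain, "NS", public[0]).splitlines()
                if len(ln.split()) >= 5 and ln.split()[3] == "NS"]
    auth = [a for ns in ns_hosts for t in ("A", "AAAA") for a in parse_dig(ns, dig(domain, t, ns))]
    cached = [a for r in public for t in ("A", "AAAA") for a in parse_dig(r, dig(domain, t, r))]
    return auth, cached


def report(auth, cached):
    lines = ["validator will try (from authoritative data): " + ", ".join(validation_order(auth))]
    for a in stale_answers(auth, cached):
        lines.append(f"STALE {a.rtype} {a.address} from {a.source}, expires in {a.ttl}s")
    lines.append(f"safe to retry certbot in about {seconds_until_consistent(auth, cached)}s")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        auth, cached = live_check(sys.argv[1])      # real lookups for the given domain
    else:
        auth, cached = AUTHORITATIVE, CACHED        # offline run on the thread's data
    print(report(auth, cached))
```

Run it with no arguments to see the thread's situation reproduced offline (the 1.0.0.1 answer is flagged stale with 3440 s to go, which matches "we just needed to wait longer"); run it with a domain name to check a real migration. Note that the validator uses its own recursive resolvers, so a clean answer from 8.8.8.8 or 1.0.0.1 is evidence, not proof; the authoritative answers plus the longest stale TTL are the numbers to act on.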

It finally used the updated address. Thank you all for your answers. We just needed to wait longer.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.