Certificate renew fail if IPv6 is enabled

horizn · April 28, 2019, 9:46pm

I have Nginx reverse proxy (IPv4 only) pointing to server in local network which has dual IPv4 and IPv6 (public) stack. For some reason when I run Certbot renew on my Nginx reverse proxy box it is trying to use IPv6 address and obviously fails as Certbot command was not invoked from that server. Why Certbot prefer IPv6 and not falling back to IPv4 causing renewal process impossible?
Even if I delete all data referring to that domain/cert I can’t obtain new cert:

# certbot certonly --standalone -d domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://domain.com/login [2001:xxx:xx:xxx::x]: "<!DOCTYPE html>\n<html class=\"ng-csp\" data-placeholder-focus=\"false\" lang=\"en\" data-locale=\"en\" >\n\t<head\n data-requesttoken=\"C9B3"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain.com
   Type:   unauthorized
   Detail: Invalid response from https://domain.com/login
   [2001:xxx:xx:xxx::x]: "<!DOCTYPE html>\n<html class=\"ng-csp\"
   data-placeholder-focus=\"false\" lang=\"en\" data-locale=\"en\"
   >\n\t<head\n data-requesttoken=\"C9B3"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

JuergenAuer · April 28, 2019, 9:57pm

Hi @horizn

please answer the following questions. That's the standard template from Help

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

orangepizza · April 28, 2019, 10:00pm

Remove AAAA record from your domain if your proxy doesn’t support it. having AAAA record points to something else means anybody with ipv6 address will bypass reverse proxy and don’t see certificates

horizn · April 28, 2019, 10:17pm

Yes, will bypass Nginx IPv4 only proxy and point directly to IPv6 server. Certificates are already there, copied from reverse proxy box. Can’t see the problem here. The only problem is this fantastic feature of forcing IPv6 as preferred during the renewal without option of forcing IPv4.

horizn · April 28, 2019, 10:23pm

My domain is: ANY. It is not domain issue but, Certbot forcing IPv6 without giving IPv4 as an option.

I ran this command: certbot renew, certbot certonly --standalone -d domain

It produced this output: as above.

My web server is (include version): Nginx 1.10.3 (Debian default) on IPv4 proxy, Apache 2.4.39 on target.

The operating system my web server runs on is (include version): Debian 9 and Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.23.0 on Ubuntu, 0.28.0 on Debian.

horizn · April 28, 2019, 10:27pm

Problem solved by implementing workaround:

Certbot is now running on dual stack box and then copy cert files to IPv4 reverse proxy box.
Restart Apache and Nginx.
All works.

Anyone who decided Certbot to behave in this way is genius

JuergenAuer · April 28, 2019, 10:35pm

I don't see a problem.

If a website has an AAAA record, the configuration should work. If it doesn't work, perhaps the route is hacked.

A fallback isn't an option. A hacker could block ipv6 traffic and change the ipv4 route.

PS: It's not a Certbot feature, it's a Letsencrypt decision.

horizn · April 29, 2019, 7:47am

Try to imagine situation, where IPv4 traffic is going through the reverse proxy whilst IPv6 is going directly. If hacker will gain an access on that level, then he/she will do whatever he or she want. If it is security feature, so why it is trying talk to IPv6 address while original request came from IPv4 box? There is no logic here. But I of course really appreciate your help and explanation.

JuergenAuer · April 29, 2019, 8:53am

That's true if your internal network is hacked. But then it's not relevant.

The problem is the route hacking, outside of your network. That's easier with ipv4.

Ipv4 is used with a lot of "additional accessories" like NAT. With ipv6 such things aren't relevant.

If you want a certificate, your dns settings are relevant. Not the client you start the order.

You can run a client on another server / pc to create a certificate with dns-01 validation.

system · May 29, 2019, 8:53am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.