Since we are renting some dedicated servers that cannot have any reverse IPv6 DNS, is there a way to force certbot to start standalone on IPv4?
Thanks
What do you mean you don't have reverse IPv6? Let's Encrypt is not concerned with reverse DNS records.
If you cannot query or serve stuff over IPv6, remove the AAAA record. Otherwise, certbot will work just fine on IPv6.
(NB: you can actually make certbot listen on IPv4 only, but that will do you no good, because as long as the validation server sees an AAAA record, it will connect over IPv6 and I'm not sure if it tries IPv4 on failure -- probably not.)
Sometimes it does, sometimes it doesn't. I'm not sure when which scenario plays out.
Anyway, you can probably use the --http-01-address option to force Certbot to a specific IPv4 IP address. If you do, it probably won't bind to the IPv6 address.
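The two points made above (the CA follows the AAAA record, and `--http-01-address` only pins the local listener) can be turned into a pre-flight check. The script below is an added example, not code from certbot or from anyone in this thread: it resolves the name's A and AAAA records, tests which of those addresses this host actually owns by binding to them, and prints the `certbot certonly --standalone` command that will validate cleanly, or tells you the AAAA record has to go. The verdict names and the `plan()`/`certbot_cmd()` helpers are this example's own invention; `--http-01-address` is certbot's real flag.

```python
import socket
import sys

def resolve(domain):
    """Return {'A': [...], 'AAAA': [...]} from the system resolver."""
    records = {"A": [], "AAAA": []}
    for family, key in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            infos = socket.getaddrinfo(domain, 80, family, socket.SOCK_STREAM)
            records[key] = sorted({i[4][0] for i in infos})
        except socket.gaierror:
            pass  # no record of this type is published
    return records

def can_bind(addr):
    """True if this host owns addr (bind on an ephemeral port succeeds)."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        try:
            s.bind((addr, 0))
            return True
        except OSError:
            return False

def plan(records, owned):
    """Return (verdict, ipv4_bind_address_or_None).
    remove-aaaa: AAAA published but not served here; the CA tries IPv6
                 first, so --http-01-address alone will not fix it.
    dual-stack: AAAA address is local.  ipv4-only: no AAAA, pin to A.
    no-address: no published record points at this host."""
    v4 = [a for a in records["A"] if a in owned]
    v6 = [a for a in records["AAAA"] if a in owned]
    if records["AAAA"] and not v6:
        return "remove-aaaa", v4[0] if v4 else None
    if v6:
        return "dual-stack", None
    if v4:
        return "ipv4-only", v4[0]
    return "no-address", None

def certbot_cmd(domain, bind_addr=None):
    """Argv for a standalone HTTP-01 run, pinned to bind_addr if given."""
    cmd = ["certbot", "certonly", "--standalone", "-d", domain]
    return cmd + (["--http-01-address", bind_addr] if bind_addr else [])

if __name__ == "__main__":
    recs = resolve(sys.argv[1])
    owned = {a for a in recs["A"] + recs["AAAA"] if can_bind(a)}
    verdict, addr = plan(recs, owned)
    print(verdict, "->", " ".join(certbot_cmd(sys.argv[1], addr)))
```

Run it as `python3 preflight.py example.com` on the server that will answer the challenge; a `remove-aaaa` verdict means pinning certbot to IPv4 will not help until the AAAA record is gone.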
I was thinking of that option, yes. Only ever useful when putting certbot behind a reverse proxy, I think.
Here are the LE docs on IPv6 / IPv4 retry
But, like Osiris, I am not exactly clear on real-world behavior. I created timeouts with my firewall but got odd results. I did not pursue in earnest to understand why.
OK, I did find the option `--http-01-address xxx.xxx.xxx.xxx`, but as said above, sometimes it keeps IPv4 as the answer, sometimes not. Also, my BIND DNS is managing anycast, so I think I must find a trick with NFS to have a common folder on all servers, or if one of you has a better idea I will be glad to know it.
If http-01 is too hard you can always use dns-01 validation, I mean.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.