Force certbot standalone to ipv4 rather than ipv6

Since we are renting some dedicated servers that cannot have any reverse IPv6 DNS, is there a way to force certbot to start standalone on IPv4?

Thanks


What do you mean you don't have reverse IPv6? Let's Encrypt is not concerned with reverse DNS records.

If you cannot query or serve stuff over IPv6, remove the AAAA record. Otherwise, certbot will work just fine on IPv6.


(NB: you can actually make certbot listen on IPv4 only, but that will do you no good, because as long as the validation server sees an AAAA record, it will connect over IPv6 and I'm not sure if it tries IPv4 on failure -- probably not.)


Sometimes it does, sometimes it doesn't. I'm not sure when which scenario plays out.

Anyway, you can probably use the --http-01-address option to force Certbot to a specific IPv4 IP address. If you do, it probably won't bind to the IPv6 address.


I was thinking of that option, yes. Only ever useful when putting certbot behind a reverse proxy, I think.


Here are the LE docs on IPv6 / IPv4 retry

But, like Osiris, I am not exactly clear on real-world behavior. I created timeouts with my firewall but got odd results. I did not pursue in earnest to understand why.


OK, I did indeed find the option --http-01-address xxx.xxx.xxx.xxx, but as said above, sometimes it keeps IPv4, sometimes not, as an answer... Moreover, my BIND DNS is managing anycast, so I think I must find a trick with NFS to have a common folder on all servers; or, if one of you has a better idea, I will be glad to know it.

If http-01 is too hard, you can always use dns-01 validation, I mean.

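A preflight check for the situation in this thread, as an added example that is not code from the thread or from certbot itself: it compares the A/AAAA records a name publishes with the addresses this host can actually bind, and only then builds the `certbot --standalone` command, pinning `--http-01-address` when the zone is IPv4-only. The flag names are certbot's own; the assumption that the validation server tries the AAAA record first is taken from the replies above; `example.com` and the addresses in the example are constructed.

```python
import shlex
import socket

def published_addresses(domain):
    """Resolve the A and AAAA records the ACME validation server will see (network call)."""
    v4, v6 = set(), set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP):
        if family == socket.AF_INET:
            v4.add(sockaddr[0])
        elif family == socket.AF_INET6:
            v6.add(sockaddr[0])
    return sorted(v4), sorted(v6)

def owned_addresses(addrs):
    """Keep only addresses this host can bind, i.e. the ones certbot --standalone could answer on."""
    owned = []
    for addr in addrs:
        family = socket.AF_INET6 if ":" in addr else socket.AF_INET
        try:
            with socket.socket(family, socket.SOCK_STREAM) as s:
                s.bind((addr, 0))  # ephemeral port: no privileges needed
            owned.append(addr)
        except OSError:
            pass  # not configured here (another anycast node, or no IPv6 at all)
    return owned

def plan_http01(domain, v4, v6, owned):
    """Decide whether standalone HTTP-01 can succeed from this host and build the command.
    Assumes the validation server tries an AAAA record first, as the thread describes."""
    problems = []
    stray6 = [a for a in v6 if a not in owned]
    local4 = [a for a in v4 if a in owned]
    if stray6:
        problems.append(f"AAAA {', '.join(stray6)} is published but not served here: "
                        "remove the AAAA record or switch to dns-01")
    if not local4:
        problems.append("no published A record is configured on this host")
    if problems:
        return {"ok": False, "problems": problems, "command": None}
    argv = ["certbot", "certonly", "--standalone", "-d", domain]
    if not v6:
        # IPv4-only zone: pin the listener to this host's own address so a multi-homed
        # or anycast box answers on the address the validation server will actually use.
        argv += ["--http-01-address", local4[0]]
    return {"ok": True, "problems": [], "command": shlex.join(argv)}

if __name__ == "__main__":
    host = "example.com"  # constructed: replace with your own name
    a, aaaa = published_addresses(host)
    print(plan_http01(host, a, aaaa, owned_addresses(a + aaaa)))
```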
