HTTP-01 GKE Validation IPv4 Only

If I create a test environment I'm able to get a valid certificate without any issues. My staging and production environments have IPv6 as a requirement, so what I ended up doing is following this pattern in order to get an IPv6 address in GKE.

Is there a flag I could add to force IPv4?

Failing that, I would need DNS validation, as I'm not using a standard DNS service provider. Is there a guide on how to set up a custom app to write the DNS entries required for DNS validation that ties into GKE to succeed?

Here's a ticket I created a while back for more context if anyone would like to read.

No, there is not. The Let's Encrypt validation servers prefer IPv6 if an AAAA record exists. Although it's not clear to me why that would be an issue at all?


I'm not sure either, but the LB is the only thing I can see that's different between the two environments. It's supposed to forward all requests, but maybe the multiple layers of SSL are breaking it?

IPv6 has a different SSL certificate while I'm trying to obtain a Let's Encrypt one for the IPv4 stack.

Are they separate load-balancers?
Can't they use the same cert?

Well, GKE currently doesn't support IPv6 as far as I can tell so unfortunately not.

hmm...

If you proxied the IPv6 HTTPS connections as streams, then they could always reach the IPv4 systems.

If a stream proxy is not an option, then you could:

  • renew original FQDN(1) via IPv6 systems [twice a day cron job renewal check]
  • redirect FQDN(1) challenge requests to an IPv4 only FQDN(2) [triggered upon IPv6 renewals]
  • renew original FQDN(1) via FQDN(2) systems [triggered after redirection]
  • remove redirection [triggered upon IPv4 renewals]
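One way to implement the stream-proxy option suggested above, as an added example that is not from the thread: an nginx `stream` block on a dual-stack host that relays raw TCP for ports 80 and 443 from the IPv6 address behind the AAAA record to the IPv4-only GKE load balancer. The backend address is a placeholder, and nginx must be built with the stream module.

```nginx
# Added example (not from the thread). nginx terminates nothing here: it relays
# raw bytes, so the TLS session still ends at the GKE load balancer and the
# existing IPv4 certificate is what Let's Encrypt sees, whichever address
# family its validation server picks.
stream {
    upstream gke_ipv4_http {
        # Placeholder: IPv4 address of the GKE ingress / load balancer.
        server 203.0.113.10:80;
    }

    upstream gke_ipv4_https {
        server 203.0.113.10:443;
    }

    # HTTP-01 validation starts on port 80 (and may follow a redirect to 443),
    # so both ports must be reachable over IPv6.
    server {
        listen [::]:80;
        proxy_pass gke_ipv4_http;
        proxy_connect_timeout 5s;
    }

    server {
        listen [::]:443;
        proxy_pass gke_ipv4_https;
        proxy_connect_timeout 5s;
        # Optional: preserve the client address for the backend. Enable only
        # if the GKE side is configured to accept PROXY protocol.
        # proxy_protocol on;
    }
}
```

Because no TLS is terminated on the relay, the IPv6 host needs no certificate of its own, and the redirect/renew sequence in the bullets above becomes unnecessary.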
