IPv4 used instead of IPv6

I have a self-hosted web server and my provider (Vodafone) assigns only IPv6 addresses
and an IPv4 pool address, which is not a real address, or rather not an existing one.

Yesterday I used certbot and it worked with another domain, and today it does not, because ACME uses only the IPv4 address. Is there a way to force certbot to use IPv6 and ignore IPv4?

My domain is:
sevcom.zapto.org

I ran this command:
certbot --apache -d sevcom.zapto.org

It produced this output:
"type": "urn:ietf:params:acme:error:connection",
"detail": "92.72.34.68: Fetching http://sevcom.zapto.org/.well-known/acme-challenge/Bhv6lMZLKuvshmE-996qIEEhrMhX2N64Sh-rLC8UdUc: Connection refused",
"status": 400

My web server is (include version):
Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 22.04

My hosting provider, if applicable, is:
DynDNS Provider no-ip.com and sevcom.zapto.org is an AAAA Host.

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
ssh

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Complete log:

{
  "identifier": {
    "type": "dns",
    "value": "sevcom.zapto.org"
  },
  "status": "invalid",
  "expires": "2024-01-05T00:00:22Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "92.72.34.68: Fetching http://sevcom.zapto.org/.well-known/acme-challenge/Bhv6lMZLKuvshmE-996qIEEhrMhX2N64Sh-rLC8UdUc: Connection refused",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/298439216086/Ega-hA",
      "token": "Bhv6lMZLKuvshmE-996qIEEhrMhX2N64Sh-rLC8UdUc",
      "validationRecord": [
        {
          "url": "http://sevcom.zapto.org/.well-known/acme-challenge/Bhv6lMZLKuvshmE-996qIEEhrMhX2N64Sh-rLC8UdUc",
          "hostname": "sevcom.zapto.org",
          "port": "80",
          "addressesResolved": [
            "92.72.34.68",
            "2a00:1f:b600:901:a00:27ff:fe84:1eac"
          ],
          "addressUsed": "2a00:1f:b600:901:a00:27ff:fe84:1eac"
        },
        {
          "url": "http://sevcom.zapto.org/.well-known/acme-challenge/Bhv6lMZLKuvshmE-996qIEEhrMhX2N64Sh-rLC8UdUc",
          "hostname": "sevcom.zapto.org",
          "port": "80",
          "addressesResolved": [
            "92.72.34.68",
            "2a00:1f:b600:901:a00:27ff:fe84:1eac"
          ],
          "addressUsed": "92.72.34.68"
        }
      ],
      "validated": "2023-12-29T00:00:25Z"
    }
  ]
}

Hello @Robin-Masters, welcome to the Let's Encrypt community. :slightly_smiling_face:

Please share the output from the machine you are trying to get certificates issued from:

curl -4 ifconfig.co
curl -6 ifconfig.co

and/or

curl -4 ifconfig.io
curl -6 ifconfig.io
1 Like

Hello @Bruce5051, of course, and like I said:

curl -4 ifconfig.co
92.72.34.68

curl -6 ifconfig.co
2a00:1f:b600:901:a00:27ff:fe84:1eac

2 Likes

From what the world believes your IPv4 address is, both ports 80 & 443 are filtered (usually a firewall).

>nmap -4 -Pn -p80,443 sevcom.zapto.org
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-29 00:39 UTC
Nmap scan report for sevcom.zapto.org (92.72.34.68)
Host is up.
Other addresses for sevcom.zapto.org (not scanned): 2a00:1f:b600:901:a00:27ff:fe84:1eac
rDNS record for 92.72.34.68: dslb-092-072-034-068.092.072.pools.vodafone-ip.de

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.87 seconds

From what the world believes your IPv6 address is, port 80 is filtered (usually a firewall),
yet port 443 is open.

>nmap -6 -Pn -p80,443 sevcom.zapto.org
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-29 00:39 UTC
Nmap scan report for sevcom.zapto.org (2a00:1f:b600:901:a00:27ff:fe84:1eac)
Host is up (0.16s latency).
Other addresses for sevcom.zapto.org (not scanned): 92.72.34.68

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 3.59 seconds
2 Likes

So your IP addresses match what the world believes. Nice. :slight_smile:

However, the only connection is via IPv6 on port 443, and its certificate is not trusted:

>curl -6 -k -Ii https://sevcom.zapto.org
HTTP/1.1 400 Bad Request
Date: Fri, 29 Dec 2023 00:41:40 GMT
Server: Apache
Strict-Transport-Security: max-age=15552000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-SlVzZ2lNWDdibXF0ZTM5eXdQc3d2dGZjL0lFcnM5MTcrb1VaVkJLWm4xaz06SFNsRzhaV1dKU2JMTDFRcmhJeDkrT2VPemNoRjJxOGhuK3AwSWtMdjJqWT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8
Set-Cookie: oc_sessionPassphrase=t%2BcujDUNEiiQ7lsC3HMFuY5H8rt7jDPo%2Fq%2BHUPEjYsD3Vy%2B2tyN5E4LO%2FnA2fLg21zGDQoqFga3bsRTQSQ1DKdstSGsZu2wY6UTpzwP3M6oaCvJYCdYYPAxzISS65Uzc; path=/; secure; HttpOnly; SameSite=Lax
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Set-Cookie: oc3bhzc507vj=l89jcn9i61pm4emipdu5hf6tea; path=/; secure; HttpOnly; SameSite=Lax
Connection: close
1 Like

Try showing the log after doing it with more logging:
certbot --apache -d sevcom.zapto.org -v
OR
certbot --apache -d sevcom.zapto.org -vv

2 Likes

And using the online tool Let's Debug yields these results: https://letsdebug.net/sevcom.zapto.org/1752409

AAAANotWorking
ERROR
sevcom.zapto.org has an AAAA (IPv6) record (2a00:1f:b600:901:a00:27ff:fe84:1eac) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
A timeout was experienced while communicating with sevcom.zapto.org/2a00:1f:b600:901:a00:27ff:fe84:1eac: Get "http://sevcom.zapto.org/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://sevcom.zapto.org/.well-known/acme-challenge/letsdebug-test (using initial IP 2a00:1f:b600:901:a00:27ff:fe84:1eac)
@0ms: Dialing 2a00:1f:b600:901:a00:27ff:fe84:1eac
@10001ms: Experienced error: context deadline exceeded
ANotWorking
ERROR
sevcom.zapto.org has an A (IPv4) record (92.72.34.68) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://sevcom.zapto.org/.well-known/acme-challenge/letsdebug-test": dial tcp 92.72.34.68:80: connect: connection refused

Trace:
@0ms: Making a request to http://sevcom.zapto.org/.well-known/acme-challenge/letsdebug-test (using initial IP 92.72.34.68)
@0ms: Dialing 92.72.34.68
@5171ms: Experienced error: dial tcp 92.72.34.68:80: connect: connection refused
IssueFromLetsEncrypt
ERROR
A test authorization for sevcom.zapto.org to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
92.72.34.68: Fetching http://sevcom.zapto.org/.well-known/acme-challenge/duwBYB1l0JI6fSKzr7k2EbSwlm7cNfrr5Kge1s3GX4E: Connection refused
2 Likes
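The authorization log in the first post and the Let's Debug output above both show the CA connecting to the AAAA address first and only then retrying over the A address, while the reported error names the last address tried. The Python below is added here for illustration and is not code from the thread, certbot, or Let's Debug: it walks the validationRecord entries of an authorization to show that ordering, and probes port 80 over every A and AAAA address the way Let's Debug does. The sample authorization, the hostname example.test and its addresses are constructed.

```python
import socket

# Constructed sample shaped like the ACME authorization certbot logs after a failed
# http-01 challenge (addresses and token are made up, not the thread's real ones).
RESOLVED = ["192.0.2.10", "2001:db8::10"]
SAMPLE_AUTHZ = {
    "challenges": [{"type": "http-01", "status": "invalid",
        "error": {"type": "urn:ietf:params:acme:error:connection",
                  "detail": "192.0.2.10: Fetching http://example.test/.well-known/"
                            "acme-challenge/TOKEN: Connection refused"},
        "validationRecord": [  # AAAA is tried first; A is a retry after IPv6 failed
            {"port": "80", "addressesResolved": RESOLVED, "addressUsed": "2001:db8::10"},
            {"port": "80", "addressesResolved": RESOLVED, "addressUsed": "192.0.2.10"}]}],
}


def explain_http01_attempts(authz):
    """Per http-01 attempt, in order: the address the CA used and the outcome. The
    'error' field covers only the LAST attempt, so an IPv6 failure is easy to miss."""
    attempts = []
    for chal in authz.get("challenges", []):
        if chal.get("type") != "http-01":
            continue
        records = chal.get("validationRecord", [])
        detail = chal.get("error", {}).get("detail", "")
        for i, rec in enumerate(records):
            addr = rec["addressUsed"]
            if i < len(records) - 1:
                outcome = "failed (not reported); CA retried with the next address"
            else:
                outcome = ("reported error: " + detail) if detail else "succeeded"
            attempts.append({"family": "IPv6" if ":" in addr else "IPv4",
                             "address": addr, "outcome": outcome})
    return attempts


def probe_port80(hostname, timeout=5.0):
    """TCP-connect to port 80 over every A and AAAA address, as Let's Debug does.
    Needs network; returns {address: 'open'|'refused'|'timeout'|'unreachable'}."""
    results = {}
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, 80, type=socket.SOCK_STREAM):
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect(sockaddr)
                results[sockaddr[0]] = "open"
            except ConnectionRefusedError:
                results[sockaddr[0]] = "refused"
            except OSError as e:  # timed out (filtered) or no route
                results[sockaddr[0]] = "timeout" if isinstance(e, socket.timeout) else "unreachable"
    return results
```

Run `explain_http01_attempts` on the JSON certbot prints with `-v`; a "timeout" for the IPv6 address from `probe_port80` alongside "refused" for IPv4 matches the pattern in this thread.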

@Bruce5051

Thanks for your hint, and very embarrassing for me: a misconfiguration of the firewall .. :face_with_peeking_eye: port 80 was pointing to the wrong IPv6 address.

Now it's working.

Many thanks and sorry.

4 Likes

This is the certificate presently being served, Hardenize Report: sevcom.zapto.org
The certificate contains the name core-net.zapto.org, but not the name sevcom.zapto.org.

2 Likes

That's correct... it's a reverse proxy with 3 domains and one IPv6 address.

Try it again...

2 Likes
