IPv6/AAAA Certificates

Hello,

We are using cPanel’s official Let’s Encrypt plugin. We have an issue: certificates are not being installed for IPv6 subdomains. Please let me know how to fix this. As far as I know, the Let’s Encrypt provider does default to IPv6?

    Log for the AutoSSL run for “user”: Saturday, February 10, 2018 10:16:02 AM GMT+0100 (Let’s Encrypt™)
    10:16:02 AM This system has AutoSSL set to use “Let’s Encrypt™”.
    10:16:02 AM Checking websites for “user” …
    10:16:03 AM The website “mysite.com”, owned by “user”, has a valid SSL certificate, but additional SSL coverage may be possible for the domain “ipv6.mysite.com”. The system will attempt to replace this certificate with one that includes this additional domain.
    10:16:03 AM WARN The domain “ipv6.mysite.com” failed domain control validation: “ipv6.mysite.com” does not resolve to any IPv4 addresses on the internet.
    10:16:03 AM AutoSSL cannot add any new domains to SSL coverage for the website “mysite.com”.
    10:16:03 AM The system has completed the AutoSSL check for “user”.

Sounds more like an AutoSSL/cPanel thing to me than a Let’s Encrypt thing. Let’s Encrypt indeed defaults to IPv6 and that normally works perfectly.

There are some outstanding problems with IPv6 and the DCV mechanism in cPanel 68. These have been fixed in cPanel 70, which is in CURRENT TIER but not yet RELEASE tier.

In any case, you should open a ticket with cPanel support (tickets.cpanel.net) - they will be able to get to the bottom of it quickly.

2 Likes

Yes, I am using cPanel v70 and have created a ticket with cPanel support. I got the response below from cPanel.

Regarding the AutoSSL issue, please note that at this time the cPanel (powered by Comodo) AutoSSL provider does not perform Domain Control Validation over IPv6. The Let's Encrypt provider does default to IPv6.

I am not sure what the cPanel CSR is implying. Perhaps that it is just not supported?

ipv6. is itself a cPanel-generated subdomain that only creates an AAAA record without an A record.

If AutoSSL is performing DCV against ipv6. in a way that relies on the existence of an IPv4 address, it is very clearly a bug in AutoSSL.

I would try pushing back (maybe link them to this post), or there is always the option of asking for a new representative.

So we need to set up a temporary "A" record that resolves to an IPv4 address to allow the domain validation process to succeed. Once it succeeds, we can remove the "A" record until the next AutoSSL renewal attempt?

One more response below from cPanel.

It looks like AutoSSL requires an IPv4 address at this moment in time; IPv6-only domain names (or subdomains) are not currently supported with the AutoSSL feature. Unfortunately, AAAA requests are not currently supported with AutoSSL. We started working on adding support for it; however, we had to delay the feature because we need to ensure our SSL vendors support AAAA lookups/DCV checks first. We hope to see it implemented soon.

1 Like

I guess you could try adding an A record for the ipv6. subdomain, but on the face of it, it appears to defeat the purpose of the record, no? Especially since mysite.com should have both an A and AAAA record anyway.

I’m not sure why one would care about that name being on the certificate - AutoSSL should just skip over it and issue a certificate with all the other names.

1 Like

OK, added, but it is still not fixed. Please let me know about this issue. Now I see all the other subdomains do not have a certificate.

    Log for the AutoSSL run for “nadda”: Saturday, February 10, 2018 11:06:17 AM GMT+0100 (Let’s Encrypt™)
    11:06:17 AM This system has AutoSSL set to use “Let’s Encrypt™”.
    11:06:17 AM Checking websites for “nadda” …
    11:06:17 AM The website “mysite.com”, owned by “nadda”, has a valid SSL certificate, but additional SSL coverage may be possible for the domain “ipv6.mysite.com”. The system will attempt to replace this certificate with one that includes this additional domain.
    11:06:17 AM The system will attempt to renew the SSL certificate for the website (mysite.com: mysite.com www.mysite.com mail.mysite.com webmail.mysite.com cpanel.mysite.com whm.mysite.com webdisk.mysite.com ipv6.mysite.com)
    11:06:32 AM WARN “whm.mysite.com” failed its authorization because of an error: Fetching http://whm.nirjonmela.com/.well-known/acme-challenge/_f0o8vPs9lk8SB0GQ9K-UV6YQ7oLxJNJGWjGozS881I: Timeout (The server could not connect to the client for validation (urn:acme:error:connection))
    11:06:32 AM WARN “webdisk.mysite.com” failed its authorization because of an error: Fetching http://webdisk.mysite.com/.well-known/acme-challenge/DVq4MuFl_w6e9FUVei_Z9RN498hTEdCPvt5wxteCDt8: Timeout (The server could not connect to the client for validation (urn:acme:error:connection))
    11:06:32 AM WARN “cpanel.mysite.com” failed its authorization because of an error: Fetching http://cpanel.mysite.com/.well-known/acme-challenge/oohX-TyGFLLGawlAcFNlHieWznwFiwebvjaiY4IhdNY: Timeout (The server could not connect to the client for validation (urn:acme:error:connection))
    11:06:32 AM WARN “ipv6.mysite.com” failed its authorization because of an error: Fetching http://ipv6.mysite.com/.well-known/acme-challenge/GqLKMZyzc5tEnGYvOFVq_0xsjZCFUIlDuSJOSFuGA3E: Timeout (The server could not connect to the client for validation (urn:acme:error:connection))
    11:06:32 AM WARN “www.mysite.com” failed its authorization because of an error: Fetching http://www.mysite.com/.well-known/acme-challenge/NYh4LzT8FCFc0ZlxVco9JZkasyVvWKlfbN8aZx3gU5s: Timeout (The server could not connect to the client for validation (urn:acme:error:connection))
    11:06:32 AM WARN “mysite.com” failed its authorization because of an error: Fetching http://mysite.com/.well-known/acme-challenge/_7jSlI-3ReOkHB8bLG1RLdEwTk-hCtOo0P8-myKV97g: Timeout (The server could not connect to the client for validation (urn:acme:error:connection))
    11:06:33 AM SUCCESS The system has installed a new certificate onto “nadda”’s website “mysite.com”.
    11:06:33 AM The system has completed the AutoSSL check for “nadda”.
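
The two logs quoted in this thread report failures at different stages: the first is AutoSSL's own domain control validation complaining about a missing IPv4 address, the second is the CA's HTTP-01 fetch returning an ACME error. The following is an added example, not part of any post and not cPanel's code, that separates the two in an AutoSSL log; the sample lines are constructed, with `example.com` and the shortened tokens as placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the two AutoSSL logs quoted in this thread
# (example.com and TOKEN1/TOKEN2 are placeholders).
SAMPLE_LOG = """\
10:16:03 AM WARN The domain “ipv6.example.com” failed domain control validation: “ipv6.example.com” does not resolve to any IPv4 addresses on the internet.
11:06:32 AM WARN “www.example.com” failed its authorization because of an error: Fetching http://www.example.com/.well-known/acme-challenge/TOKEN1: Timeout (The server could not connect to the client for validation (urn:acme:error:connection))
11:06:32 AM WARN “ipv6.example.com” failed its authorization because of an error: Fetching http://ipv6.example.com/.well-known/acme-challenge/TOKEN2: Timeout (The server could not connect to the client for validation (urn:acme:error:connection))
11:06:33 AM SUCCESS The system has installed a new certificate onto “user”’s website “example.com”.
"""

# Stage 1: AutoSSL's domain control validation message, as worded in the first log.
LOCAL_DCV = re.compile(
    r"WARN The domain “(?P<name>[^”]+)” failed domain control validation: (?P<reason>.+)$")
# Stage 2: a failed ACME authorization, carrying the CA's error URN (second log).
ACME_AUTHZ = re.compile(
    r"WARN “(?P<name>[^”]+)” failed its authorization because of an error: "
    r".*\((?P<urn>urn:acme:error:[A-Za-z]+)\)\)$")


def classify(log_text):
    """Return {stage: {hostname: detail}} for every WARN line recognised."""
    out = defaultdict(dict)
    for line in log_text.splitlines():
        line = line.strip()
        m = LOCAL_DCV.search(line)
        if m:
            out["autossl_local_dcv"][m["name"]] = m["reason"]
            continue
        m = ACME_AUTHZ.search(line)
        if m:
            out["acme_http01"][m["name"]] = m["urn"]
    return dict(out)


def ipv4_only_rejections(findings):
    """Names whose DCV failure was the 'no IPv4 addresses' message."""
    return sorted(name for name, reason in findings.get("autossl_local_dcv", {}).items()
                  if "does not resolve to any IPv4" in reason)


if __name__ == "__main__":
    found = classify(SAMPLE_LOG)
    for stage, names in found.items():
        for name, detail in sorted(names.items()):
            print(f"{stage:18} {name:20} {detail}")
    print("failed for lack of an IPv4 address:", ipv4_only_rejections(found))
```

A name that appears only under `autossl_local_dcv` never reached the CA, while names under `acme_http01` were attempted and failed at the CA's validation request.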

I think you should continue this with cPanel support since they have access to your server. In any case, we can’t help unless you stop redacting the domain.

Is the domain viewed only by Let’s Encrypt support?

So now we are back to the AutoSSL provider cPanel (powered by Comodo). Now all certificates are installed.

This fixed it: all certificates are installed with the AutoSSL provider cPanel (powered by Comodo). So why does it not work with the AutoSSL provider Let’s Encrypt™?
