Ipv6 address returns 404, ipv4 is good, but failed to verify the domain

From this issue:

The domain has both ipv4 and ipv6 resolved. but the web server is only process request at ipv4 address.

When verifying the domain via webroot method, the CA validation server prefers to use ipv6.

It’s better if the CA server can visit both of the ipv4 and ipv6 to verify the domain, and verify success if either of the address passes.

what do you guys think ?

Hi @neilpang,

The intention was to have the Validation Authority of the CA try IPv6 first if there is an AAAA record, and fall back to IPv4 if the AAAA record timed out or failed. There is a known issue right now (HTTP-01 IPv6 to IPv4 fallback not working properly · Issue #2770 · letsencrypt/boulder · GitHub) where it appears the initial IPv6 request may use the full VA timeout preventing the IPv4 fallback from happening.

Why is the user unable to provision a challenge response server on the IPv6 address?

Yes, the user can modify his server conf to listen on ipv6 too, but that doesn’t make sense.

The auto-renewal was failed because of recent ipv6 feature of boulder. it was first issued successfully.

Thanks for your reply.

Why doesn't it make sense? There's an AAAA record advertising an IPv6 address for the domain. If there's no IPv6 webserver, why have the AAAA?


Remember that lots of mobile providers have enabled IPv6 these days. I’ll end up getting 404s on LTE but not on WiFi if their server is configured this way. It doesn’t just break Let’s Encrypt!

1 Like

Yes, I almost agree with you. but there is no reason, they just have AAAA record on the domain.

In the current Internet world, ipv6 is not so widely used.
No matter by mistake or in purpose, they have a ipv6 on the domain, it’s better if the validation can pass smoothly on either ipv6 or ipv4.

In memory, the ACME protocol doesn’t specify whether to use ipv4 or ipv6. As long as a user can prove the domain(no matter on ipv4 or ipv6), he should be able to request a cert.

what do you think?

Seems like an easy fix then :slight_smile: They can remove the AAAA record they have without reason and it will work.

I think there's work to be done on improving the IPv4 fallback to help with this situation but overall I'm not supportive of a mode that allows you to specify whether the validation is done over IPv4 or IPv6 - the user already has full control of that by means of their DNS. If you 100% only want validation to be done with IPv4, don't advertise an IPv6 address. Working around this at a protocol level is the wrong answer.