IPv6 by default is causing huge issues - we do not host IPv6 sites

Hi all,
I understand LE has recently changed authentication to use IPv6 first - is there any way to override this in the certificate request, so it uses IPv4. This is a major problem for us we host alot of IPv4 sites.

I user certbot-auto.

Here is the log entry indicating it is using IPv6 as the preferred authentication address.

“status”: “invalid”,
“expires”: “2018-10-09T09:09:02Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: “Invalid response from http://www.redacted.co.uk/.well-known/acme-challenge/WycQYZeAV4USVxlf7hlAGKCQQQhmvtWRMnGgZlSeWbw: “\u003c!DOCTYPE HTML PUBLIC \”-//IETF//DTD HTML 2.0//EN\”\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e300 Multiple Choices\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eMultiple C"",
“status”: 403
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/jG86fEpuZZsf_geMmsTQHv5ezlfbyRGSrV-zQqbOAlc/7876714656”,
“token”: “WycQYZeAV4USVxlf7hlAGKCQQQhmvtWRMnGgZlSeWbw”,
“validationRecord”: [
{
“url”: “http://www.redacted.co.uk/.well-known/acme-challenge/WycQYZeAV4USVxlf7hlAGKCQQQhmvtWRMnGgZlSeWbw”,
“hostname”: “www.redacted.co.uk”,
“port”: “80”,
“addressesResolved”: [
“93.xxx.xxx.xxx”,
“2001:8d8:100f:f000::2d1”
],
“addressUsed”: “2001:8d8:100f:f000::2d1” <----- this is the default holding page of 1and1 hosting.
}
]
},

As far as I know there isn’t a way to force LE to use IPv4 over IPv6. However, if this is happening you have a much bigger problem. Not only will Let’s Encrypt use the IPv6 address - so will everyone with an IPv6-enabled connection. (Which is something like ~25% of Internet users according to Google.) This means if Let’s Encrypt can’t see your site, neither can those users.

The solution is to make sure IPv4-only web sites don’t have AAAA records. Doing this depends on how your DNS is set up. If you manage it yourself (i.e. you manually associate domains with IP addresses) then you should be able to remove the AAAA records yourself. If your host handles it then you’d need to contact them.

1 Like

Thanks Ben - very good point… the client will have to delete the record as its clearly going to affect their SEO.

Hi @cbragg

this isn't a problem. Use only ipv4 - addresses as dns-entries, only A, no AAAA - record. Then it works.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.