IPv6 domain fails during renewal

I have a certificate which involves several domains, including one IPv6-only domain.
I had no trouble creating the certificate, and as of a few weeks ago, all was well when I tested the renewal with the following command:

certbot renew --standalone --dry-run

But now that it is time to do the renewal, it consistently fails with the following message:

Attempting to renew cert from /etc/letsencrypt/renewal/gentoo.toadpen.com.conf produced an unexpected error: Failed authorization procedure. nonmicrosoft.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to [2600:3c01::f03c:91ff:fe69:89e9]:443 for TLS-SNI-01 challenge, www.nonmicrosoft.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to [2600:3c01::f03c:91ff:fe69:89e9]:443 for TLS-SNI-01 challenge. Skipping.

I can’t see any problems with my DNS settings, nor any problems communicating with the IPv6 address of the server. It has a perfectly good AAAA record.

The server is running Gentoo, with Apache 2.4.25.

Does anyone have any ideas what might be going on here?

certbot --standalone doesn't support IPv6.

Let’s Encrypt supports it; Certbot’s standalone server just doesn’t.

You can use DNS-01, or HTTP-01 or TLS-SNI-01 with a web server, or even set up some sort of proxy in front of Certbot… Just not, uh, this.

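The diagnosis above can be turned into a pre-flight check. The script below is an added example, not code from this thread or from Certbot: it parses the failure text Certbot printed in the question (domain, challenge type, ACME error URN and the address the CA tried to reach), then lists the names that have AAAA but no A records, which is exactly what an IPv4-only standalone listener cannot serve. The DNS answers used when it runs are constructed for an offline demonstration and were not looked up; swap in `system_resolver` to query real DNS. Dual-stack names are deliberately not flagged, since whether those validate depends on the CA's IPv4 fallback behaviour, which this thread does not cover.

```python
"""Added example (not from the thread): triage a Certbot renewal failure.

1. parse_acme_failures() pulls each failed authorization out of the error text
   Certbot prints: name, challenge, ACME error URN and the address the CA tried.
2. ipv6_only_names() lists names with AAAA but no A records, i.e. the names the
   answer above says Certbot's IPv4-only standalone listener cannot serve.
"""
import re
import socket

# Constructed sample: the error text quoted in the question, as one string.
SAMPLE_ERROR = (
    "Attempting to renew cert from /etc/letsencrypt/renewal/gentoo.toadpen.com.conf "
    "produced an unexpected error: Failed authorization procedure. "
    "nonmicrosoft.com (tls-sni-01): urn:acme:error:connection :: The server could not "
    "connect to the client to verify the domain :: Failed to connect to "
    "[2600:3c01::f03c:91ff:fe69:89e9]:443 for TLS-SNI-01 challenge, "
    "www.nonmicrosoft.com (tls-sni-01): urn:acme:error:connection :: The server could not "
    "connect to the client to verify the domain :: Failed to connect to "
    "[2600:3c01::f03c:91ff:fe69:89e9]:443 for TLS-SNI-01 challenge. Skipping."
)

# One failed authorization looks like "<name> (<challenge>): <urn> :: <detail>";
# entries are separated by ", " and the list ends with ". Skipping.".  The
# lookahead stops the lazy <detail> from swallowing the next entry.
FAILURE_RE = re.compile(
    r"(?P<name>[\w.-]+) \((?P<challenge>[\w-]+)\): (?P<urn>urn:[\w:.-]+) :: "
    r"(?P<detail>.+?)(?=, [\w.-]+ \([\w-]+\): |\. Skipping\.|$)",
    re.DOTALL,
)
# The address the CA tried: "[v6]:port" or "v4:port".
TARGET_RE = re.compile(
    r"Failed to connect to (?:\[(?P<v6>[0-9a-fA-F:]+)\]|(?P<v4>\d+(?:\.\d+){3})):(?P<port>\d+)"
)


def parse_acme_failures(text):
    """Return one dict per failed authorization found in Certbot's error text."""
    failures = []
    for m in FAILURE_RE.finditer(text):
        entry = {"name": m["name"], "challenge": m["challenge"],
                 "urn": m["urn"], "detail": m["detail"], "target": None}
        t = TARGET_RE.search(m["detail"])
        if t:
            entry["target"] = (t["v6"] or t["v4"], int(t["port"]))
        failures.append(entry)
    return failures


def system_resolver(name):
    """Address families the system resolver returns for name (empty if unresolvable)."""
    try:
        return {ai[0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def ipv6_only_names(names, resolver=system_resolver):
    """Names that have AAAA but no A records, i.e. reachable over IPv6 only."""
    result = []
    for name in names:
        families = resolver(name)
        if socket.AF_INET6 in families and socket.AF_INET not in families:
            result.append(name)
    return result


def standalone_renewal_risks(authenticator, names, resolver=system_resolver):
    """Names that --standalone cannot validate per the answer above: the IPv6-only ones.

    Dual-stack names are not flagged; whether they pass depends on the CA's IPv4
    fallback, which the thread does not discuss (assumption, not verified here).
    """
    if authenticator != "standalone":
        return []
    return ipv6_only_names(names, resolver)


# Constructed DNS answers so the example runs offline; real zone data was not checked.
FAKE_DNS = {
    "nonmicrosoft.com": {socket.AF_INET6},
    "www.nonmicrosoft.com": {socket.AF_INET6},
    "dualstack.example": {socket.AF_INET, socket.AF_INET6},
    "v4only.example": {socket.AF_INET},
}


def fake_resolver(name):
    """Offline stand-in for system_resolver, backed by FAKE_DNS."""
    return FAKE_DNS.get(name, set())


if __name__ == "__main__":
    failures = parse_acme_failures(SAMPLE_ERROR)
    for f in failures:
        print(f"{f['name']}: {f['challenge']} {f['urn']} target={f['target']}")
    names = sorted({f["name"] for f in failures}) + ["dualstack.example", "v4only.example"]
    print("IPv6-only under standalone:", standalone_renewal_risks("standalone", names, fake_resolver))
```

Run it against the output of a failed `certbot renew --dry-run`, with `system_resolver`, before switching authenticators: if it lists names, `--standalone` is the wrong authenticator for them, and the `--apache`, webroot or DNS-01 routes mentioned above are the fix.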

Well that explains what the problem is, although I guess I’ll never know why it successfully did a dry run a few weeks ago.

Anyway, using the command ‘certbot renew --apache’ it renewed with no errors, so all is well.

Thanks for your help!
