IPv6 Not Working in Certbot


#1

I wasn’t sure if this was worth a new thread, but I need to ask. I’ve been using certbot-auto on my CentOS 7 machine for a couple of months now with no problems; however, two days ago it stopped working (or so I thought). Today, when trying to download it again via wget, I noticed that the IPv6 connection was failing with a timeout and then the IPv4 one succeeded. How can I go about diagnosing the issue?

Everything works, but I have to wait 2 minutes or so for the IPv6 contact to time out and then the IPv4 tasks go quickly.


#2

Does your machine actually have functional IPv6 access to the internet?

If not, disable IPv6.

If so, repair your IPv6 networking, e.g. make sure ping -6 google.com works.


#3

Gotcha, yeah, our server doesn’t have an IPv6 connection. I disabled it by running both

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

Is there a certbot option that shifts the preferred connection to the IPv4 one?


#4

Which step of the process are you referring to? The download via wget, or Certbot’s connection to the Let’s Encrypt API service, or the challenge validation from the CA over IPv6?

For the download via wget, you can use wget -4 instead of just wget.

For Certbot’s connection to the Let’s Encrypt API, what you did is the best fix (or removing IPv6 routes using route -6, or figuring out where the spurious or unusable IPv6 routes are coming from).

For the validation step, removing non-working DNS AAAA records for your server is the best fix, or fixing the server’s IPv6 connection.
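The checks suggested in #2 and the three-way split in #4 (download, ACME API connection, challenge validation) can be turned into a small triage script. This is an added example, not code from the thread or from Certbot; it assumes a Linux host with iproute2, curl and dig, and the ACME_HOST default is the current Let's Encrypt production API name, which the posts above do not mention. The parsing and decision functions read constructed sample output, so they can be exercised without network access; `--live` runs the real lookups.

```sh
#!/bin/sh
# Added example (not from the thread): triage the three places a missing IPv6
# path slows down or breaks the Certbot flow. The decision logic is separated
# from the live lookups so each part can be checked against sample output.

# Does `ip -6 addr` output (stdin) contain a globally scoped address?
# Prints "global" or "none". Link-local fe80:: addresses do not count.
v6_addr_scope() {
  awk '$1 == "inet6" && $4 == "global" { g = 1 } END { print (g ? "global" : "none") }'
}

# Does `ip -6 route` output (stdin) contain a default route? Prints "yes" or "no".
# A default route with no working uplink is exactly what makes clients try IPv6
# first and wait for the timeout before falling back to IPv4.
v6_default_route() {
  if grep -q '^default ' ; then echo yes; else echo no; fi
}

# Count AAAA answers in `dig +short AAAA <name>` output (stdin). CNAME targets
# may appear in that output too, so only lines containing ':' are counted.
aaaa_count() {
  grep -c ':' || true
}

# Map the collected facts onto the advice given in the thread.
# args: addr_scope (global|none)  default_route (yes|no)  probe (ok|fail)  aaaa_count
triage() {
  scope=$1; route=$2; probe=$3; aaaa=$4
  if [ "$probe" = "ok" ]; then
    echo "ipv6-working: no change needed; with $aaaa AAAA record(s), validation uses IPv6 only if that count is non-zero"
  elif [ "$scope" = "none" ] && [ "$route" = "no" ]; then
    if [ "$aaaa" -gt 0 ]; then
      echo "stale-aaaa: host has no IPv6 at all but $aaaa AAAA record(s) exist; remove them so validation does not target IPv6"
    else
      echo "no-ipv6: nothing to repair on the server; use wget -4 for downloads"
    fi
  else
    echo "broken-ipv6: IPv6 address or default route present but the API is unreachable over IPv6; disable IPv6 (sysctl disable_ipv6=1) or remove the unusable route, and drop any AAAA records (found: $aaaa)"
  fi
}

# Live collection. ACME_HOST is an assumption (Let's Encrypt production API);
# PROBE_TIMEOUT keeps the IPv6 probe from taking the two minutes seen in #1.
run_live() {
  domain=$1
  scope=$(ip -6 addr show 2>/dev/null | v6_addr_scope)
  route=$(ip -6 route show 2>/dev/null | v6_default_route)
  if curl -6 -sS -m "${PROBE_TIMEOUT:-5}" -o /dev/null \
       "https://${ACME_HOST:-acme-v02.api.letsencrypt.org}/directory"; then
    probe=ok
  else
    probe=fail
  fi
  aaaa=$(dig +short AAAA "$domain" 2>/dev/null | aaaa_count)
  triage "$scope" "$route" "$probe" "$aaaa"
}

# Usage: sh v6-triage.sh --live example.com
case "${1:-}" in
  --live) run_live "${2:?domain name required}" ;;
esac
```

The `broken-ipv6` outcome is the situation described in #1: an IPv6 address or route exists, so wget and Certbot try IPv6 first, but nothing answers until the connection times out. `stale-aaaa` covers the validation step from #4, where the server itself may be fine but the CA is pointed at an IPv6 address that does not work.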