IPv6-only host doesn't verify


#1

I’m trying to switch a semi-public IPv6-only host from DNS challenge to normal HTTP challenge.

My domain is: online-distfiles.bec.de

The client is getssl and it is working perfectly fine for those hosts with both A and AAAA records. For the domain above, it persistently reports the verification request as “pending”. More importantly, the only requests I see in the server log are from my local machine when getssl verifies that the challenge is present. There is no sign of any requests from 3rd party origins.
Could someone please check the logs on the ACME side for why no requests for the challenge are being created?


#2

If the authorization is stuck in a pending state, it suggests that the client is not submitting the challenge for validation at all. Otherwise, it would be in a “valid” or “invalid” state. Perhaps the client itself is having issues with IPv6-only hosts. Either way, it’s unlikely that the ACME server logs would reveal any of that.

Running the client in debug mode with -d might reveal where it’s stuck. Make sure you’re also using a client version >= 1.31; that release fixed an issue caused by Let’s Encrypt starting to re-use existing authorizations which would manifest as a challenge stuck in a pending state.


#3

Well, the answer for the “please-check-my-challenge” request from the Boulder is:
https://acme-v01.api.letsencrypt.org/acme/challenge/ES8xZnhhgPhP62zADO--y9MZ7h-sBZg9FE0gvhcUJmg/214334368
with Boulder-Request-Id rGtEqcazD7VVsGS4P9oYKKqLumqtNJkFDjRBwTgGPwQ.


#4

You already have a valid authorization object for your domain: https://acme-v01.api.letsencrypt.org/acme/authz/ES8xZnhhgPhP62zADO--y9MZ7h-sBZg9FE0gvhcUJmg

That means you’re in all likelihood running into the authz re-use issue. See the second part of my reply:
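
Added example, not part of the thread and not getssl's code: a Python sketch of the client-side decision discussed in replies #2 and #4. The authorization objects are constructed samples shaped like ACME v1 responses, the function names and action labels are hypothetical, and it is an assumption of the sample that the unused http-01 challenge of a re-used authorization stays pending.

```python
import json

# Constructed sample of a re-used authorization: the name was validated
# earlier via dns-01, so the authz is valid while http-01 is still pending.
REUSED = json.loads("""{
  "identifier": {"type": "dns", "value": "ipv6only.example"},
  "status": "valid",
  "challenges": [{"type": "dns-01", "status": "valid"},
                 {"type": "http-01", "status": "pending"}]
}""")

# Constructed sample of a fresh authorization: nothing validated yet.
FRESH = json.loads("""{
  "identifier": {"type": "dns", "value": "ipv6only.example"},
  "status": "pending",
  "challenges": [{"type": "dns-01", "status": "pending"},
                 {"type": "http-01", "status": "pending"}]
}""")


def challenge(authz, ctype):
    """Return the challenge of the given type, or None if it is not offered."""
    return next((c for c in authz.get("challenges", [])
                 if c.get("type") == ctype), None)


def naive_step(authz, ctype="http-01"):
    """Hypothetical logic that looks only at the chosen challenge's status."""
    ch = challenge(authz, ctype)
    if ch is None or ch.get("status") == "invalid":
        return "fail"
    # On a re-used authz this branch keeps waiting on a pending challenge.
    return "issue" if ch.get("status") == "valid" else "respond_and_poll"


def next_step(authz, ctype="http-01"):
    """Check the authorization status before touching any challenge."""
    status = authz.get("status", "pending")
    if status == "valid":
        return "issue"  # name already authorized: skip validation entirely
    if status != "pending":
        return "fail"   # e.g. invalid
    return naive_step(authz, ctype)


if __name__ == "__main__":
    for name, authz in (("reused", REUSED), ("fresh", FRESH)):
        print(name, "naive:", naive_step(authz), "checked:", next_step(authz))
```
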

