IPv6 renewal fails


#1

I have a certificate that I created that includes an IPv6 hostname. The renewal fails saying it could not connect to the IPv6 address for verification. I’ve tested the IPv6 hostname connectivity using ssllabs.com so I know the server is responding. Is this an issue on the letsencrypt.org end?

My domain is: soft1-v6.discoverypatterns.com

I ran this command: ./certbot-auto renew

It produced this output: Attempting to renew cert from /etc/letsencrypt/renewal/soft1.discoverypatterns.com.conf produced an unexpected error: Failed authorization procedure. soft1-v6.discoverypatterns.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to [2607:f0d0:1b02:33::4]:443 for tls-sni-01 challenge. Skipping.

My operating system is (include version): centos6.9

My web server is (include version): 2.2.15

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @solarfarmer,

This is the second report of outbound IPv6 validations failing I’ve seen this morning (here’s the other). I’m going to escalate with our operations team. Thanks for reporting.


#3

Thanks. BTW, I verified I have IPv6 connectivity inbound to LetsEncrypt:

% ping6 acme-v01.api.letsencrypt.org
PING acme-v01.api.letsencrypt.org(2600:1404:a:391::3d5) 56 data bytes
64 bytes from 2600:1404:a:391::3d5: icmp_seq=1 ttl=58 time=34.1 ms
64 bytes from 2600:1404:a:391::3d5: icmp_seq=2 ttl=58 time=34.1 ms


#4

Great, thanks. I suspect this is entirely on the outbound leg between our validation server and your host.


#5

The problem should be fixed now. Thanks again for reporting. Please let me know if you’re still having difficulties with IPv6-only authorizations.


#6

Confirmed Fixed! Thanks for the quick turnaround.

