I’m trying to renew a certificate, for aagl903w.fbxos.fr but the validation fails. The failure is related to the fact that Let’s encrypt prefers IPv6 against IPv4 when both records are present.
The domain has indeed an AAAA record, but the corresponding IPv6 address is not reachable. In fact, my connection doesn’t have any IPv6 support.
For example, running curl -v6 http://aagl903w.fbxos.fr
Immediate connect fail for 2a01:e35:87fa:8220::1: Network is unreachable
I suppose that it is a configuration error but unfortunately the DNS configuration is completely out of my control being fully managed by the ISP.
Is it possible to force an IPv4 validation. Or another alternative? It is not supposed to fallback on IPv4 in case of routing problems?
The certificate authority can’t tell that the person requesting a certificate at a particular moment is the same person who controls the domain name, except on the basis of what the DNS system says about the domain name.
I’m not sure that this represents a definitive summary of the view of the people running the server side, but I’ve tried to summarize this concern at
My suggestion is that allowing people requesting certificates to override what the DNS says about how control of the domain should be validated is opening the door to new attacks, if the attackers can control one kind of network route but not another.
I would suggest further attempts to persuade the ISP, or registering your own domain name so that you’re not reliant on the ISP’s DNS management.
Thanks a lot for your quick answer. Unfortunately it doesn’t help me too much.
The domain is correctly accessible on IPv4 and the validation process should automatically fallback in case of network unreachable - this is not a problem of a badly configured web server. There is an issue open on github, but it doesn’t have yet any resolution.
I understand that giving more options when issuing certificates may be considered as a potential security issue, but in the end, choosing one protocol against the other is a question of taste. When IPv6 can still be considered in infancy, the validation code should be smart enough and show a certain level of tolerance.
In my opinion, after reading a lot of questions around this aspect, since something that worked perfectly stopped to work, preferring IPv6 against IPv4 is bringing more trouble for no obvious advantage.
If your website advertises that it works over IPv6, but doesn’t work over IPv6, my phone will have trouble connecting or have to wait out a timeout to connect via IPv4, since my mobile carrier (along with many others) uses IPv6 now.
So, just leave Let’s Encrypt out of it and tell your ISP users are having trouble connecting to your website from T-Mobile USA and other wireless carriers due to their IPv6 misconfiguration. If they still don’t want to fix it given that concern you really ought to find another ISP.
Thanks a lot guys,
I spent some time with them on the phone. They acknowledged the problem, told me that it is fixed, but not… Eventually I switched to another domain that is completely under my control and it works perfectly.
Thanks a lot for your wonderful work.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.