IPv6 verification fails, no DNS


#1

I came here through Google and found another thread that says IPv6-only domains are supported as of July 2016. Still doesn’t work for me. All software from the Ubuntu repository is up to date.

My domain is:
a domain that is only available through IPv6 and has no A record, just AAAA

I ran this command:
letsencrypt certonly --webroot -n -w /var/www/certbot -d "$DOMAIN"
(domain hidden)

It produced this output:

Failed authorization procedure. $DOMAIN (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to $DOMAIN
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: $DOMAIN
   Type:   connection
   Detail: Could not connect to $DOMAIN

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My operating system is (include version):
Ubuntu Server 16.04

My web server is (include version):
Apache 2.x

My hosting provider, if applicable, is:
own server

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

It doesn’t say anything about a DNS error and without any actual data, there’s not much to debug.


#3

I was able to issue a certificate just now, though I was using the staging server. (Also probably a newer version of Certbot, but that probably doesn’t matter.)

Are you sure your server is working well?


#4

@dg9ngf, hopefully in the future we can get more specific error messages in this situation, but for the time being it will be hard to debug without knowing the real domain name and IPv6 address in question (for people to try their own resolver/connectivity experiments).

You can try using curl on another IPv6-connected machine to see if your machine appears to be reachable from its point of view (using HTTP on port 80, in this case, which is what the challenge type you’re using requires).


#5

Sorry, I was able to figure it out myself. My web server configuration was somehow wrong and it was listening on the wrong IPv6 address, not the one registered in the DNS record. I fixed that and then verification through the bot succeeded.
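
The mismatch described in post #5 (web server bound to a different IPv6 address than the one in the AAAA record) can be checked locally before requesting a certificate. The following is an added example, not part of the original thread: it assumes the text of `ss -6 -ltn` and the AAAA values from a DNS lookup are passed in, that the host terminates port 80 itself, and the function names and 2001:db8:: addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -6 -ltn` output: the web server is bound to ::10,
# while DNS (see the calls at the bottom) publishes ::20.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [2001:db8:0:1::10]:80 [::]:*
LISTEN 0 128 [2001:db8:0:1::10]:443 [::]:*
"""

def listeners(ss_output, port=80):
    """Return local IPv6 addresses bound to `port`; '*' means the wildcard."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, p = fields[3].rpartition(":")
        if p != str(port):
            continue
        addr = addr.strip("[]").split("%")[0]  # drop brackets and zone id
        if addr in ("*", "::"):
            found.add("*")  # with -6, both forms are the IPv6 wildcard
            continue
        try:
            found.add(ipaddress.ip_address(addr))
        except ValueError:
            pass  # unparseable address column, ignore the line
    return found

def unreachable_aaaa(aaaa_records, ss_output, port=80):
    """AAAA addresses that no local listener on `port` would answer."""
    bound = listeners(ss_output, port)
    if "*" in bound:
        return []
    # IPv6Address normalises the text form, so expanded and compressed
    # spellings of the same address compare equal.
    return [a for a in aaaa_records if ipaddress.IPv6Address(a) not in bound]

if __name__ == "__main__":
    for addr in unreachable_aaaa(["2001:db8:0:1::20"], SAMPLE_SS):
        print("no listener on port 80 for AAAA address", addr)
```

An empty result only shows that a local socket is bound to the published address; the curl test from another IPv6-connected machine suggested in post #4 is still what confirms reachability from outside.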

