Let's Encrypt trouble with IPv6 clients

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ai.mathemafix.com

My web server is (include version): apache2 and only ipv4 is used with Apache even though the server has ipv6 turned on.

The operating system my web server runs on is (include version): centos 7

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes

If a client device uses ipv4 to connect to a wifi router, everything is fine. If it uses ipv6 to connect to a wifi router, the https connection will fail completely. The normal http connection works. To get https to work, I have to disable ipv6 on the client device to force it to use ipv4. However, even with a wifi connection using ipv6, my other websites using Letsencrypt certificates continue to work. These websites are hosted somewhere else. It is very confusing.

Is there a way to get things to work without disabling ipv6?

Hi @dmaivn, and welcome to the LE community forum :)

Enable, and support, IPv6 on your web server OR remove the AAAA address from your DNS zone.

The "problem" starts here:

And as with all things Apache on this forum, you should also review the output of:
```
sudo apachectl -t -D DUMP_VHOSTS
```
[if you don't know how, just post that output here]


Just adding info to what @rg305 said. Your IPv4/6 config responds differently not only between 4 and 6 but also port 80 and 443. Maybe this helps identify where your network config problems are.

```
# Reasonable 301 redirect HTTP with IPv4
curl -I4 http://ai.mathemafix.com
HTTP/1.1 301 Moved Permanently
Date: Thu, 01 Feb 2024 13:57:51 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/8.2.13
Location: https://ai.mathemafix.com/
Content-Type: text/html; charset=iso-8859-1

# Same HTTP fails 403 with IPv6
# But looks to reach the same server based on the headers
curl -I6 http://ai.mathemafix.com
HTTP/1.1 403 Forbidden
Date: Thu, 01 Feb 2024 13:57:55 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/8.2.13
X-Powered-By: PHP/8.2.13
Content-Length: 4897
Content-Type: text/html; charset=ISO-8859-1

# HTTPS with IPv4 seems fine
curl -I4 https://ai.mathemafix.com
HTTP/1.1 200 OK
Date: Thu, 01 Feb 2024 14:04:48 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/8.2.13
X-Powered-By: PHP/8.2.13
Content-Type: text/html; charset=ISO-8859-1

# HTTPS w/IPv6 fails horribly (and not same way as HTTP)
curl -I6 https://ai.mathemafix.com
curl: (35) error:0A00010B:SSL routines::wrong version number
```

This is what I see...

```
Issuer: C = US, O = Let's Encrypt, CN = R3
Not Before: Jan 31 09:51:10 2024 GMT
Not After : Apr 30 09:51:09 2024 GMT
Subject: CN = ai.mathemafix.com
```
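
Added example, not part of any post in this thread: the `wrong version number` that curl printed for the IPv6 HTTPS request is what an OpenSSL client reports when the first bytes it gets back do not parse as a TLS record, which is what plain HTTP answered on port 443 looks like. The Python sketch below reproduces that offline with constructed replies and includes a `probe` helper for comparing address families on a live host; the function names and sample bytes are assumptions made for this example.

```python
import socket
import ssl
import sys

def start_client(host):
    """Return (tls, incoming, client_hello) for an in-memory TLS client."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()  # nothing received yet: this only queues the ClientHello
    except ssl.SSLWantReadError:
        pass
    return tls, incoming, outgoing.read()

def classify_reply(reply, client=None, host="example.test"):
    """Feed the peer's first bytes to the TLS client and name the outcome."""
    if not reply:
        return "no-data"
    tls, incoming, _hello = client or start_client(host)
    incoming.write(reply)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        return "tls"  # well-formed TLS records; the handshake just needs more data
    except ssl.SSLError as exc:
        return exc.reason or "ssl-error"  # OpenSSL reason, e.g. WRONG_VERSION_NUMBER
    return "tls"

def probe(host, family, port=443, timeout=5.0):
    """Live check: send a ClientHello over one address family, classify the reply."""
    client = start_client(host)
    addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(addr)
        sock.sendall(client[2])
        return classify_reply(sock.recv(16384), client)

# Constructed sample replies, not captured from the server in this thread.
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
TLS_ALERT_REPLY = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])  # fatal alert record

if __name__ == "__main__" and len(sys.argv) > 1:  # live probe of the given hostname
    for name, family in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        try:
            print(name, probe(sys.argv[1], family))
        except OSError as exc:
            print(name, "connection failed:", exc)
```

Run with a hostname as the only argument, it prints one outcome per address family; different outcomes for the same name point at the per-family listener configuration on the server.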

Thanks! I have decided to disable ipv6 on the server and deleted the ipv6 DNS record AAAA. The problem seems to have gone.

So, in summary, the problem is due to ipv6 being enabled and the clients attempting to use ipv6 instead of ipv4 to connect to the server.

By default, my VPS host provider enables ipv6. That caused Gmail to connect using ipv6 and for that to work, I have to add an AAAA DNS record and set up other things. And that affects my ipv4 web service when the clients also have ipv6 enabled by default after they get new routers (old ones do not have ipv6 enabled). Now that I have disabled ipv6 on my server, Gmail also stops using ipv6. So, everything is on ipv4 and everything works.

So, the lesson I get from this is that one must disable ipv6 if one is not willing to do extra work to provide all services on ipv6 as well as on ipv4. That will stop the unexpected troubles when your clients suddenly ask for ipv6.

