"No valid IP address" error on IPv6 only host (6to4) for tls-sni-01 (standalone)

Hi

< I have redacted the domain I am using with placeholder XXX.tld >

I am using certbot 0.19.0 in standalone on Debian Stretch

certbot certonly --force-renewal --standalone --expand -d www.XXX.tld -d ipv6.XXX.tld …

where ipv6.XXX.tld is a IPv6 only host (6to4 address).
All of the other domains have IPv4 adress only (all domains the same one, they are CNAMEs).

However I got

Failed authorization procedure. ipv6.XXX.tld (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for ipv6.XXX.tld

There is no other server running (I use --pre-hook “systemctl stop nginx” --post-hook “systemctl start nginx”)
When the nginx is running I can reach ipv6.XXX.tld without any problems (from IPv6 enabled hosts).

I have root access to the machine and can present logs but I didn’t find anything useful in them.

Running post-hook command: systemctl start nginx
Failed authorization procedure. ipv6.XXX.tld (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for ipv6.XXX.tld

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ipv6.XXX.tld
   Type:   unknownHost
   Detail: No valid IP addresses found for ipv6.XXX.tld

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

That is bad, you are hiding relevant information.
By the way: --force-renewal should not be used in most cases.

2 Likes

This might be sort of my fault. Because 6to4 hosts don’t have “real” IPv6 routing it’s harder to be confident of the path chosen to reach them and avoid scenarios where that’s more likely to be an attacker. So I recommended Let’s Encrypt reject 6to4 addresses or implement their own 6to4 endpoint. I think they took the former option.

As a result of that the 6to4 address isn’t accepted. Sorry.

(If I’m wrong I’m sure a LE person will be adding to say so shortly)

1 Like

I don’t know if that’s right, but if it is, @martin1 can potentially still use the DNS-01 challenge method to get a certificate for this host.

Without the domain name in question I can’t say much with certainty.

@tialaramex’s answer rings a bell (Thanks!), but looking at the Boulder code I think the only codepath that returns the specific “No valid IP address” error happens before any explicit policy is applied. E.g. it seems to only happen in the case when there was no IPv4 or IPv6 address found.

I might be overlooking something. If you provide the domain name you’re receiving this error for I can try to ascertain the cause with more certainty :slight_smile:

Yep, @tialaramex is correct: We will not connect to 6to4 addresses for validation: https://github.com/letsencrypt/boulder/blob/master/bdns/dns.go#L137-L141.

1 Like

@jsha and @tialaramex were right, and I'm wrong :smiley: The addresses are filtered by some policy decisions before we count them and so a response with only private network addresses would provoke this "No valid IP addresses" error.

Thank you guys. Great support.

I will add IPv4 address for my IPv6 only host, run certbot renew and then remove IPv4 address again.
This is more convenient for me than dns-01.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.