Old style certbot but can't find server by ipv6 addr supplied

So I have been notified via email that at least one of my servers is using a too-old version of certbot or whatever. That’s fine, I’ll be happy to update… but…

They sent me an IPv6 address. I don’t use them. I can’t figure out which of a couple hundred servers it might be. How do I do this? host -6 failed with "no servers could be reached".

How can I request that Let’s Encrypt send me the IPv4 address of this? Of course, the email is a noreply bot, so…


The IPv6 address listed would be the outgoing IP address that your ACME client used to connect to the Let’s Encrypt API server.

They wouldn’t know what the associated IPv4 address is - there’s no natural relationship between IPv4 and IPv6 addresses.

Does the IPv6 subnet give you any clue about where it might be hosted? Narrow it down to a specific ISP, datacentre, etc?

Edit: some similar feedback has already been submitted relating to difficulty attributing IPv6 addresses to individual machines - you might want to leave your vote there as well.


Does host -6 do what you want with your host implementation? Try using just host instead of host -6. With some, it's about what protocol is used for transporting your DNS queries, not about whether you're trying to look up the PTR for an IPv4 or IPv6 IP.

host <ipv6 addr>
Host 4.6.2.2.8.3.e.f.f.f.9.b.6.2.2.0.1.4.2.1.0.0.3.1.0.2.7.f.7.0.6.2.ip6.arpa not found: 3(NXDOMAIN)

and

host -6 <ipv6 addr>
;; connection timed out; no servers could be reached

The thing that kinda kills me is that Let’s Encrypt does domains… so why not list the domain?! Why this IPv6 skullduggery… I have IPv4 addresses for all my servers.

The IPv6 addr shown belongs to:
University of California, San Diego

Yeah, you wanna guess how many servers there are at UCSD?

I’d rather guess how many systems at UCSD have access to that one real IPv6 address.
Or how many NATs hide behind that one IPv6 address…
Or where I could find the logs that show which specific system actually used that IPv6 address…

But why guess? Isn’t that something you already know?
[or someone you already know who has those answers]

If NOT, then you should probably acquaint yourself with those persons and ask them the right questions.

This is not a helpful reply. UCSD is large, has multiple domains, multiple dns servers for multiple subnets and many different systems administrators going down to thousands of individual servers. Figuring out that the top domain was ucsd.edu narrows it down not at all.

I need to figure out how to find out which system this is. The automated message should at least include the domain name in question. I have yet to locate which server this might be, among the multiple servers I myself have installed Let’s Encrypt on. Each server has its own FQDN, which is why specifying that in the email would be very helpful to people in my boat (and I see I am not the only one asking for that).

Just dump the cert info via openssl x509 -in .pem -text or something.

Thank you.

I am not disagreeing with you that the email could be “more helpful”.
[and I don’t know why they don’t include such information]

I can say that someone else could have the same problem if only an FQDN was provided.
[when that name is used in multiple systems - i.e. WildCard certs]

And that an IPv6 address is a very [very] unique thing.
If you can’t find that needle in that haystack, you aren’t really “looking”.
[Your campus network team should be able to tell you exactly “where” that IP resides.]
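An added example, not part of this thread and not anything Let’s Encrypt or certbot ship: a POSIX sh + awk script that does by hand what the `host` lookup above does behind the scenes (normalising the address and building the ip6.arpa PTR name, the same shape as the name in the NXDOMAIN output earlier in the thread), and then does the part nobody else can do for you, matching the address quoted in the notice against an inventory of your own servers’ global IPv6 addresses, which is how you find that needle in the haystack. The hostnames, the inventory and the 2001:db8::/32 addresses are constructed for the example (documentation prefix, not real hosts); addresses with an IPv4-mapped tail or a %zone suffix are deliberately rejected rather than handled.

```shell
#!/bin/sh
# Added example (not from this thread). Pure POSIX sh + awk, no network needed.
#
# ipv6_expand:        normalise an IPv6 address ("::" compression, mixed case,
#                     short groups) to 32 lowercase hex nibbles so that two
#                     spellings of one address compare equal.
# ipv6_to_arpa:       build the ip6.arpa name that `host` / `dig -x` query.
# find_host_for_ipv6: match the address from the notice against an inventory.
# Limitations: no IPv4-mapped suffix (::ffff:1.2.3.4) and no %zone suffix.

ipv6_expand() {
  printf '%s\n' "$1" | awk '
    function pad(g) { while (length(g) < 4) g = "0" g; return g }
    function ok(g)  { return (g ~ /^[0-9a-f]+$/ && length(g) <= 4) }
    {
      a = tolower($0)
      p = index(a, "::")
      if (p == 0) { left = a; right = ""; gap = 0 }
      else        { left = substr(a, 1, p - 1); right = substr(a, p + 2); gap = 1 }
      nl = (left  == "") ? 0 : split(left,  L, ":")
      nr = (right == "") ? 0 : split(right, R, ":")
      # "::" must stand for at least one group; without it exactly 8 are needed
      if ((gap && nl + nr > 7) || (!gap && nl != 8)) exit 1
      out = ""
      for (i = 1; i <= nl; i++) { if (!ok(L[i])) exit 1; out = out pad(L[i]) }
      for (i = nl + nr; i < 8; i++) out = out "0000"      # groups hidden by "::"
      for (i = 1; i <= nr; i++) { if (!ok(R[i])) exit 1; out = out pad(R[i]) }
      print out
    }'
}

# Nibbles reversed, dot-separated, under ip6.arpa (RFC 3596 reverse mapping).
# Feed the result to `host -t PTR <name>`; an NXDOMAIN like the one in the
# thread means nobody published a PTR for it, not that the address is wrong.
ipv6_to_arpa() {
  hex=$(ipv6_expand "$1") || return 1
  printf '%s\n' "$hex" | awk '{
    for (i = length($0); i >= 1; i--) printf "%s.", substr($0, i, 1)
    print "ip6.arpa"
  }'
}

# Constructed inventory (hypothetical hosts, RFC 3849 documentation prefix):
# one "hostname address" line per global IPv6 address, as collected with
# `ip -6 addr show scope global` on each box or from a config-management DB.
INVENTORY='web1.example.edu  2001:db8:1234:5678:9abc:def0:1:2
web2.example.edu  2001:db8:1234:5678::dead:beef
mail.example.edu  2001:DB8:1234:5678:0:0:0:10'

# $1 = address quoted in the notice; inventory on stdin.
# Prints the owning hostname and returns 0; 1 if no host owns it; 2 if $1 is malformed.
find_host_for_ipv6() {
  want=$(ipv6_expand "$1") || return 2
  while read -r name addr; do
    [ -n "$name" ] || continue
    have=$(ipv6_expand "$addr" 2>/dev/null) || continue   # skip unparsable rows
    if [ "$have" = "$want" ]; then
      printf '%s\n' "$name"
      return 0
    fi
  done
  return 1
}

# Usage: the address as a notice might print it (fully expanded, zero-padded).
NOTICE_ADDR='2001:0db8:1234:5678:0000:0000:0000:0010'
echo "PTR name: $(ipv6_to_arpa "$NOTICE_ADDR")"
echo "Owner:    $(printf '%s\n' "$INVENTORY" | find_host_for_ipv6 "$NOTICE_ADDR")"
```

The normalisation step is the whole point: a notice, a `ip -6 addr` listing and a DNS zone file will each spell the same address differently (zero-padded, "::"-compressed, upper or lower case), so comparing raw strings silently misses the match. Once the script names a host, that host’s ACME client logs and its certificate files are where to confirm it.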

Hi @karoshi

A simple trace / traceroute should be enough to find an IPv6 address.

IPv4 with NAT -> impossible.

IPv6 - no NAT -> simple.

PS: If the IPv6 address doesn't answer, the local part may be expired. So check the first part.
