Ruby acme-client 0.5.0 - Some Certificates Do Not Renew Due to IPV6 Domains

jcordoba · May 29, 2017, 10:26am

Hello,

I am the backend developer of the hosting team in CDmon and we make possible for our clients to install Let’s Encrypt certificates from our self-made Control Panel. We use ruby and acme-client 0.5.0 version.

We already have around 4000 certificates requested successfully but we have one with some difficults…

Please fill out the fields below so we can help you better.

My domain is: www.nutshot.es

I ran this command:

https://acme-v01.api.letsencrypt.org/acme/challenge/lNT4e8EC4xUD-dCd9iJmLaUFU6_jpk50mIq1uMXr_C4/1244940526

It produced this output:

{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Could not connect to www.nutshot.es",
    "status": 400
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/lNT4e8EC4xUD-dCd9iJmLaUFU6_jpk50mIq1uMXr_C4/1244940526",
  "token": "JWnjGtAkWE8XrUzpRGRYEvE4GUh_DXIZZ-eQiLcw5V0",
  "keyAuthorization": "JWnjGtAkWE8XrUzpRGRYEvE4GUh_DXIZZ-eQiLcw5V0.8ClS42WKv8sX1-UgEXCanJyp4Kt7TT01yLNUphtIpBY",
  "validationRecord": [
    {
      "url": "http://www.nutshot.es/.well-known/acme-challenge/JWnjGtAkWE8XrUzpRGRYEvE4GUh_DXIZZ-eQiLcw5V0",
      "hostname": "www.nutshot.es",
      "port": "80",
      "addressesResolved": [
        "134.0.14.130",
        "2001:8d8:100f:f000::2"
      ],
      "addressUsed": "2001:8d8:100f:f000::2",
      "addressesTried": []
    }
  ]
}

But if you access to the .well-known path you can see the content:

http://www.nutshot.es/.well-known/acme-challenge/JWnjGtAkWE8XrUzpRGRYEvE4GUh_DXIZZ-eQiLcw5V0

It is true that my client has an .htaccess file but it is avoided in the moment of requeting the let’s encrypt certificate.

My web server is (include version):

Apache/2.2.22 (Debian)

The operating system my web server runs on is (include version):

Debian 7

My hosting provider, if applicable, is:

CDmon

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

My question is: why the response says that cannot access to www.nutshot.es when it is not true??

Thank a lot!

sahsanu · May 29, 2017, 12:11pm

Hola @jcordoba,

Indeed, it is true ;). The problem is that www.nutshot.es has 2 DNS records, one for A (IPv4) and one for AAAA (IPv6):

$ dig www.nutshot.es +short
134.0.14.130

$ dig www.nutshot.es aaaa +short
2001:8d8:100f:f000::2

In the log that you posted, you can see how Let's Encrypt is using the ipv6 address:

"addressesResolved": [
"134.0.14.130",
"2001:8d8:100f:f000::2"
],
"addressUsed": "2001:8d8:100f:f000::2",

Since a couple of weeks, Let's Encrypt will prefer to use IPv6 instead of IPv4 if both records are available but the web server is only configured to use IPv4.

Connecting to domain using IPv6:

$ curl -IkL6 www.nutshot.es
curl: (7) Failed to connect to www.nutshot.es port 80: Connection timed out

Connecting to domain using IPv4:

$ curl -IkL4 www.nutshot.es
HTTP/1.1 301 Moved Permanently
Date: Mon, 29 May 2017 12:05:24 GMT
Server: Apache
Location: http://nutshot.es/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: es

HTTP/1.1 200 OK
Date: Mon, 29 May 2017 12:05:25 GMT
Server: Apache
Link: <http://nutshot.es/wp-json/>; rel="https://api.w.org/"
Link: <http://nutshot.es/>; rel=shortlink
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: es

So, or you configure the web server to accept request for the IPv6 address of domain www.nutshot.es or remove the AAAA record for www.nutshot.es.

Edit: Let's Encrypt uses a fallback to ipv4 when it can't use the ipv6 address but don't know what are the circumstances that could trigger this fallback, maybe @jsha could explain how this fallback works from their side.

Un saludo,
sahsanu
:

jcordoba · May 29, 2017, 1:36pm

Thank you very very much @sahsanu !

Your answer helped me a lot! I can explain my client the issue. And I have more work to do.

Thanks a lot again, un saludo!

jsha · May 30, 2017, 6:43pm

Thanks for the extra info! Based on the authorization object pasted, I’ve added detail to https://github.com/letsencrypt/boulder/issues/2770.

system · June 29, 2017, 6:44pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't access acme-v02.api.letsencrypt.org over IPv6 Help	24	1476	January 6, 2023
Unable to issue SSL Help	8	7451	March 5, 2019
Invalid response from http://zab.ordana.net/.well-known/acme-challenge/YJXtpoqNspEIpHpa7kDLz-JmP_FHqaUJTaJFpNGprqo: 400 Help	9	461	September 10, 2022
Can't Renew Certificate Help	10	1301	July 2, 2021
Problem renewing certificate (OpenBSD 6.7, httpd + acme-client) Help	3	740	April 8, 2021

Ruby acme-client 0.5.0 - Some Certificates Do Not Renew Due to IPV6 Domains

Related topics