Ruby acme-client 0.5.0 - Some Certificates Do Not Renew Due to IPV6 Domains

Hello,

I am the backend developer of the hosting team at CDmon, and we make it possible for our clients to install Let’s Encrypt certificates from our self-made Control Panel. We use Ruby and acme-client version 0.5.0.

We already have around 4000 certificates requested successfully, but we have one with some difficulties…

Please fill out the fields below so we can help you better.

My domain is: www.nutshot.es

I ran this command:

https://acme-v01.api.letsencrypt.org/acme/challenge/lNT4e8EC4xUD-dCd9iJmLaUFU6_jpk50mIq1uMXr_C4/1244940526

It produced this output:

{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Could not connect to www.nutshot.es",
    "status": 400
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/lNT4e8EC4xUD-dCd9iJmLaUFU6_jpk50mIq1uMXr_C4/1244940526",
  "token": "JWnjGtAkWE8XrUzpRGRYEvE4GUh_DXIZZ-eQiLcw5V0",
  "keyAuthorization": "JWnjGtAkWE8XrUzpRGRYEvE4GUh_DXIZZ-eQiLcw5V0.8ClS42WKv8sX1-UgEXCanJyp4Kt7TT01yLNUphtIpBY",
  "validationRecord": [
    {
      "url": "http://www.nutshot.es/.well-known/acme-challenge/JWnjGtAkWE8XrUzpRGRYEvE4GUh_DXIZZ-eQiLcw5V0",
      "hostname": "www.nutshot.es",
      "port": "80",
      "addressesResolved": [
        "134.0.14.130",
        "2001:8d8:100f:f000::2"
      ],
      "addressUsed": "2001:8d8:100f:f000::2",
      "addressesTried": []
    }
  ]
}

But if you access the .well-known path you can see the content:

http://www.nutshot.es/.well-known/acme-challenge/JWnjGtAkWE8XrUzpRGRYEvE4GUh_DXIZZ-eQiLcw5V0

It is true that my client has an .htaccess file, but it is avoided at the moment of requesting the Let’s Encrypt certificate.

My web server is (include version):

Apache/2.2.22 (Debian)

The operating system my web server runs on is (include version):

Debian 7

My hosting provider, if applicable, is:

CDmon

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

My question is: why does the response say that it cannot access www.nutshot.es when that is not true??

Thanks a lot!

Hello @jcordoba,

Indeed, it is true ;). The problem is that www.nutshot.es has 2 DNS records, one for A (IPv4) and one for AAAA (IPv6):

$ dig www.nutshot.es +short
134.0.14.130

$ dig www.nutshot.es aaaa +short
2001:8d8:100f:f000::2

In the log that you posted, you can see how Let’s Encrypt is using the IPv6 address:

      "addressesResolved": [
        "134.0.14.130",
        "2001:8d8:100f:f000::2"
      ],
      "addressUsed": "2001:8d8:100f:f000::2",

For a couple of weeks now, Let’s Encrypt has preferred to use IPv6 instead of IPv4 if both records are available, but the web server is only configured to use IPv4.

Connecting to domain using IPv6:

$ curl -IkL6 www.nutshot.es
curl: (7) Failed to connect to www.nutshot.es port 80: Connection timed out 

Connecting to domain using IPv4:

$ curl -IkL4 www.nutshot.es
HTTP/1.1 301 Moved Permanently
Date: Mon, 29 May 2017 12:05:24 GMT
Server: Apache
Location: http://nutshot.es/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: es

HTTP/1.1 200 OK
Date: Mon, 29 May 2017 12:05:25 GMT
Server: Apache
Link: <http://nutshot.es/wp-json/>; rel="https://api.w.org/"
Link: <http://nutshot.es/>; rel=shortlink
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: es

So, either you configure the web server to accept requests on the IPv6 address of the domain www.nutshot.es, or you remove the AAAA record for www.nutshot.es.

Edit: Let’s Encrypt uses a fallback to IPv4 when it can’t use the IPv6 address, but I don’t know what circumstances could trigger this fallback; maybe @jsha could explain how this fallback works from their side.

Regards,
sahsanu
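
A pre-flight check for the situation described in the answer above, as an added example that is not part of the original thread or of acme-client: before asking for http-01 validation, it resolves the A and AAAA records and probes port 80 on every published address. The names `http01_preflight`, `DNS_LOOKUP` and `TCP_PROBE` are hypothetical, and the demo at the bottom uses constructed stubs with the addresses from this thread so it runs offline.

```ruby
require 'resolv'
require 'socket'

# Default lookup: A and AAAA records via the system's DNS configuration.
DNS_LOOKUP = lambda do |host|
  Resolv::DNS.open do |dns|
    a    = dns.getresources(host, Resolv::DNS::Resource::IN::A)
    aaaa = dns.getresources(host, Resolv::DNS::Resource::IN::AAAA)
    { ipv4: a.map { |r| r.address.to_s }, ipv6: aaaa.map { |r| r.address.to_s } }
  end
end

# Default probe: plain TCP connect to port 80 on one literal address.
TCP_PROBE = lambda do |addr|
  begin
    Socket.tcp(addr, 80, connect_timeout: 5) { true }
  rescue SystemCallError, SocketError
    false
  end
end

# Hypothetical helper: probes every published address, because the validation
# server may pick the AAAA address and the IPv4 fallback cannot be relied on.
def http01_preflight(host, lookup: DNS_LOOKUP, probe: TCP_PROBE)
  addrs   = lookup.call(host)
  reach   = (addrs[:ipv4] + addrs[:ipv6]).to_h { |ip| [ip, probe.call(ip)] }
  dead_v6 = addrs[:ipv6].reject { |ip| reach[ip] }
  dead_v4 = addrs[:ipv4].reject { |ip| reach[ip] }
  verdict =
    if reach.empty?    then :no_addresses
    elsif dead_v6.any? then :aaaa_unreachable # the failure seen in this thread
    elsif dead_v4.any? then :a_unreachable
    else :ok
    end
  { host: host, verdict: verdict, unreachable: dead_v6 + dead_v4 }
end

# Constructed stubs reproducing the thread: both records exist, only IPv4 answers.
stub_lookup = ->(_host) { { ipv4: ['134.0.14.130'], ipv6: ['2001:8d8:100f:f000::2'] } }
stub_probe  = ->(ip) { !ip.include?(':') }
result = http01_preflight('www.nutshot.es', lookup: stub_lookup, probe: stub_probe)
puts "#{result[:host]}: #{result[:verdict]} #{result[:unreachable].inspect}"
```

Called without the `lookup:` and `probe:` arguments it performs real DNS queries and TCP connects, so a domain whose verdict is not `:ok` can be held back before the challenge is submitted.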

Thank you very very much @sahsanu !

Your answer helped me a lot! I can explain the issue to my client. And I have more work to do.

Thanks a lot again, regards!

Thanks for the extra info! Based on the authorization object pasted, I’ve added detail to https://github.com/letsencrypt/boulder/issues/2770.
