Ruby acme-client 0.5.0 - Some Certificates Do Not Renew Due to IPV6 Domains


I am the backend developer of the hosting team in CDmon and we make it possible for our clients to install Let’s Encrypt certificates from our self-made Control Panel. We use Ruby and acme-client version 0.5.0.

We already have around 4000 certificates requested successfully but we have one with some difficulties…

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

It produced this output:

  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Could not connect to",
    "status": 400
  "uri": "",
  "token": "JWnjGtAkWE8XrUzpRGRYEvE4GUh_DXIZZ-eQiLcw5V0",
  "keyAuthorization": "JWnjGtAkWE8XrUzpRGRYEvE4GUh_DXIZZ-eQiLcw5V0.8ClS42WKv8sX1-UgEXCanJyp4Kt7TT01yLNUphtIpBY",
  "validationRecord": [
      "url": "",
      "hostname": "",
      "port": "80",
      "addressesResolved": [
      "addressUsed": "2001:8d8:100f:f000::2",
      "addressesTried": []

But if you access the .well-known path you can see the content:

It is true that my client has an .htaccess file but it is avoided at the moment of requesting the Let’s Encrypt certificate.

My web server is (include version):

Apache/2.2.22 (Debian)

The operating system my web server runs on is (include version):

Debian 7

My hosting provider, if applicable, is:


I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

My question is: why the response says that cannot access to when it is not true??

Thanks a lot!

Hello @jcordoba,

Indeed, it is true ;). The problem is that has 2 DNS records, one for A (IPv4) and one for AAAA (IPv6):

$ dig +short

$ dig aaaa +short

In the log that you posted, you can see how Let’s Encrypt is using the ipv6 address:

"addressesResolved": [
"addressUsed": "2001:8d8:100f:f000::2",

For a couple of weeks now, Let’s Encrypt has preferred to use IPv6 instead of IPv4 if both records are available, but the web server is only configured to use IPv4.

Connecting to domain using IPv6:

$ curl -IkL6
curl: (7) Failed to connect to port 80: Connection timed out 

Connecting to domain using IPv4:

$ curl -IkL4
HTTP/1.1 301 Moved Permanently
Date: Mon, 29 May 2017 12:05:24 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: es

HTTP/1.1 200 OK
Date: Mon, 29 May 2017 12:05:25 GMT
Server: Apache
Link: <>; rel=""
Link: <>; rel=shortlink
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Language: es

So, either you configure the web server to accept requests for the IPv6 address of the domain or remove the AAAA record for

Edit: Let’s Encrypt uses a fallback to IPv4 when it can’t use the IPv6 address, but I don’t know what the circumstances are that could trigger this fallback; maybe @jsha could explain how this fallback works from their side.

Regards,
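
A pre-flight check for the failure diagnosed in this answer, as an added example (not code from the thread or from acme-client): it resolves both record types and probes port 80 on every published address before an http-01 order is placed. The function names, `example.test` and the documentation-range addresses are assumptions made for the illustration.

```ruby
require "resolv"
require "socket"

# Look up the A and AAAA records a validation server would see for +host+.
def resolve_families(host, resolver: Resolv::DNS.new)
  types = { ipv4: Resolv::DNS::Resource::IN::A, ipv6: Resolv::DNS::Resource::IN::AAAA }
  types.transform_values { |t| resolver.getresources(host, t).map { |r| r.address.to_s } }
end

# True when a TCP connection to address:port completes within the timeout.
def port_open?(address, port: 80, timeout: 5)
  Socket.tcp(address, port, connect_timeout: timeout) { true }
rescue SystemCallError, SocketError, IOError
  false
end

# Probe every published address. Any address that does not answer on port 80
# can fail http-01; an unreachable AAAA is the case from this thread.
# resolve/probe are injectable (hypothetical hooks) so the check runs offline.
def http01_preflight(host, resolve: method(:resolve_families), probe: method(:port_open?))
  reachable = resolve.call(host).transform_values do |addresses|
    addresses.to_h { |address| [address, probe.call(address)] }
  end
  problems = reachable.flat_map do |family, results|
    record = family == :ipv6 ? "AAAA" : "A"
    results.reject { |_, ok| ok }.keys.map { |a| "#{record} #{a} refuses or times out on port 80" }
  end
  problems << "no A or AAAA record found" if reachable.values.all?(&:empty?)
  { host: host, reachable: reachable, problems: problems, ok: problems.empty? }
end

if __FILE__ == $PROGRAM_NAME
  if ARGV[0]
    report = http01_preflight(ARGV[0]) # live DNS and TCP check
  else
    # Constructed sample: documentation addresses, no IPv6 listener.
    dns = ->(_host) { { ipv4: ["192.0.2.10"], ipv6: ["2001:db8::2"] } }
    tcp = ->(address) { address == "192.0.2.10" }
    report = http01_preflight("example.test", resolve: dns, probe: tcp)
  end
  puts(report[:ok] ? "#{report[:host]}: every published address answers on port 80" : report[:problems])
end
```

Run it from a host outside the hosting network with the domain as the first argument; a machine without IPv6 connectivity will report every AAAA address as unreachable regardless of the server's configuration.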

Thank you very very much @sahsanu!

Your answer helped me a lot! I can explain the issue to my client. And I have more work to do.

Thanks a lot again, regards!


Thanks for the extra info! Based on the authorization object pasted, I’ve added detail to
