Server with IPv6 AAAA record only

I cannot create a Letsencrypt certificate for a server with an IPv6 address only.

Hello @japs,

Let's Encrypt supports IPv6, indeed if IPv6 and IPv4 are available for a domain, Let's Encrypt will prefer IPv6.

I'm moving your post to the Help category instead of Feature Requests, so please answer the questions in the form below so the community can help with your current problem.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


1 Like

[root@s20 japs]# cat /var/log/letsencrypt/letsencrypt.log
2021-03-08 15:53:49,194:DEBUG:urllib3.connectionpool:http://localhost:None
"GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-03-08 15:53:49,428:DEBUG:certbot._internal.main:certbot version: 1.13.0
2021-03-08 15:53:49,429:DEBUG:certbot._internal.main:Location of certbot
entry point: /snap/certbot/1042/bin/certbot
2021-03-08 15:53:49,429:DEBUG:certbot._internal.main:Arguments:
['--standalone', '--preconfigured-renewal']
2021-03-08 15:53:49,429:DEBUG:certbot._internal.main:Discovered plugins:
PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-03-08 15:53:49,444:DEBUG:certbot._internal.log:Root logging level set
at 20
2021-03-08 15:53:49,445:INFO:certbot._internal.log:Saving debug log to
/var/log/letsencrypt/letsencrypt.log
2021-03-08
15:53:49,446:DEBUG:certbot._internal.plugins.selection:Requested
authenticator standalone and installer None
2021-03-08 15:53:49,449:DEBUG:certbot._internal.plugins.selection:Single
candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
Initialized: <certbot._internal.plugins.standalone.Authenticator object at
0x7f38cd2215b0>
Prep: True
2021-03-08 15:53:49,450:DEBUG:certbot._internal.plugins.selection:Selected
authenticator <certbot._internal.plugins.standalone.Authenticator object
at 0x7f38cd2215b0> and installer None
2021-03-08 15:53:49,450:INFO:certbot._internal.plugins.selection:Plugins
selected: Authenticator standalone, Installer None
2021-03-08 15:54:00,981:DEBUG:acme.client:Sending GET request to
https://acme-v02.api.letsencrypt.org/directory.
2021-03-08 15:54:00,983:DEBUG:urllib3.connectionpool:Starting new HTTPS
connection (1): acme-v02.api.letsencrypt.org:443
2021-03-08
15:54:01,687:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443
"GET /directory HTTP/1.1" 200 658
2021-03-08 15:54:01,687:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "BKMXvCZryNk":
"https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService":
"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-03-08 15:54:05,809:DEBUG:acme.client:Requesting fresh nonce
2021-03-08 15:54:05,809:DEBUG:acme.client:Sending HEAD request to
https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-03-08
15:54:05,973:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443
"HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-03-08 15:54:05,974:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0003w31hJzmFvbmYwjLHq4M-MPPH2G2ci2W8L31qtRw91Qg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-03-08 15:54:05,974:DEBUG:acme.client:Storing nonce:
0003w31hJzmFvbmYwjLHq4M-MPPH2G2ci2W8L31qtRw91Qg
2021-03-08 15:54:05,974:DEBUG:acme.client:JWS payload:
b'{\n  "contact": [\n    "mailto:hostmaster@bistruphave.dk"\n  ],\n 
"termsOfServiceAgreed": true\n}'
2021-03-08 15:54:05,976:DEBUG:acme.client:Sending POST request to
https://acme-v02.api.letsencrypt.org/acme/new-acct:
{
  "protected":
"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",
  "signature":
"xpEUT8z1gMR0cr_bauGNKOptmC7mAHMQXPh_0rADNPCXbdYDLG0t7tvapycWKmAiDRsUjQF-2oumyAJD-66DrLmxo7x4nqBgCgtGdjLMRVHfw3bSi0pYRboS-YKsquhYYtWtSuU-5tCkVezpob8tCy6Mc7w2dBt1o1p7X8VTRzydJOxsl8Mx7-TnN2fXt4P0zARcko4YPQTni8EW6j5I4Rj5PM694S7Fvz-eo0BlevWnwDe25jROHkOnY4kckJLBzD_JcTXDllcreCHJxs9MdLPpzzVgw3HEnE5fASgvbexUutLdCRbFTPHTuHqNHHVZOALiXP5jvYn4wxotT8u3sg",
  "payload":
"ewogICJjb250YWN0IjogWwogICAgIm1haWx0bzpob3N0bWFzdGVyQGJpc3RydXBoYXZlLmRrIgogIF0sCiAgInRlcm1zT2ZTZXJ2aWNlQWdyZWVkIjogdHJ1ZQp9"
}
2021-03-08
15:54:06,152:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443
"POST /acme/new-acct HTTP/1.1" 201 577
2021-03-08 15:54:06,152:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 577
Connection: keep-alive
Boulder-Requester: 115029268
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index",
<https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel="terms-of-service"
Location: https://acme-v02.api.letsencrypt.org/acme/acct/115029268
Replay-Nonce: 000339iPodVGGMLfhwxTWmgnSsjbg0fO7hMP2dpkml82fKY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "key": {
    "kty": "RSA",
    "n":
"4vOKJXB-fjjJnX1XRsr5_vz2ipOHpg76zKq7D4n-HpLwpHxOP6CfCVoGyweO9JxZzUg9rNW50aOQpbQjWcgfSqvkpwVFHmHGGqOAQXWWvN_xTK-WVK4YaAJhVuqz0cz-bcrARJ3Dzs0B5DObWurq-wUPKTG8EB0aqNoQ61Y5STtwOgyctMBi0X1iwCCWc_liR4Smg7DzfHaap5crIcw8AucE5CfRSt5_K4nXa_CS8RVql0VfP4RnbW5pSrwOvlHdwSQWHZBC3zCrkBzW-YKkj-pdw2DaRolFAMWpfLBo5IYC5JT0qM_IXpnkUR1j1lAIpIl8bpIjGHtu7GukOCp29Q",
    "e": "AQAB"
  },
  "contact": [
    "mailto:hostmaster@bistruphave.dk"
  ],
  "initialIp": "2a06:4000:8076:1::4444",
  "createdAt": "2021-03-08T14:54:06.065907838Z",
  "status": "valid"
}
2021-03-08 15:54:06,153:DEBUG:acme.client:Storing nonce:
000339iPodVGGMLfhwxTWmgnSsjbg0fO7hMP2dpkml82fKY
2021-03-08 15:54:24,329:DEBUG:certbot.display.util:Notifying user: Account
registered.
2021-03-08 15:54:24,329:DEBUG:certbot._internal.main:Picked account:
<Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey
object at 0x7f38cd22a3d0>)>),
contact=('mailto:hostmaster@bistruphave.dk',), agreement=None,
status='valid', terms_of_service_agreed=None, only_return_existing=None,
external_account_binding=None),
uri='https://acme-v02.api.letsencrypt.org/acme/acct/115029268',
new_authzr_uri=None,
terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'),
41475563c7d100642e68148d51e98a93, Meta(creation_dt=datetime.datetime(2021,
3, 8, 14, 54, 6, tzinfo=<UTC>), creation_host='s20.bistruphave.dk',
register_to_eff='hostmaster@bistruphave.dk'))>
2021-03-08 15:54:24,330:DEBUG:certbot.display.ops:No installer, picking
names manually
2021-03-08 15:54:43,273:DEBUG:certbot.display.util:Notifying user:
Requesting a certificate for s20.bistruphave.dk
2021-03-08 15:54:43,374:DEBUG:certbot.crypto_util:Generating RSA key (2048
bits): /etc/letsencrypt/keys/0000_key-certbot.pem
2021-03-08 15:54:43,378:DEBUG:certbot.crypto_util:Creating CSR:
/etc/letsencrypt/csr/0000_csr-certbot.pem
2021-03-08 15:54:43,379:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value":
"s20.bistruphave.dk"\n    }\n  ]\n}'
2021-03-08 15:54:43,381:DEBUG:acme.client:Sending POST request to
https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected":
"eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE1MDI5MjY4IiwgIm5vbmNlIjogIjAwMDMzOWlQb2RWR0dNTGZod3hUV21nblNzamJnMGZPN2hNUDJkcGttbDgyZktZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature":
"f-gFQViftAQdRxrNvTYk72hYUM8Bc8eG6i1tXsyZaPOLxWG5puO0iBeqcDUdGESmT3LouVHMshVgLq5_X0lB7ybilnguEsT6U7ByInfBpPIiWD9oL2JkmMTfplBfAPZ2pZ7yFEVir-FzeS9FFKCAu-GYMkI8T3NEX450zF58w_cZeyfEXiNVKspjvqoO37JIL6ONo_J4AqZ-XGghaHEPtASwQoyGkupR1XNlZzn12nZV9emMmOLS-wTkjAE3hhjyZxy49Qa2gFnJ6FvmQXfLVsycIoE2UkFpCyWfiSV248ruZjfKxfpUgvfoAIM3VUgbPXmN-zhtt_iygthsdGkCNA",
  "payload":
"ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInMyMC5iaXN0cnVwaGF2ZS5kayIKICAgIH0KICBdCn0"
}
2021-03-08
15:54:43,564:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443
"POST /acme/new-order HTTP/1.1" 201 340
2021-03-08 15:54:43,565:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 340
Connection: keep-alive
Boulder-Requester: 115029268
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location:
https://acme-v02.api.letsencrypt.org/acme/order/115029268/8329381429
Replay-Nonce: 0004QEXKc0SPbyIza02NozO1W0sAsn8N-que5sIqzZkTJnw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2021-03-15T14:54:43Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "s20.bistruphave.dk"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/11405354473"
  ],
  "finalize":
"https://acme-v02.api.letsencrypt.org/acme/finalize/115029268/8329381429"
}
2021-03-08 15:54:43,565:DEBUG:acme.client:Storing nonce:
0004QEXKc0SPbyIza02NozO1W0sAsn8N-que5sIqzZkTJnw
2021-03-08 15:54:43,566:DEBUG:acme.client:JWS payload:
b''
2021-03-08 15:54:43,568:DEBUG:acme.client:Sending POST request to
https://acme-v02.api.letsencrypt.org/acme/authz-v3/11405354473:
{
  "protected":
"eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE1MDI5MjY4IiwgIm5vbmNlIjogIjAwMDRRRVhLYzBTUGJ5SXphMDJOb3pPMVcwc0FzbjhOLXF1ZTVzSXF6WmtUSm53IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMTQwNTM1NDQ3MyJ9",
  "signature":
"4GeAyrBa0bEZxDXRtnudxdjQFSdPiAey6F6xxIvrEl4kJbyx7KGj2SbRrI9wOJ-fxNy56yRZIXe6S2RmOgZh0nyLZ3H2GmY5qPQ09hbwfgA7e1RpgHbArekfFhlckIczx0LFWaOOEwmBogzkzuHY5bO1X1G4gUwYGWsihFM1WsV3VHTONbgPPojf5_BPYcYwT10QoRG7aKZ2ilQ9jlKK6K_e3crHlr6NifZomoCn1JIIY84kwRbjN2LgtDmBqPwDvnOQBlvONRcSJ44GP8Lvn0gzY51K7Bqghob5ncppImlRIbbb5LLm6JSUSAgdt7j0d8opcOXhIyVAFCwn54lYAA",
  "payload": ""
}
2021-03-08
15:54:43,737:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443
"POST /acme/authz-v3/11405354473 HTTP/1.1" 200 799
2021-03-08 15:54:43,737:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 799
Connection: keep-alive
Boulder-Requester: 115029268
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00031RLMnEi7BhH-p-H1wUuaxE-MEvmtHZVt88iku_fEfVY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "s20.bistruphave.dk"
  },
  "status": "pending",
  "expires": "2021-03-15T14:54:43Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url":
"https://acme-v02.api.letsencrypt.org/acme/chall-v3/11405354473/YneYbA",
      "token": "KbIpf3LmW4WUSDpu7EIJAYR1KHOxTbYAYIMBRBljAHQ"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url":
"https://acme-v02.api.letsencrypt.org/acme/chall-v3/11405354473/1ONHDQ",
      "token": "KbIpf3LmW4WUSDpu7EIJAYR1KHOxTbYAYIMBRBljAHQ"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url":
"https://acme-v02.api.letsencrypt.org/acme/chall-v3/11405354473/doDvGw",
      "token": "KbIpf3LmW4WUSDpu7EIJAYR1KHOxTbYAYIMBRBljAHQ"
    }
  ]
}
2021-03-08 15:54:43,737:DEBUG:acme.client:Storing nonce:
00031RLMnEi7BhH-p-H1wUuaxE-MEvmtHZVt88iku_fEfVY
2021-03-08 15:54:43,738:INFO:certbot._internal.auth_handler:Performing the
following challenges:
2021-03-08 15:54:43,738:INFO:certbot._internal.auth_handler:http-01
challenge for s20.bistruphave.dk
2021-03-08 15:54:43,738:DEBUG:acme.standalone:Successfully bound to :80
using IPv6
2021-03-08 15:54:43,738:DEBUG:acme.standalone:Certbot wasn't able to bind
IPv6 socket implementations.
2021-03-08 15:54:43,740:INFO:certbot._internal.auth_handler:Waiting for
verification...
2021-03-08 15:54:43,740:DEBUG:acme.client:JWS payload:
b'{}'
2021-03-08 15:54:43,742:DEBUG:acme.client:Sending POST request to
https://acme-v02.api.letsencrypt.org/acme/chall-v3/11405354473/YneYbA:
{
  "protected":
"eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE1MDI5MjY4IiwgIm5vbmNlIjogIjAwMDMxUkxNbkVpN0JoSC1wLUgxd1V1YXhFLU1Fdm10SFpWdDg4aWt1X2ZFZlZZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8xMTQwNTM1NDQ3My9ZbmVZYkEifQ",
  "signature":
"D6j-LWryEVxS8wlA_MLa1k0Zr9e6dXCfMBUT3dh3RVxRKVxalkhFXn1wL1QgRlmIOlm72hkk-Bc5kaY-QhMZdBpaDtKIhkoXm4uDGqv-9xZsYXGRVNtittWhY2mrfCLaBQkpsB__kGdG2cB5ROCQEgmF4ldJ_9jxxSfPh-fY5SHlYGD8B-JP_r2rX_dor03n3cuQLatsxRAhoyIPj-VX6jSO38LAu7EDcDPs9IZeV780UfGznLQ12PtRP1mhEQeiYpqFwtPTeTNx-rE6PQTLpjyGAdWEH671Sbn7zrxhbm2MwTqs3f1ZBjTZE4E9YpO18dO2zCiL23lhFW69oGrIyg",
  "payload": "e30"
}
2021-03-08
15:54:43,908:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443
"POST /acme/chall-v3/11405354473/YneYbA HTTP/1.1" 200 186
2021-03-08 15:54:43,908:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 115029268
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index",
<https://acme-v02.api.letsencrypt.org/acme/authz-v3/11405354473>;rel="up"
Location:
https://acme-v02.api.letsencrypt.org/acme/chall-v3/11405354473/YneYbA
Replay-Nonce: 0004K6rGi6E1AFQ7ocQFSdXF4B3cS3gDsXneUHxwkwt5XEg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url":
"https://acme-v02.api.letsencrypt.org/acme/chall-v3/11405354473/YneYbA",
  "token": "KbIpf3LmW4WUSDpu7EIJAYR1KHOxTbYAYIMBRBljAHQ"
}
2021-03-08 15:54:43,908:DEBUG:acme.client:Storing nonce:
0004K6rGi6E1AFQ7ocQFSdXF4B3cS3gDsXneUHxwkwt5XEg
2021-03-08 15:54:44,690:DEBUG:acme.standalone:2600:3000:2710:200::20 - -
Incoming request
2021-03-08 15:54:44,691:DEBUG:acme.standalone:2600:3000:2710:200::20 - -
Serving HTTP01 with token 'KbIpf3LmW4WUSDpu7EIJAYR1KHOxTbYAYIMBRBljAHQ'
2021-03-08 15:54:44,691:DEBUG:acme.standalone:2600:3000:2710:200::20 - -
"GET
/.well-known/acme-challenge/KbIpf3LmW4WUSDpu7EIJAYR1KHOxTbYAYIMBRBljAHQ
HTTP/1.1" 200 -
2021-03-08
15:54:44,798:DEBUG:acme.standalone:2600:1f14:804:fd02:1be3:bfea:ffcc:a21f
- - Incoming request
2021-03-08
15:54:44,798:DEBUG:acme.standalone:2600:1f14:804:fd02:1be3:bfea:ffcc:a21f
- - Serving HTTP01 with token
'KbIpf3LmW4WUSDpu7EIJAYR1KHOxTbYAYIMBRBljAHQ'
2021-03-08
15:54:44,798:DEBUG:acme.standalone:2600:1f14:804:fd02:1be3:bfea:ffcc:a21f
- - "GET
/.well-known/acme-challenge/KbIpf3LmW4WUSDpu7EIJAYR1KHOxTbYAYIMBRBljAHQ
HTTP/1.1" 200 -
2021-03-08 15:54:44,910:DEBUG:acme.client:JWS payload:
b''
2021-03-08 15:54:44,911:DEBUG:acme.client:Sending POST request to
https://acme-v02.api.letsencrypt.org/acme/authz-v3/11405354473:
{
  "protected":
"eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE1MDI5MjY4IiwgIm5vbmNlIjogIjAwMDRLNnJHaTZFMUFGUTdvY1FGU2RYRjRCM2NTM2dEc1huZVVIeHdrd3Q1WEVnIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMTQwNTM1NDQ3MyJ9",
  "signature":
"sd6yttFyunJd4REynkgOJ77voBOXnRveDisKWrEtA5kQ8bQ1uV2KuZ71HoUdPgl56Q2bk3Z_7dIJT7-YeF7YJjzm5TO8UlDQNerO59FqAIrp23go2rD6DcCQganTtAL_TvSSyfl04Jx-wZ3HXE9IOpVx5bFhiLB4NjH_FEIGk2UkA6NSGA1WmG53I_j3cJofN7UP7SBmNoxRXonyTK5T65xbHKN2uvKEZCCL7QfBrsadGKYdEbGgprE5hfXiS6yTgWFDjZPvGmgx2Qoj5jUBTz_AZd4H_pPpYQsIR4eGMCv62R8v1LHH7x3CoQdcsAXCLPH3b3oTk79l8-rKDUPhjA",
  "payload": ""
}
2021-03-08
15:54:45,080:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443
"POST /acme/authz-v3/11405354473 HTTP/1.1" 200 1002
2021-03-08 15:54:45,080:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1002
Connection: keep-alive
Boulder-Requester: 115029268
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0003MkUzA3ZYndlDISi5WU4wVEAGlB_F2qIvsimV1YKAvI4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "s20.bistruphave.dk"
  },
  "status": "invalid",
  "expires": "2021-03-15T14:54:43Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "During secondary validation: DNS problem: NXDOMAIN
looking up A for s20.bistruphave.dk - check that a DNS record
exists for this domain",
        "status": 400
      },
      "url":
"https://acme-v02.api.letsencrypt.org/acme/chall-v3/11405354473/YneYbA",
      "token": "KbIpf3LmW4WUSDpu7EIJAYR1KHOxTbYAYIMBRBljAHQ",
      "validationRecord": [
        {
          "url":
"http://s20.bistruphave.dk/.well-known/acme-challenge/KbIpf3LmW4WUSDpu7EIJAYR1KHOxTbYAYIMBRBljAHQ",
          "hostname": "s20.bistruphave.dk",
          "port": "80",
          "addressesResolved": [
            "2a06:4000:8076:1::4444"
          ],
          "addressUsed": "2a06:4000:8076:1::4444"
        }
      ]
    }
  ]
}
2021-03-08 15:54:45,081:DEBUG:acme.client:Storing nonce:
0003MkUzA3ZYndlDISi5WU4wVEAGlB_F2qIvsimV1YKAvI4
2021-03-08 15:54:45,081:WARNING:certbot._internal.auth_handler:Challenge
failed for domain s20.bistruphave.dk
2021-03-08 15:54:45,081:INFO:certbot._internal.auth_handler:http-01
challenge for s20.bistruphave.dk
2021-03-08 15:54:45,081:DEBUG:certbot._internal.reporter:Reporting to
user: The following errors were reported by the server:

Domain: s20.bistruphave.dk
Type:   dns
Detail: During secondary validation: DNS problem: NXDOMAIN looking up A
for s20.bistruphave.dk - check that a DNS record exists for this domain
2021-03-08 15:54:45,082:DEBUG:certbot._internal.error_handler:Encountered
exception:
Traceback (most recent call last):
  File
"/var/lib/snapd/snap/certbot/1042/lib/python3.8/site-packages/certbot/_internal/auth_handler.py",
line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File
"/var/lib/snapd/snap/certbot/1042/lib/python3.8/site-packages/certbot/_internal/auth_handler.py",
line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-03-08 15:54:45,082:DEBUG:certbot._internal.error_handler:Calling
registered functions
2021-03-08 15:54:45,083:INFO:certbot._internal.auth_handler:Cleaning up
challenges
2021-03-08
15:54:45,083:DEBUG:certbot._internal.plugins.standalone:Stopping server at
:::80...
2021-03-08 15:54:45,300:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/1042/bin/certbot", line 8, in <module>
    sys.exit(main())
  File
"/var/lib/snapd/snap/certbot/1042/lib/python3.8/site-packages/certbot/main.py",
line 15, in main
    return internal_main.main(cli_args)
  File
"/var/lib/snapd/snap/certbot/1042/lib/python3.8/site-packages/certbot/_internal/main.py",
line 1421, in main
    return config.func(config, plugins)
  File
"/var/lib/snapd/snap/certbot/1042/lib/python3.8/site-packages/certbot/_internal/main.py",
line 1301, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname,
lineage)
  File
"/var/lib/snapd/snap/certbot/1042/lib/python3.8/site-packages/certbot/_internal/main.py",
line 134, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File
"/var/lib/snapd/snap/certbot/1042/lib/python3.8/site-packages/certbot/_internal/client.py",
line 441, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File
"/var/lib/snapd/snap/certbot/1042/lib/python3.8/site-packages/certbot/_internal/client.py",
line 374, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data,
self.config.allow_subset_of_names)
  File
"/var/lib/snapd/snap/certbot/1042/lib/python3.8/site-packages/certbot/_internal/client.py",
line 421, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File
"/var/lib/snapd/snap/certbot/1042/lib/python3.8/site-packages/certbot/_internal/auth_handler.py",
line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File
"/var/lib/snapd/snap/certbot/1042/lib/python3.8/site-packages/certbot/_internal/auth_handler.py",
line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-03-08 15:54:45,300:ERROR:certbot._internal.log:Some challenges have
failed.
[root@s20 japs]#

Interesting. The main validation seemed to work, but the secondary validation found an NXDOMAIN when looking up A (where I'm guessing it should be something like NOERROR if the name exists but there are just no A records for it?)

Can you double-check that all your authoritative DNS servers give consistent answers for both A and AAAA for that domain? I don't see any problems in my quick checking but I'm no DNS expert.

There's another post recently with a secondary validation error that doesn't seem to make much sense either. I don't know if that's enough to raise the red flag and say there's some consistent problem, though.

Have you just tried once, or is this problem repeatedly happening?

As I said from the beginning:

Server with IPv6 AAAA record only

So I have no A record.

I got the following output in addition to the logfile:

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: s20.bistruphave.dk
    Type: dns
    Detail: During secondary validation: DNS problem: NXDOMAIN looking
    up A for s20.bistruphave.dk - check that a DNS record exists for
    this domain

Yes, you don't have an A record, but the only way for the Let's Encrypt servers to know that would be to query your DNS servers for it. They say they got an "NXDOMAIN" back, which I don't think is the right response for "There's no A record but there are other records", they shouldn't be getting an error but just zero A records returned.

Well, even if there might be an issue with the OP's DNS, the error is at least incomplete: now there's room for speculation about whether there is or isn't a resolvable AAAA record.

It seems Boulder only presents the "A" record as failing when both A and AAAA have failed. See the following code:

To me, this is very confusing, especially in situations like this: NXDOMAIN is expected when a host only has an AAAA record.

Edit: And reported on Github: "NXDOMAIN looking up A" error message confusing for IPv6 only hosts · Issue #5319 · letsencrypt/boulder · GitHub

2 Likes

Here you have the answers from my two authoritative DNS servers:

; <<>> DiG 9.16.12 <<>> s20.bistruphave.dk a @10.254.4.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38195
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 02786ce9d4fb318b0100000060465da27cf1c9193e8ba11f (good)
;; QUESTION SECTION:
;s20.bistruphave.dk. IN A

;; AUTHORITY SECTION:
bistruphave.dk. 7200 IN SOA ns1.bistruphave.dk.
hostmaster.bistruphave.dk. 2020121764 7200 3600 604800 86400

;; Query time: 1 msec
;; SERVER: 10.254.4.18#53(10.254.4.18)
;; WHEN: man mar 08 18:23:46 CET 2021
;; MSG SIZE rcvd: 126

; <<>> DiG 9.16.12 <<>> s20.bistruphave.dk a @10.254.5.19
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7165
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 72860b801a82d0380100000060465dacd9474215b98af9a8 (good)
;; QUESTION SECTION:
;s20.bistruphave.dk. IN A

;; AUTHORITY SECTION:
bistruphave.dk. 7200 IN SOA ns1.bistruphave.dk.
hostmaster.bistruphave.dk. 2020121764 7200 3600 604800 86400

;; Query time: 45 msec
;; SERVER: 10.254.5.19#53(10.254.5.19)
;; WHEN: man mar 08 18:23:56 CET 2021
;; MSG SIZE rcvd: 126

Does your DNS have some kind of regional blocking firewall present?

1 Like

It looks to me like you have three authoritative DNS servers.

https://dnsviz.net/d/s20.bistruphave.dk/servers/

But in my testing it does look like they each return NOERROR for A queries and a normal response for AAAA queries. I am a bit baffled as to what the secondary validation servers aren't seeing. Again, is this something reproducible across multiple attempts?

1 Like

Does your DNS have some kind of regional blocking firewall present?

No

Could it be a faulty IPv6 routing somewhere in the global internet?

Certainly anything's possible, which is why I was asking how repeatable the problem was. For what it's worth, I could connect to your DNS servers (both IPv4 & IPv6) from a server in AWS's us-east-1 region, and the Let's Encrypt "secondary validation" servers are I believe hosted at AWS (though I don't know from what regions). I wouldn't expect a failure to contact the DNS servers to result in an error message that said "NXDOMAIN", though, but @Osiris seems to think the error messages are misleading regardless.

No. If a host has an AAAA (so the domain name exists in the zone), but not an A, an NXDOMAIN is wrong. It must be an empty answer: NoError / SOA.

2 Likes

This was the first time. I have just tried a second time, and now it works correctly:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/s20.bistruphave.dk/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/s20.bistruphave.dk/privkey.pem
    Your certificate will expire on 2021-06-06. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again. To non-interactively renew all of your
    certificates, run "certbot renew"
1 Like

I think @Osiris' analysis here is very good. I suspect that the AAAA query timed out (for unknown reasons), but the A query returned NXDOMAIN. If there's an error for the A query and for the AAAA query, Boulder only gives you an error for the A query.

@JuergenAuer is also correct that the server should be returning NOERROR with an empty result set for the A record. NXDOMAIN means "There is Really Nothing Underneath" and resolvers may choose to use that to skip other queries. So for instance if a resolver receives NXDOMAIN for the A record, it might conclude it doesn't need to finish the AAAA query it started around the same time. I don't know if Unbound does this particular optimization. I suspect not.

Thanks for filing the GitHub issue, @Osiris! I agree it would be good to surface both errors, if the AAAA error is different than the A error.

1 Like
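A diagnostic for the NODATA-versus-NXDOMAIN point made by @JuergenAuer and @jsha above, added here as an example and not code from the thread or from Boulder: it parses dig output like the one posted earlier, classifies each response, and flags an authoritative server that returns NXDOMAIN for A even though the name has AAAA data (as a stale secondary would). The sample dig outputs are constructed and modelled on the ones posted; the 192.0.2.53 server and its older SOA serial are invented for the example.

```python
"""Classify dig(1) responses as ANSWER / NODATA / NXDOMAIN and flag
disagreement between authoritative servers for an AAAA-only name."""
import re
from collections import defaultdict

STATUS_RE = re.compile(r"status: (\w+),")
COUNTS_RE = re.compile(r"ANSWER: (\d+), AUTHORITY: (\d+)")
SERVER_RE = re.compile(r";; SERVER: ([^#\s]+)")
QUESTION_RE = re.compile(r"^;(\S+?)\.?\s+IN\s+(\w+)\s*$", re.M)
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\b", re.M)


def parse_dig(text):
    """Summarise one dig output: who answered, for what, with what status."""
    qname, qtype = QUESTION_RE.search(text).groups()
    answer, authority = map(int, COUNTS_RE.search(text).groups())
    return {
        "server": SERVER_RE.search(text).group(1),
        "qname": qname.lower(), "qtype": qtype.upper(),
        "status": STATUS_RE.search(text).group(1),
        "answer": answer, "authority": authority,
        "soa_in_authority": bool(SOA_RE.search(text)),
    }


def classify(summary):
    """NODATA = the name exists but has no RRs of this type: NOERROR with an
    empty answer section, normally with the zone SOA in the authority section.
    NXDOMAIN means the name itself does not exist, for any type (RFC 2308)."""
    if summary["status"] != "NOERROR":
        return summary["status"]          # NXDOMAIN, SERVFAIL, REFUSED, ...
    return "ANSWER" if summary["answer"] > 0 else "NODATA"


def check_consistency(summaries):
    """Return findings; an empty list means every server agrees and nothing
    contradicts the existence of the name."""
    by_key = defaultdict(dict)            # (qname, qtype) -> {server: class}
    for s in summaries:
        by_key[(s["qname"], s["qtype"])][s["server"]] = classify(s)
    findings = []
    for (qname, qtype), per_server in by_key.items():
        if len(set(per_server.values())) > 1:
            findings.append(f"{qname}/{qtype}: servers disagree: {per_server}")
    # A name that yields ANSWER or NODATA for AAAA exists, so NXDOMAIN for A
    # from any server is wrong: the correct response there is NODATA.
    for (qname, qtype), per_server in by_key.items():
        exists = any(c in ("ANSWER", "NODATA")
                     for c in by_key.get((qname, "AAAA"), {}).values())
        for server, cls in per_server.items():
            if qtype == "A" and cls == "NXDOMAIN" and exists:
                findings.append(f"{qname}: {server} says NXDOMAIN for A but "
                                f"the name has AAAA data; expected NODATA")
    return findings


# Constructed samples, modelled on the dig output posted in the thread.
DIG_NODATA_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38195
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;s20.bistruphave.dk. IN A

;; AUTHORITY SECTION:
bistruphave.dk. 7200 IN SOA ns1.bistruphave.dk. hostmaster.bistruphave.dk. 2020121764 7200 3600 604800 86400
;; SERVER: 10.254.4.18#53(10.254.4.18)
"""
DIG_ANSWER_AAAA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;s20.bistruphave.dk. IN AAAA

;; ANSWER SECTION:
s20.bistruphave.dk. 3600 IN AAAA 2a06:4000:8076:1::4444
;; SERVER: 10.254.4.18#53(10.254.4.18)
"""
# Hypothetical stale secondary (invented server, older serial) for the example.
DIG_STALE_NXDOMAIN_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 777
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;s20.bistruphave.dk. IN A

;; AUTHORITY SECTION:
bistruphave.dk. 7200 IN SOA ns1.bistruphave.dk. hostmaster.bistruphave.dk. 2020121700 7200 3600 604800 86400
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""


def run_checks():
    """Classify all three samples and report the inconsistencies found."""
    return check_consistency(
        [parse_dig(d) for d in (DIG_NODATA_A, DIG_ANSWER_AAAA, DIG_STALE_NXDOMAIN_A)])


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

In real use, feed it the output of `dig <name> A @<server>` and `dig <name> AAAA @<server>` for every authoritative server listed in the zone's NS records.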

Are you referring to the queries from Boulder to Unbound, or from Unbound to the authoritative DNS? Since my testing of the authoritative DNS servers here showed only NOERROR from doing A queries.

1 Like

@JuergenAuer Ah, I didn't know that. I thought it was RR specific. So a DNS server could perfectly serve an AAAA record for a certain host, but give an NXDOMAIN error for a non-existing A RR. However, I understand now (and it makes total sense looking at the error name) that this isn't the case. Thanks!

1 Like

If there was a timeout (purely speculating here) it could have been Boulder->Unbound or Unbound->authoritative. However, the NXDOMAIN we see in the error message has to have come from the authoritative server. Unbound wouldn't invent an NXDOMAIN from whole cloth.

The plot thickens… The NXDOMAIN is very strange.

It doesn't: https://unboundtest.com/m/A/s20.bistruphave.dk/75U4HZFO

1 Like

I see that this is the first certificate for the domain: crt.sh | s20.bistruphave.dk. It's possible that it was newly created in the main zone, and at the time of the first error here, its creation hadn't propagated to the authoritative secondaries.

1 Like