How does the IPv6 support of the CA server work?
My server has both IPv4 and IPv6 enabled.
My client only listens on IPv4. Sometimes the Let's Encrypt CA server only resolves my IPv6 address and connects to that address to validate my domain. I got this error message:
{
  "type": "tls-sni-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Failed to connect to [2607:xxxxx:xxxx:xxxx::1]:443 for TLS-SNI-01 challenge",
    "status": 400
  },
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/bbtWs_TDSNIlLJmRwle1BhcHE4let5Cfpf_snhNWI9Q/16278271",
  "token": "rBsjGPhW54ddlqkUgkbMZZ288e7bygmxpPzaT78OIdg",
  "keyAuthorization": "rBsjGPhW54ddlqkUgkbMZZ288e7bygmxpPzaT78OIdg.bUg9P6PAyURnYM3tuIQzYIIs1cRkw8RO-gTFX0lUXTY",
  "validationRecord": [
    {
      "hostname": "xxxxxx.xxxxxx.xxxxxx",
      "port": "443",
      "addressesResolved": [
        "2607:xxxx:xxxx:xxxx::1"
      ],
      "addressUsed": "2607:xxxxx:xxx:xxx::1"
    }
  ]
}
Please take a look at the addressesResolved field above. Only my IPv6 address is there.
The error only happens very rarely; most of the time it works well with my IPv4 address.
This is a working case:
{
  "type": "tls-sni-01",
  "status": "valid",
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/B97f6loM6NRFpmMJsygziFZx_tZ6-XfT1ocravZEeGI/16278267",
  "token": "QIfva0mzWqBSBucd3eeNwV8x-yi3zKP_CfwKJeTfZa0",
  "keyAuthorization": "QIfva0mzWqBSBucd3eeNwV8x-yi3zKP_CfwKJeTfZa0.bUg9P6PAyURnYM3tuIQzYIIs1cRkw8RO-gTFX0lUXTY",
  "validationRecord": [
    {
      "hostname": "xxxxxx.xxxxxx.xxxxxx",
      "port": "443",
      "addressesResolved": [
        "198.xxx.xxx.xxx",
        "2607:xxx:xxx:xxx::1"
      ],
      "addressUsed": "198.xxx.xxx.xxx"
    }
  ]
}
How does the CA server determine whether to use the IPv4 or the IPv6 address to validate the domain?
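Whichever address family the CA prefers, the condition both records above share is that DNS publishes an AAAA record for a host whose challenge responder only listens on IPv4. The following script is an added example (not part of the original post or of any Let's Encrypt code) that audits a challenge object of the shape quoted above against the list of addresses the responder actually serves, and can also check live DNS before requesting a certificate; the hostname, addresses and helper names are constructed for illustration.

```python
import ipaddress
import json
import socket

# Constructed sample in the same shape as the failing authorization quoted
# in the post; hostname and addresses are documentation placeholders.
SAMPLE_AUTHZ = json.loads("""{
  "type": "tls-sni-01", "status": "invalid",
  "error": {"type": "urn:acme:error:connection",
            "detail": "Failed to connect to [2001:db8::1]:443 for TLS-SNI-01 challenge",
            "status": 400},
  "validationRecord": [{"hostname": "example.test", "port": "443",
                        "addressesResolved": ["2001:db8::1"],
                        "addressUsed": "2001:db8::1"}]
}""")


def resolve_all(hostname, port=443):
    """Every A and AAAA address currently published for hostname (live DNS)."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def unserved_addresses(resolved, served):
    """Addresses in DNS on which the challenge responder does not listen.

    Any entry here is an address the CA may pick and fail to connect to,
    whichever address family it prefers, so the list should be empty
    before a challenge is requested.
    """
    served_ips = {ipaddress.ip_address(a) for a in served}
    resolved_ips = {ipaddress.ip_address(a) for a in resolved}
    return sorted(str(ip) for ip in resolved_ips - served_ips)


def audit_authz(authz, served):
    """Summarise which addresses the CA saw, which it used, and which it
    could not have reached, from an ACME authorization object."""
    record = authz["validationRecord"][0]
    used = ipaddress.ip_address(record["addressUsed"])
    return {
        "status": authz["status"],
        "address_used": str(used),
        "used_family": used.version,  # 4 or 6
        "unserved": unserved_addresses(record["addressesResolved"], served),
    }


if __name__ == "__main__":
    import sys
    host, *listen = sys.argv[1:]  # usage: audit.py example.test 198.51.100.10
    missing = unserved_addresses(resolve_all(host), listen)
    print("published but unserved:", missing or "none")
```

The "working case" from the post would still report the IPv6 address as unserved, which is exactly the risk that surfaces whenever the CA happens to select it.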