We have timeouts on challenges for new or certificate renewals since a week.
After more investigation, it seems that we have a lot of packet loss over our cogent ipv6 adresses (for example with a mtr to 2600:3000:2710:200::1d)
We have no packet loss with this cogent network to another ipv6 network.
Once we remove the AAAA entry in the DNS, we don’t have timeouts anymore. But that’s not a solution, as we need ipv6 for other things.
Are you aware about a possible peering problem between letsencrypt’s ipv6 network and cogent’s ipv6 ? We also opened a ticket about this problem at Cogent.
It seems that you have a problem with cogent. Here is their answer
the destination prefix is unfortunately heavly flapping via BGP, seems the origin has some issues on there side.
The flapping of the route causing that we get several times a second new routing informations for this destination and this casues the re-routing you see and the reported packetloss.
It may be helpful if you can disclose what IPv6 source address you would be attempting access from. Are you using Cogent IPv6 space or advertising your own space into Cogent?
As an aside – and completely unrelated to LetsEncrypt – if you’re offering an IPv6 service up to the public, being single-homed on Cogent IPv6 is not the best option.
Cogent’s long history of peering wars with Hurricane Electric essentially means that there’s an IPv6 permanent net split. Those single-homed on Cogent or Hurricane Electric can’t reach others on the opposite side of that divide.
In short, if ubiquitous IPv6 reach is essential to you, you should BGP multi-home with both Cogent and Hurricane Electric or consider single-home setup with someone who bridges the divide. In the US, NTT USA, for example. (Or lots of others.)
LE Ops here. Cogent reached out to ViaWest last week and we traced the routes back to the IP they provided from the VA and there didn’t seem to be any major issues until we were several hops into the cogent network. I’ve pushed ViaWest again today to find out their resolution of the inquiry.
We did not have any issues with the VA reaching the IP Cogent provided for testing, but we weren’t trying to maintain a tcp session. At least for traceroute/mtr the lossy points were inside Cogent’s network.
I’ll paste those results here for reference:
Summary
Here’s the trace from the firewall:
trace to 2a02:29e8:700:0:1::90 (2a02:29e8:700:0:1::90), 30 hops max, 40/8 byte payload/paddata
1 2600:3000:2700:1073::1 (2600:3000:2700:1073::1) 0.474 ms 0.600 ms 0.329 ms
2 2600:3000:3:720::1 (2600:3000:3:720::1) 1.146 ms 0.864 ms 0.632 ms
3 2600:3000:3:38::1 (2600:3000:3:38::1) 0.778 ms 0.749 ms 0.735 ms
4 2600:3002:2:1b0::2 (2600:3002:2:1b0::2) 1.289 ms 1.161 ms 1.093 ms
5 2001:1900:2100::1c91 (ae6-681.edge2.Chicago2.Level3.net) 11.832 ms 11.815 ms 11.835 ms
6 * * *
7 2001:550:3::39 (be3036.ccr41.lax04.atlas.cogentco.com) 29.340 ms 29.290 ms 29.231 ms
8 * * *
9 * 2001:550:0:1000::9a36:2da1 (be2932.ccr32.phx01.atlas.cogentco.com) 40.096 ms *
10 * * *
11 * 2001:550:0:1000::9a36:1ddd (be2927.ccr41.iah01.atlas.cogentco.com) 41.312 ms *
12 * * *
13 * * *
14 * * *
15 2001:550:0:1000::9a36:1eba (be2317.ccr41.lon13.atlas.cogentco.com) 137.086 ms * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 2001:978:2:e::1:2 (r7-eth-1-1-0-TLL-VS.ee.zonedata.net) 197.609 ms 197.527 ms 197.600 ms
27 2a02:29e8:bce:0:7:1:0:2 (r1-eth-3-2-0-TLL-Linx.ee.zonedata.net) 206.619 ms 197.674 ms 197.758 ms
28 2a02:29e8:700:0:1::90 (data.zone.eu) 197.394 ms 197.527 ms 197.455 ms
ICMP outbound is blocked from the VA itself, but I can reach port 80 on that host from the VA and the following mtr uses tcp over 80 instead of ICMP ECHO:
I’m not in the USA, but in France, so I’m not affected by the peering war between Cogent and HE. Cogent works very well with all the ISP and service providers here.
I’m experiencing IPv6 verification issues as well. On HE.net IPv6 tunnel, IPv6 availability verified from another site.Apparently broken from the LE servers.
from the acme authz response (only ipv6 address not modified)