Verify a multihomed host via http-01


#1

Hello,

I'd like to create a certificate for my laptop, which has one hostname associated with two AAAA records in DNS. One address is used when connected via eth0, the second when connected via wlan0. Usually one address is online, the other offline.
Browsers, curl, postfix are able to connect to my laptop by the DNS name. They don't care if one address is unreachable and take the next.
But in this setup acme-tiny failed (which is not the client's fault, I assume).

The answer from LE contains:

u'hostname': u'multihomed.example.org',
u'addressesResolved': [u'2001:db8::1:1', u'2001:db8::2:1'],
u'addressUsed': u'2001:db8::1:1',
u'port': u'80',

u'detail': u'Could not connect to multihomed.example.org

While the request /to/ LE uses a temporary IPv6 address from network #2, LE selects the address in network #1 for verification, and that one is just offline :-/

It looks like LetsEncrypt does not try to connect to the next possible address if one fail.
Is that intentional?

Andreas


#2

Correct. I’d suggest setting both to the connection you are using whilst obtaining the certificate to guarantee success.


#3

Another alternative for multihomed hosts would be to use the DNS challenge type (where you prove control of the domain by modifying its DNS records). In that case, it doesn't matter how many IP addresses the host has or whether they all point to the same physical server, as long as the DNS zone as seen by the certificate authority has been updated with the requested entry.
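As an added example (not code from any of the posters, acme-tiny or Let's Encrypt), a pre-flight check for the situation in #1: resolve every address published for the hostname and probe port 80 on each, since the CA may pick any one of them and does not fall back to the next. It also summarises a validationRecord like the one quoted above. The resolver and probe are injectable so the check can be exercised offline; `SAMPLE_RECORD` is constructed from the fields shown in the thread.

```python
import socket
from typing import Callable, Dict, List

def resolve_all(hostname: str) -> List[str]:
    """Every A/AAAA address published for the name, i.e. the pool the
    CA's 'addressesResolved' list is drawn from."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def tcp_probe(addr: str, port: int = 80, timeout: float = 5.0) -> bool:
    """True if a TCP connection to the port succeeds on this one address."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:
        return False

def http01_preflight(hostname: str,
                     resolve: Callable[[str], List[str]] = resolve_all,
                     probe: Callable[[str], bool] = tcp_probe) -> Dict[str, bool]:
    """Map each published address to whether port 80 answers there.
    The CA may pick any one of them and does not fall back, so http-01
    is only safe when every value is True."""
    return {addr: probe(addr) for addr in resolve(hostname)}

def unreachable(results: Dict[str, bool]) -> List[str]:
    return [addr for addr, ok in results.items() if not ok]

def http01_ready(results: Dict[str, bool]) -> bool:
    return bool(results) and not unreachable(results)

def explain_validation_record(record: dict) -> str:
    """Summarise a challenge validationRecord like the one quoted in #1."""
    used = record["addressUsed"]
    others = [a for a in record.get("addressesResolved", []) if a != used]
    msg = f"CA connected to {used} on port {record.get('port', '80')}"
    if others:
        msg += "; not tried: " + ", ".join(others)
    return msg

# Constructed record mirroring the fields shown in the thread.
SAMPLE_RECORD = {
    "addressesResolved": ["2001:db8::1:1", "2001:db8::2:1"],
    "addressUsed": "2001:db8::1:1",
    "port": "80",
}
```

Run `http01_preflight("your.hostname")` with the defaults before requesting a certificate; if `http01_ready` is False, either bring the listed unreachable addresses online or drop them from DNS for the duration, as #2 suggests.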

