Learn about Centmin Mod LEMP Stack today
Register Now

SSL Letsencrypt vhost will fail to get letsencrypt certificate if it has A and AAAA records

Discussion in 'Domains, DNS, Email & SSL Certificates' started by happyhacking, Jan 6, 2022.

  1. happyhacking

    happyhacking New Member

    28
    7
    3
    Apr 23, 2021
    Ratings:
    +15
    Local Time:
    2:23 AM
    1.19.10
    MariadDB 10.4.18
    Adding a vhost through option 2 on centmin menu will fail to get a valid certificate if FQDN has A (IPv4) and AAAA (IPv6) records.

    Letsencrypt states it supports IPv6 but the following contradicts that:

    When making outbound domain validation requests for a domain that has both IPv4 and IPv6 addresses (e.g. both A and AAAA records) Let’s Encrypt will always prefer the IPv6 addresses for the initial connection. If the IPv6 connection fails at the network level (e.g. there is a timeout) and there are IPv4 addresses available then we will retry the request with one of the IPv4 addresses.

    Since the ACME client only configures the IPv4 server to respond to the challenge domain validation will fail when the IPv6 server is used.

    There is not a way to request Let’s Encrypt prefer IPv4, you must fix the misconfiguration.


    The questions are:
    There is any way to allow the ACME client to listen on IPv6 port too ?

    There is any way to block at the CSF Firewall the Letsencrypt servers only for IPv6 ?
    There will be any other trick to avoid deleting those AAAA records ?


    Its clear to me that deleting AAAA records will cause everything to work as usual, but in my case many domains use both the A and AAAA records, and deleting them to just get certificate and re adding them later on will cause the same problem when a reissue is required.
     
  2. eva2000

    eva2000 Administrator Staff Member

    47,837
    10,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,947
    Local Time:
    6:23 PM
    Nginx 1.21.x
    MariaDB 10.x
    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors.

    Centmin Mod Nginx vhost configs only by default set up IPv4 listen directive. If you use IPv6 and AAAA DNS records for Centmin Mod Nginx domains, make sure you manually add the relevant Nginx IPv6 listen directive as per official Centmin Mod FAQ item 34.

    If you don't have correct Nginx IPv6 listen directive manually setup, then IPv6 requests to the domain won't get routed to the correct Nginx vhost site.
     
  3. happyhacking

    happyhacking New Member

    28
    7
    3
    Apr 23, 2021
    Ratings:
    +15
    Local Time:
    2:23 AM
    1.19.10
    MariadDB 10.4.18
    Thanx for your instructions, you are correct, we must change the directive from 80/443 to [::]:80/[::]:443 on vhost conf files so the ipv6 validation would be succesfull. The thing is that the vhost conf files are created just before the letsencrypt validation and there is no way to modify it until the routine ends.

    Then my suggestion would be maybe to add or reuse a routine that determines if the domain has AAAA records and if it does, add "[::]:" to vhost conf files so the LE IPv6 validation should work.
     
  4. eva2000

    eva2000 Administrator Staff Member

    47,837
    10,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,947
    Local Time:
    6:23 PM
    Nginx 1.21.x
    MariaDB 10.x
    Yeah, that's one thing I have been thinking about implementing.

    But in the past, I and others have experienced IPv6 network connectivity issues on some web hosts which require contacting the web host to fix. So every time IPv6 connectivity issues came up, sites would go down or have issues. Or if they did add the AAAA record it may be to the wrong formatted IPv6 address in their DNS and result in the same issues.

    Or if they move servers or copy and transfer over an Nginx vhost with IPv6 listeners to a new server that doesn't have IPv6 networking support. Might need to update ngxstop, ngxstart, ngxrestart and or service systemd files to do some checks at Nginx vhost level to determine if a web server supports IPv6 and auto changes the listener to support IPv6 or not. Or test to see if adding IPv6 listener to a non-IPv6 system is okay to do.