SSL Letsencrypt vhost will fail to get letsencrypt certificate if it has A and AAAA records

Discussion in 'Domains, DNS, Email & SSL Certificates' started by happyhacking, Jan 6, 2022.

  1. happyhacking

    Adding a vhost through option 2 on the centmin menu will fail to get a valid certificate if the FQDN has A (IPv4) and AAAA (IPv6) records.

    Letsencrypt states it supports IPv6 but the following contradicts that:

    When making outbound domain validation requests for a domain that has both IPv4 and IPv6 addresses (e.g. both A and AAAA records) Let’s Encrypt will always prefer the IPv6 addresses for the initial connection. If the IPv6 connection fails at the network level (e.g. there is a timeout) and there are IPv4 addresses available then we will retry the request with one of the IPv4 addresses.


    Since the ACME client only configures the IPv4 server to respond to the challenge domain validation will fail when the IPv6 server is used.

    There is not a way to request Let’s Encrypt prefer IPv4, you must fix the misconfiguration.


    The questions are:
    Is there any way to allow the ACME client to listen on the IPv6 port too?

    Is there any way to block the Letsencrypt servers at the CSF Firewall for IPv6 only?
    Is there any other trick to avoid deleting those AAAA records?

    It's clear to me that deleting the AAAA records will cause everything to work as usual, but in my case many domains use both the A and AAAA records, and deleting them just to get the certificate and re-adding them later on will cause the same problem when a reissue is required.
     
  2. eva2000

    First, try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors.

    Centmin Mod Nginx vhost configs only by default set up IPv4 listen directive. If you use IPv6 and AAAA DNS records for Centmin Mod Nginx domains, make sure you manually add the relevant Nginx IPv6 listen directive as per official Centmin Mod FAQ item 34.

    If you don't have correct Nginx IPv6 listen directive manually setup, then IPv6 requests to the domain won't get routed to the correct Nginx vhost site.
     
  3. happyhacking

    Thanks for your instructions, you are correct, we must change the directive from 80/443 to [::]:80/[::]:443 in the vhost conf files so that the IPv6 validation succeeds. The thing is that the vhost conf files are created just before the Letsencrypt validation and there is no way to modify them until the routine ends.

    Then my suggestion would be to maybe add or reuse a routine that determines if the domain has AAAA records and, if it does, adds "[::]:" to the vhost conf files so that the LE IPv6 validation works.
     
  4. eva2000

    eva2000 Administrator Staff Member

    54,906
    12,240
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,811
    Local Time:
    10:26 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Yeah, that's one thing I have been thinking about implementing.

    But in the past, I and others have experienced IPv6 network connectivity issues on some web hosts which require contacting the web host to fix. So every time IPv6 connectivity issues came up, sites would go down or have issues. Or if they did add the AAAA record, it may be to a wrongly formatted IPv6 address in their DNS and result in the same issues.

    Or if they move servers or copy and transfer over an Nginx vhost with IPv6 listeners to a new server that doesn't have IPv6 networking support. Might need to update ngxstop, ngxstart, ngxrestart and/or service systemd files to do some checks at the Nginx vhost level to determine if a web server supports IPv6 and auto-change the listener to support IPv6 or not. Or test to see if adding an IPv6 listener to a non-IPv6 system is okay to do.
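Putting post 3's suggestion (detect AAAA records and add `[::]:` listeners) together with post 4's concern (do not blindly add IPv6 listeners on a host whose IPv6 networking is missing or whose AAAA record points somewhere else), the following is an added shell example; it is not Centmin Mod's own code. The three state names, the yes/no flags, the `/var/www/html` webroot and the `/.well-known/acme-challenge/` location are this example's own assumptions. The DNS and interface parsing is done by pure functions that take command output as text, so only `check_domain` runs `dig` and `ip` live.

```shell
#!/bin/sh
# Added example, not Centmin Mod code.  Decide whether an Nginx vhost needs
# IPv6 listen directives before an HTTP-01 challenge, and render the block.
# State names, yes/no flags, webroot and challenge path are assumptions here.

# 0 if any line of $1 (e.g. output of `dig +short AAAA host`) is an IPv6
# address.  CNAME targets and IPv4 dotted quads have no ':' and do not match.
answer_has_ipv6() {
  printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$'
}

# 0 if $1 (e.g. output of `ip -6 addr show scope global`) lists an inet6
# address, i.e. the host has a globally routable IPv6 address of its own.
host_has_global_ipv6() {
  printf '%s\n' "$1" | grep -q 'inet6 '
}

# Map (AAAA present?, host has global IPv6?) to one of three states:
#   ipv4-only    no AAAA: the CA will validate over IPv4 only
#   dual-stack   AAAA and host IPv6: add [::] listeners so the CA's IPv6
#                connection (which it prefers) lands on this vhost
#   broken-aaaa  AAAA but no host IPv6: the IPv6 probe goes somewhere other
#                than this server; fix or remove the AAAA record first
classify() {
  aaaa="$1"; v6="$2"
  if [ "$aaaa" != "yes" ]; then
    echo ipv4-only
  elif [ "$v6" = "yes" ]; then
    echo dual-stack
  else
    echo broken-aaaa
  fi
}

# Print the listen directives for a state and port (IPv4 always, [::] only
# when the host really has IPv6).
listen_lines() {
  state="$1"; port="$2"
  printf '    listen %s;\n' "$port"
  [ "$state" = "dual-stack" ] && printf '    listen [::]:%s;\n' "$port"
  return 0
}

# Render a port-80 server block that serves ACME HTTP-01 challenge files
# from $webroot/.well-known/acme-challenge (path is an assumption).
render_server_block() {
  domain="$1"; state="$2"; webroot="$3"
  printf 'server {\n'
  listen_lines "$state" 80
  printf '    server_name %s;\n' "$domain"
  printf '    location /.well-known/acme-challenge/ {\n        root %s;\n    }\n' "$webroot"
  printf '}\n'
}

# Live check: query DNS and the host, print the state to stderr and the
# block to stdout; return non-zero on broken-aaaa so a wrapper can stop
# before asking the CA for a certificate.
check_domain() {
  domain="$1"
  aaaa=no; v6=no
  answer_has_ipv6 "$(dig +short AAAA "$domain" 2>/dev/null)" && aaaa=yes
  host_has_global_ipv6 "$(ip -6 addr show scope global 2>/dev/null)" && v6=yes
  state="$(classify "$aaaa" "$v6")"
  echo "# $domain: $state" >&2
  render_server_block "$domain" "$state" /var/www/html
  [ "$state" != "broken-aaaa" ]
}

# Usage: sh nginx-ipv6-listen.sh example.com
if [ $# -eq 1 ]; then
  check_domain "$1"
fi
```

Run it against the domain just before the ACME client is invoked: a `dual-stack` result means the `[::]:80` / `[::]:443` lines from Centmin Mod FAQ item 34 belong in the vhost, while a `broken-aaaa` exit stops the run so the AAAA record is corrected instead of letting the CA's IPv6-first validation fail.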