The ACME server was probably unable to reach - but can from browser and elsewhere #443

Closed
Acerby opened this issue May 21, 2017 · 1 comment


Acerby commented May 21, 2017

Just to document a problem I had in case someone else has the same problem:
I had an issue whereby the ACME server reported being unable to reach my domain but external browsers could and various http testing utilities referred to elsewhere in this site as example places to test responses also reported successful/correct responses.
It turned out that the problem I had was that the system hosting my domain had been upgraded to a dual stack whereby it responded to both IPv4 and IPv6 requests. It seems that in this case the ACME server found and chose to use the IPv6 address (and not the IPv4 one as I was expecting), whereas most test sites and browsers were using IPv4. In this case whilst it was accessible via IPv4 the path wasn't accessible via IPv6 due to a firewall issue. Once I fixed the IPv6 firewall issue it all worked fine.
Hope that helps some people out there.

@Acerby Acerby closed this as completed May 21, 2017

cpu commented May 22, 2017

@Acerby I work on the server-side implementation of Let's Encrypt and the ACME Server. My expectation in this scenario is that the IPv6 request would fail but Boulder (the LE ACME server) should have retried with the IPv4 address.

Can you share the domain name(s) you were trying to renew? When you say: "the path wasn't accessible via ipv6 due to firewall issue" can you describe this with more detail? Was there a rule dropping all traffic? Was it a DROP or a DENY rule? What was the change you made at the firewall to fix the v6 route?

If you'd prefer we can troubleshoot on letsencrypt/boulder#2770 instead of here.

Thanks!
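
A pre-flight check for the dual-stack situation discussed in this issue, added here as an example and not code from either commenter or from the Let's Encrypt project: it resolves a host's A and AAAA records and attempts a TCP connection to each published address separately, so an IPv6 path blocked by a firewall shows up even when IPv4 works. The function names are hypothetical, and it assumes validation traffic arrives on port 80 and that the machine running it has working IPv6 connectivity of its own.

```python
import socket

FAMILIES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

def resolve_by_family(host, port=80, getaddrinfo=socket.getaddrinfo):
    """Group the addresses published for host by address family."""
    found = {"IPv4": [], "IPv6": []}
    for family, _type, _proto, _name, sockaddr in getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        label = FAMILIES.get(family)
        if label and sockaddr[0] not in found[label]:
            found[label].append(sockaddr[0])
    return found

def tcp_probe(addr, port=80, timeout=5.0):
    """Connect to one literal address: 'open', 'timeout', 'refused' or 'error: ...'."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return "open"
    except socket.timeout:
        return "timeout"   # usual result when a firewall silently drops packets
    except ConnectionRefusedError:
        return "refused"   # usual result of a reject rule or a closed port
    except OSError as exc:
        return f"error: {exc}"

def dual_stack_report(host, port=80, resolve=resolve_by_family, probe=tcp_probe):
    """Probe every published address; list families published but not fully reachable."""
    results = {fam: {a: probe(a, port) for a in addrs}
               for fam, addrs in resolve(host, port).items()}
    broken = [fam for fam, r in results.items()
              if r and any(state != "open" for state in r.values())]
    return results, broken

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    results, broken = dual_stack_report(host)
    for fam, r in results.items():
        for addr, state in r.items():
            print(f"{fam} {addr}: {state}")
    for fam in broken:
        print(f"WARNING: {fam} address is published but not reachable on port 80")
```

Run it from a network outside the firewall being tested; a `timeout` result on the IPv6 address alongside `open` on IPv4 matches the symptom reported in the first comment.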
