IPv6 doesn't work #180

Closed
ThomasWaldmann opened this issue Jan 23, 2015 · 15 comments
@ThomasWaldmann
Contributor

$ sudo ./venv/bin/letsencrypt -e -d myname.nsupdate.info -t
INFO:root:Generating key: /etc/apache2/ssl/key-letsencrypt_17.pem
INFO:root:Performing the following challenges:
INFO:root: DVSNI challenge for name myname.nsupdate.info.
INFO:root:Ready for verification...
INFO:root:Waiting for 3 seconds...
CRITICAL:root:Expected message (authorization) not received
CRITICAL:root:Failed Authorization procedure - cleaning up challenges
INFO:root:Cleaning up challenges for myname.nsupdate.info

tw@tux:~/w/lets-encrypt-preview$ host myname.nsupdate.info
myname.nsupdate.info has IPv6 address 2002:xxxx:xxxx:xxxx:xxxx:xxff:fexx:xxxx (only v6 in DNS!)

tw@tux:~/w/lets-encrypt-preview$ host letsencrypt-demo.org
letsencrypt-demo.org has address 54.183.196.250 (only v4 in DNS!)

note: myname.nsupdate.info has v4 and v6 connectivity.

So, not sure what's going wrong, but I think it would be good if you added a AAAA record for the ACME server (and also v6 connectivity in case it is not yet there).

Same thing worked if I put an A record into DNS.

@ThomasWaldmann
Contributor Author

BTW, if your hoster does not support IPv6 directly, but you have root access to the (virtual) machine, you can easily set up IPv6 via a tunnel: https://tunnelbroker.net/

@jdkasten jdkasten added the bug label Jan 25, 2015
@schoen
Contributor

schoen commented Feb 28, 2015

John Gilmore asked that we test for support for IPv6-only hosts once Boulder is interoperable (i.e., a host which only has an AAAA record and not an A record). (I think that's potentially a further case from the one reported here.) I believe John is interested in the ability to get a cert on a web server that has no IPv4 service at all, or at the very least no associated A record that can be used to make an inbound TCP connection over IPv4.

@ghost

ghost commented Jul 7, 2015

+1 - I'm running many machines w/ ipv6 only.

@cf-mthoenes

+1 - Also running many IPv6-only hosts

@h4ck3rm1k3

I have only IPv6 working resolve but somehow I was able to get a cert. I don't know how I did it; is there any record of what I did anywhere?

@enygren

enygren commented Oct 30, 2015

+1 - I also have some IPv6-only hosts. Some hosting providers are also now providing lower-cost offerings for IPv6-only.

@thevilledev

+1 - many, many IPv6-only hosts and no letsencrypt.

@pde
Member

pde commented Nov 13, 2015

Blocked by: letsencrypt/boulder#593

@pde pde added this to the 2.0 milestone Nov 13, 2015
@Namsep

Namsep commented Dec 4, 2015

Here IPv6 only webservers, can't validate the DNS thus no certificate.

@FliesLikeABrick

I have a number of IPv6-only environments that LetsEncrypt would allow me to deploy much-needed security to. Unfortunately this issue is preventing authentication for certs to be generated. Please add IPv6-only support!

@graingert

I run a dual-stack NATed IPv4 and IPv6 network so the only global IPs are available on IPv6, currently without IPv6 support I can't create certificates :(

@nomaster

nomaster commented Dec 7, 2015

+1 I run many services on IPv6 only, because IPv4 address pools are depleted.

@Woutifier

+1 Kind of odd for a service like this to support legacy IP only ;)

@dClauzel

dClauzel commented Dec 9, 2015

Indeed, letsencrypt fails to handle IPv6. Example here:

./letsencrypt-auto --apache -d serveur.clauzel.eu

Failed authorization procedure. serveur.clauzel.eu (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No IPv4 addresses found for serveur.clauzel.eu

IMPORTANT NOTES:
 - The following 'urn:acme:error:unknownHost' errors were reported by
   the server:

   Domains: serveur.clauzel.eu
   Error: The server could not resolve a domain name

Of course, there is only an AAAA record for this domain; no A record:

# dig +short serveur.clauzel.eu AAAA
2a01:e34:ec15:6030:d0d0:cafe:d0d0:cafe

letsencrypt.log
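
An added example, not part of the original thread or of the Let's Encrypt client: a triage helper that parses the failure line quoted in the comment above and checks whether the named host has only AAAA records. The function names and the injectable `resolve` parameter are hypothetical; the line format is assumed from that one quoted line.

```python
import re
import socket

# Failure line as quoted in the comment above.
SAMPLE_LINE = (
    "Failed authorization procedure. serveur.clauzel.eu (tls-sni-01): "
    "urn:acme:error:unknownHost :: The server could not resolve a domain name "
    ":: No IPv4 addresses found for serveur.clauzel.eu"
)

FAILURE_RE = re.compile(
    r"Failed authorization procedure\.\s+(?P<domain>\S+)\s+\((?P<challenge>[^)]+)\):"
    r"\s+(?P<urn>urn:acme:error:\w+)\s+::\s+(?P<summary>.*?)\s+::\s+(?P<detail>.*)$"
)

def parse_failure(line):
    """Split the failure line into domain, challenge, urn, summary, detail."""
    m = FAILURE_RE.search(line.strip())
    return m.groupdict() if m else None

def address_families(name, resolve=socket.getaddrinfo):
    """Return which of 'A' / 'AAAA' the local resolver finds for `name`.

    `resolve` is injectable (hypothetical parameter) so this runs offline.
    """
    found = set()
    for family, label in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            if resolve(name, 443, family, socket.SOCK_STREAM):
                found.add(label)
        except socket.gaierror:
            pass  # nothing of this address family
    return found

def diagnose(line, resolve=socket.getaddrinfo):
    """Say whether a failure line matches the AAAA-only case in this issue."""
    fields = parse_failure(line)
    if fields is None:
        return "unrecognised"
    if fields["urn"] != "urn:acme:error:unknownHost":
        return "other-acme-error"
    families = address_families(fields["domain"], resolve)
    if families == {"AAAA"}:
        return "ipv6-only-host"
    return "resolves-locally" if families else "no-address-records"
```

With the default resolver, `diagnose(SAMPLE_LINE)` performs live lookups through the system resolver, so results also reflect local overrides such as `/etc/hosts`.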

@jmhodges
Contributor

jmhodges commented Dec 9, 2015

Hey folks, the Let's Encrypt project is aware of this. We're currently hamstrung on the server-side because our network and DC provider doesn't give us a way to do IPv6 out to folks.

We'll definitely be posting to the community site when we get IPv6 and it's on our want list!

Thanks for your interest! I'm going to close this up since it's not a client bug, and lock it since we're already getting +1 spam.

@jmhodges jmhodges closed this as completed Dec 9, 2015
@certbot certbot locked and limited conversation to collaborators Dec 9, 2015