You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
On the Community, we've seen a few instances where users were showing a time out error with an IPv4 IP address in the returned error, even though the IPv4 address was working properly. (E.g. https://community.letsencrypt.org/t/letsencrypt-reissue-certificate/214220.) In reality, it was the IPv6 address timing out. This problem only occurs if there's a HTTP to HTTPS redirect in place.
For some reason Boulder only retries using IPv4 when there's an issue with IPv6 for the HTTP connection, but not for the HTTPS connection. (Not the scope of this issue.) But when the HTTPS over IPv6 attempt fails, Boulder uses the IPv4 address from the HTTP connection in the error message. Which is not correct.
Steps to reproduce:
Have a site with HTTP to HTTPS redirect enabled;
Have a functional IPv4 address;
Have a non-functional IPv6 address;
Attempt to get a certificate.
Expected result:
Time out error with the IPv6 address shown in the error message.
Actual result:
Time out error with the IPv4 address shown in the error message.
Additional details:
It's really confusing to see a perfectly functional IPv4 address in a time out error message when actually the IPv6 address is the problem.
The text was updated successfully, but these errors were encountered:
osirisinferi
changed the title
Incorrect IP address in error message when IPv6 is not working
Incorrect IPv4 address in error message when IPv6 is not working
Mar 2, 2024
This means that, if we've been falling back between various IP addresses to try, we'll be including the right IP address. But, if connecting to that IP address resulted in an HTTP 3XX redirect, we will not be including the redirected-to IP address in the error message.
I think the correct fix here is for newIPError to extract the IP Address from the last item in records instead of from target. This way it will reflect any redirects that were followed.
This is probably a low-priority fix for us at the moment, so I'm putting my notes here for the future.
When we present error messages containing IP addresses to end users,
sometimes we're presenting the IP at which we began a chain of
redirects, but not presenting the IP at which the final redirect was
located. This can make it difficult for client operators to identify
exactly which server in their infrastructure is misbehaving.
Change our IP error messages to reference the most-recently-tried
address from the set of all validation records, rather than the address
which started the current (potential) redirect chain.
Fixes#7347
Summary:
On the Community, we've seen a few instances where users were showing a time out error with an IPv4 IP address in the returned error, even though the IPv4 address was working properly. (E.g. https://community.letsencrypt.org/t/letsencrypt-reissue-certificate/214220.) In reality, it was the IPv6 address timing out. This problem only occurs if there's a HTTP to HTTPS redirect in place.
For some reason Boulder only retries using IPv4 when there's an issue with IPv6 for the HTTP connection, but not for the HTTPS connection. (Not the scope of this issue.) But when the HTTPS over IPv6 attempt fails, Boulder uses the IPv4 address from the HTTP connection in the error message. Which is not correct.
Steps to reproduce:
Expected result:
Actual result:
Additional details:
It's really confusing to see a perfectly functional IPv4 address in a time out error message when actually the IPv6 address is the problem.
The text was updated successfully, but these errors were encountered: