LetsEncrypt fail with IPv6 DA option enabled and no IPv6 address configured

Yoshua

Verified User
Joined
Apr 9, 2007
Messages
72
Location
Spain
Hi, I have been looking in the DA version history and in the forum with the terms "letsencrypt ipv6", information related to the changes made in each new version of the script "letsencrypt.sh", used to generate and update the LetsEncrypt certificates, but I have not found anything that warns of the recent change in relation to the DNS servers used in case the IPv6 configuration is activated in Directadmin.

Bash:
# Use Google DNS for external lookups
DNS_SERVER="8.8.8.8"
DNS6_SERVER="2001:4860:4860::8888"
# Fallback DNS server
NEW_IP="1.1.1.1"
NEW6_IP="2606:4700:4700::1111"
#NEW_IP=`cat /etc/resolv.conf |grep ^nameserver | grep -v 127.0.0.1 | head -n1 | cut -d\  -f2`
DA_IPV6=false
...
...
if ${DA_BIN} c | grep -m1 -q "^ipv6=1$"; then
        DA_IPV6=true
        DNS_SERVER=${DNS6_SERVER}
        NEW_IP=${NEW6_IP}
fi
I consider that these types of changes should be notified, since if we have the IPv6 configuration activated in Directadmin, but without an IPv6 address configured, the creation of a new certificate and the renewal of existing ones will fail.

Code:
Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
DNS challenge test fail for _acme-challenge-test.domain.tld IN TXT "pre-check", retrying...
Unable to connect to 2001:4860:4860::8888. Trying 2606:4700:4700::1111 instead
Retry failed, trying again in 15s...
...
...
Retry failed, trying again in 15s...
DNS validation failed. Exiting...
In our case we have always activated the IPv6 option in the configuration of Directadmin on all our servers and our clients so that they have the option of adding and using an IPv6 for their tests from ISPs that have it already deployed.

In our country, unfortunately, nothing is progressing in the deployment of IPv6 and therefore our customers have no interest in adding IPv6 addresses to their servers, so these days we are receiving many notices and complaints from customers for that LetsEncrypt certificates are not being renewed or cannot create them. Now we will have to modify the configuration of Directadmin on all servers to disable IPv6 functions.

It would be appreciated if these types of changes that affect the basic operation of the script, for the future, were notified.

Thank you :)
 
Top