LetsEncrypt renewal fails if there is an ip6 AAAA address in DNS


#1

I’ve just found that my sites fail to renew their LE certificate if there are ip6/AAAA entries for the sites in DNS.

I spent a long time diagnosing, and when I deleted the AAAA records for both the ‘www’ and the non-www domain, the renewal flew through with no problems.

I then tried the second failing site, and confirmed the cause of the problem was the AAAA records.

I did not further diagnose to see if both records needed to be removed, or if only one was the issue.

Has anyone else experienced this?

Any insight?

David.


#2

Hello, yes, at the moment the nginx configurations used by EE do not include IPv6 directives. You have to add the line:

        listen [::]:80;

in your vhost configuration to use --letsencrypt.

Or you can use the standalone mode of certbot: https://kb.virtubox.net/knowledgebase/install-ssl-certificate-lets-encrypt-manually/
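
A pre-renewal check for the mismatch discussed in this thread, as an added example that is not part of the original posts and not EE's or certbot's own code: it lists hostnames that publish an AAAA record while their nginx `server` block has no IPv6 listener on port 80. The vhost text, the DNS table and all function names are constructed for illustration; in practice the DNS data would come from a real lookup.

```python
import re

# Constructed sample vhosts: the first is IPv4-only, the second also listens on IPv6.
SAMPLE_VHOST = """
server {
    listen 80;
    server_name example.com www.example.com;
    location / { try_files $uri =404; }
}
server {
    listen 80;
    listen [::]:80;
    server_name blog.example.net;
}
"""

# Constructed DNS data: hostname -> record types published for it.
SAMPLE_DNS = {
    "example.com": {"A", "AAAA"},
    "www.example.com": {"A", "AAAA"},
    "blog.example.net": {"A", "AAAA"},
}

def server_blocks(conf):
    """Yield the body of each server { ... } block, matching nested braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def listens_ipv6_port80(block):
    """True if the block has a listen directive on an IPv6 address, port 80."""
    for args in re.findall(r"^\s*listen\s+([^;]+);", block, re.M):
        # First token is the address; a bare [addr] defaults to port 80 in nginx.
        if re.fullmatch(r"\[[0-9a-fA-F:]*\](:80)?", args.split()[0]):
            return True
    return False

def hostnames_at_risk(conf, dns):
    """Hostnames with an AAAA record whose vhost cannot answer over IPv6."""
    conf = re.sub(r"#[^\n]*", "", conf)  # ignore commented-out directives
    at_risk = []
    for block in server_blocks(conf):
        if listens_ipv6_port80(block):
            continue
        for names in re.findall(r"^\s*server_name\s+([^;]+);", block, re.M):
            at_risk += [n for n in names.split() if "AAAA" in dns.get(n, ())]
    return sorted(at_risk)
```
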


#3

Many thanks @virtubox


#4

Yup, been there 🙂

Although I just removed the IPv6 DNS in this case.