LetsEncrypt renewal fails if there is an ip6 AAAA address in DNS

I’ve just found that my sites fail to renew their LE certificate if there is are ip6/AAAA entries for the sites in DNS.

I spent a long time diagnosing, and when I deleted the AAAA records for both the ‘www’ and the non-www domain, the renewal flew through with no problems.

I then tried the second failing site, and confirmed the cause of the problem was the AAAA records.

I did not further diagnose to see if both records needed to be removed, or if only one was the issue.

Has anyone else experienced this?

Any insight?


Hello, yes, at the moment, nginx configurations used by EE, do not include ipv6 directives. You have to add the line :

        listen [::]:80;

In your vhost configuration to use --letsencrypt.

Or you can use the standalone mode of certbot : https://kb.virtubox.net/knowledgebase/install-ssl-certificate-lets-encrypt-manually/

Many thanks @virtubox

Yup, been there :slight_smile:

Although I just removed the IPV6 DNS in this case.