Let's Encrypt and IPv6
I’m using Let’s Encrypt as Certificate Authority on this and many other sites. I like it, as it allows me to automate certificate creation and renewals, however I also have some monitoring making sure everything works as expected.
I recently got a few alerts as some certificates weren’t renewed as expected. I figured nothing had changed on the server setup and there was renewal happening for a few days, I started looking into it and found the issue why the renewal was failing, so here’s the story.
IPv4 & IPv6
The IPv6 adoption seems to be moving extremely slowly, but as the data centers I use support IPv6, I usually always configure DNS and servers to support IPv6. It’s really no extra effort once the server is running with IPv6 networking - just a one time configuration (at least with NGINX as a webserver).
Assuming the IPv6 networking is setup on the server (and network), the nginx configuration is a matter of adding to lines to your NGINX in you config:
# Add this line to the HTTP config listen [::]:80; # Add this line to the HTTPS config listen [::]:443 ssl;
So far perfect and the site should be working.
My home is running on an “old” broadband connection with fixed IPv4. There’s no IPv6 available nice as it would be. Test and make sure everything works, you can youse a site like Wormly which has a HTTP client test.
Make sure to set the test to run “IPv6 only” in the IP mode section. This should allow you through the reported output to make sure everything is working as expected.
The Let’s Encrypt angle
The reason I discovered issues with certificates on a few sites not renewing was due to the fact that I skipped the test of “is IPv6 working”, as it is a hassle needing to go through a “proxy website” to validate.
It seems the HTTP-01 certificate validation done by Let’s Encrypt is done by IPv6 if an AAAA record is published, and thus would make the validation fail, if you haven’t configured the IPv6 server correct, but only configured the DNS.