Bug 1467100 - certbot --standalone doesn't bind to ipv6, but letsencrypt now prefers to verify over ipv6
certbot --standalone doesn't bind to ipv6, but letsencrypt now prefers to ver...
Status: NEW
Product: Fedora
Classification: Fedora
Component: certbot (Show other bugs)
All Linux
unspecified Severity high
: ---
: ---
Assigned To: James Hogarth
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2017-07-02 14:55 EDT by Randy Barlow
Modified: 2017-07-02 14:55 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Randy Barlow 2017-07-02 14:55:18 EDT
Description of problem:

I had a hard time renewing my letsencrypt certs today. It turned out to be a combination of things. letsencrypt recently started verifying certificated over ipv6 (awesome). I have been using certbot with the --standalone flag, partly for simplicity (no messing with httpd configs) and partly because I have a few hosts that don't have port 80/443 (XMPP server, for example). I was banging my head for a while trying to figure out why it couldn't connect over v6 to this host because it seemed to work for me otherwise, and I finally thought to check that the client was binding to ipv6 and it wasn't!

Anyways, this was actually recently fixed upstream:


I'd like to request either a version bump to an upstream release that has that fix, or a backport of the patch if feasible. In the meantime, I will probably just switch to using httpd for verification.

Version-Release number of selected component (if applicable):

How reproducible:
Every time.

Steps to Reproduce:
1. Fire up watch on ss -lnp to see the ports that are being used on the host.
2. Use certbot with --standalone to get a cert. You can use the --dry-run flag if you please.

Actual results:
You'll see certbot bind to the ipv4 address, but not the ipv6 address.

Expected results:
It should bind to both v4 and v6.

Note You need to log in before you can comment on or make changes to this bug.