Red Hat Bugzilla – Bug 1467100
certbot --standalone doesn't bind to ipv6, but letsencrypt now prefers to verify over ipv6
Last modified: 2017-07-02 14:55:18 EDT
Description of problem:
I had a hard time renewing my letsencrypt certs today. It turned out to be a combination of things. letsencrypt recently started verifying certificates over ipv6 (awesome). I have been using certbot with the --standalone flag, partly for simplicity (no messing with httpd configs) and partly because I have a few hosts that don't have port 80/443 (XMPP server, for example). I was banging my head for a while trying to figure out why it couldn't connect over v6 to this host because it seemed to work for me otherwise, and I finally thought to check that the client was binding to ipv6 and it wasn't!
Anyways, this was actually recently fixed upstream:
I'd like to request either a version bump to an upstream release that has that fix, or a backport of the patch if feasible. In the meantime, I will probably just switch to using httpd for verification.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Fire up watch on ss -lnp to see the ports that are being used on the host.
2. Use certbot with --standalone to get a cert. You can use the --dry-run flag if you please.
You'll see certbot bind to the ipv4 address, but not the ipv6 address.
It should bind to both v4 and v6.
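Added example, not part of the bug report and not certbot's own code: a small Python script that reproduces the reported behaviour (an AF_INET listener that only answers on IPv4) next to the dual-stack listener the reporter expects (an AF_INET6 socket with IPV6_V6ONLY cleared, which accepts both IPv4 and IPv6 connections), and probes each over 127.0.0.1 and ::1 from the client side, which is the same information the reporter read off `ss -lnp`. Function names and the use of ephemeral ports are my choices; the script assumes a host with IPv4 loopback and detects whether ::1 is usable rather than assuming it.

```python
import socket


def ipv6_loopback_available():
    """Return True if this host can bind an IPv6 socket to ::1.

    Hosts with IPv6 disabled would make the dual-stack demonstration
    fail for reasons unrelated to how the listener was opened.
    """
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind(("::1", 0))
        return True
    except OSError:
        return False


def make_listener(dual_stack):
    """Open a listening TCP socket on an ephemeral port and return it.

    dual_stack=False mimics the reported behaviour: an AF_INET socket bound
    to 0.0.0.0, reachable over IPv4 only.
    dual_stack=True is the expected behaviour: an AF_INET6 socket bound to ::
    with IPV6_V6ONLY cleared, so one socket answers IPv6 connections and IPv4
    connections (seen as v4-mapped addresses).
    """
    if dual_stack:
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        bind_addr = ("::", 0)
    else:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        bind_addr = ("0.0.0.0", 0)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(bind_addr)
    s.listen(5)
    return s


def reachable_over(listener, family, host):
    """Try a TCP connect to the listener's port via the given loopback host.

    The kernel completes the handshake from the listen backlog, so no accept()
    loop is needed to learn whether the port answers on that address family.
    """
    port = listener.getsockname()[1]
    try:
        with socket.socket(family, socket.SOCK_STREAM) as c:
            c.settimeout(2)
            c.connect((host, port))
        return True
    except OSError:
        # Connection refused (nothing bound for that family) or AF_INET6
        # unsupported on this host: either way the validator could not reach us.
        return False


def check_listener(listener):
    """Probe a listener over both loopback families; the CA's validator
    would see the same split when it prefers IPv6 for the challenge."""
    return {
        "ipv4": reachable_over(listener, socket.AF_INET, "127.0.0.1"),
        "ipv6": reachable_over(listener, socket.AF_INET6, "::1"),
    }


def demo():
    """Compare an IPv4-only listener with a dual-stack one.

    Returns {"v4_only": {...}, "dual_stack": {...}}; "dual_stack" is None when
    the host has no usable IPv6 loopback, so the comparison cannot be made.
    """
    results = {}
    v4only = make_listener(dual_stack=False)
    try:
        results["v4_only"] = check_listener(v4only)
    finally:
        v4only.close()
    if ipv6_loopback_available():
        dual = make_listener(dual_stack=True)
        try:
            results["dual_stack"] = check_listener(dual)
        finally:
            dual.close()
    else:
        results["dual_stack"] = None
    return results


if __name__ == "__main__":
    # Expected on a dual-stack host:
    # {'v4_only': {'ipv4': True, 'ipv6': False}, 'dual_stack': {'ipv4': True, 'ipv6': True}}
    print(demo())
```

The v4-only result is exactly the failure mode in this bug: the port is open, `ss -lnp` shows a listener, and yet a validator that chose the host's AAAA record gets connection refused. Binding a single AF_INET6 socket with IPV6_V6ONLY cleared is the simplest way to serve both families from one listener; binding two separate sockets (one per family) is the other common approach and is what to prefer on platforms where the v6-only option cannot be cleared.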