No matter what I do, I always come across this dreaded error while trying to renew a Let’s Encrypt certificate for an Apache website: Apache website : An IPv6 DNS record mydomain.com with address ::1 exists, but this virtual server does not have IPv6 enabled
I have checked to ensure that IPv6 is disabled on the interfaces. I went into Manage Virtual Server > Change IP Address and IPv6 isn’t set there. I went into Addresses and Networking > Change IP Addresses and checked there. Nothing. Then went to Addresses and Networking > Shared IP Addresses and it shows “Default shared IPv6 address None configured on this system”
I have looked at the DNS zone file and there are no AAAA records. I looked at the httpd.conf file and there is nothing listening on an IPv6 address.
That means DNS isn’t hosted where you think it is, I guess? I mean, if you’re looking at zone files on the Virtualmin server but the glue records for your zone point somewhere else, then you’re not looking at the right place.
Checked that too and it resolves correctly from several different domains. Message me directly and I can give you the domain and any other details you want.
Ok, so if I check the radio dial to Skip tests, it generates the cert and applies it. The failure is coming in how Virtualmin checks Apache (per the error message). It’s critical I find out what causes this and how to fix it because when Let’s Encrypt tries to auto-renew, it will fail.
It’s not how it’s checking Apache, it’s how it’s checking DNS. I’m guessing it’s getting an IPv6 result for the name from somewhere. Try host domain.tld on the system itself. Does an IPv6 record come back, maybe from the local resolver, maybe it’s the hostname of the system itself? That’s the general gist of the problem, though I can’t say specifically where it’s coming from.
My assertion of Virtualmin checking Apache is based on the error message Apache website : An IPv6 DNS...
I did a host domain.tld on the server and came back as expected.
Nope. It shows only the IPv4 as expected.
Thought of that. I edited the /etc/hosts file and commented out ::1 just to test and see. No change.
As stated in the DM, the error message had a full IPv6 address until I disabled IPv6 on the NICs and ensured it was disabled in Virtualmin. That’s why the error message now shows ::1
Which makes me think Virtualmin thinks it’s managing DNS (maybe via a cloud provider) and that there is an IPv6 record for one of the names you’re requesting a cert for.
Try simplifying and only requesting for one name (i.e. none of the automatic subdomain names, like mail, admin, whatever, or any other aliases).
Validating configuration for domain.org ..
.. errors were found, which will prevent Let's Encrypt from issuing a certificate :
Apache website : An IPv6 DNS record domain.org with address ::1 exists, but this virtual server does not have IPv6 enabled
I deleted the DNS zone but will have to create it again soon because the domain is being transferred to me.
For now the only thing that shows is this:
Beginning validation of selected virtual servers. Any problems found will be shown in red ..
domain.org
— Apache website : An IPv6 DNS record domain.org with address ::1 exists, but this virtual server does not have IPv6 enabled
.. done
@Jamie, I wonder in which particular case to_ip6address could return true, producing a false-positive result?
@Steffan What do you have set in /etc/nsswitch.conf file? Furthermore, what is the output of ping6 www.domain.com and ping6 domain.com if run on the machine, on which you’re requesting Let’s Encrypt certificate?
# In order of likelihood of use to accelerate lookup.
passwd: sss files systemd
shadow: files
group: sss files systemd
hosts: files dns myhostname
services: files sss
netgroup: sss
automount: files sss
aliases: files
ethers: files
gshadow: files
# Allow initgroups to default to the setting for group.
# initgroups: files
networks: files dns
protocols: files
publickey: files
rpc: files
Here are the ping results:
$ ping domain.org
PING domain.org (199.249.188.226): 56 data bytes
64 bytes from 199.249.188.226: icmp_seq=0 ttl=56 time=22.013 ms
64 bytes from 199.249.188.226: icmp_seq=1 ttl=56 time=25.743 ms
64 bytes from 199.249.188.226: icmp_seq=2 ttl=56 time=64.814 ms
64 bytes from 199.249.188.226: icmp_seq=3 ttl=56 time=20.949 ms
^C
--- domain.org ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 20.949/33.380/64.814/18.236 ms
$ ping6 domain.org
ping6: getaddrinfo -- nodename nor servname provided, or not known
Failed to save DNS configuration : nmcli conn modify 52571b47\-6218\-4e89\-a2e9\-44d0a170564e ipv4.dns 199\.249\.188\.251\;199\.249\.188\.252\;199\.249\.188\.253\;199\.249\.188\.254 failed : Error: Failed to modify connection 'eth0': ipv4.dns: 1. DNS server address is invalid
The config file was built with nmcli so I doubt it’s wrong.
I manually edited the /etc/nsswitch.conf file and retested. No change.
Beginning validation of selected virtual servers. Any problems found will be shown in red ..
domain.org
— Apache website : An IPv6 DNS record domain.org with address ::1 exists, but this virtual server does not have IPv6 enabled
.. done
I think your BIND service is listening on [::1]:53, correct? You can check it by running:
ss -tnlp | grep 53
It does by default. Limiting it to listen only on IPv4 should fix the issue for you, but we still need to tackle this problem on our end, I think. Anyway, please give it a try and let us know what you find.
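An added example, not code from the thread or from Virtualmin/Webmin: a small POSIX shell script that performs the checks asked for in the nsswitch.conf/ping6 post above and in the ss -tnlp | grep 53 suggestion. It separates the three places a ::1 answer for a site name can come from on the Virtualmin host itself: /etc/hosts (the "files" NSS source), libc getaddrinfo() as a whole (which, with "hosts: files dns myhostname", also consults nss-myhostname, a module that answers ::1 for the machine's own hostname when no other IPv6 address is configured), and a direct DNS query such as host or dig, which bypasses both of the former. Run without arguments it works offline against constructed sample data (the hosts file contents, the ss listing, the address 192.0.2.10 and the name domain.org are made up for the example); run as "sh check_v6.sh --live domain.org" on the server it inspects the real system with getent, dig and ss, all of which are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread, not Virtualmin code): where does a
# stray ::1 / AAAA answer for a site name come from on this host?
#
#   1. /etc/hosts                  -> NSS source "files"
#   2. getaddrinfo(AF_INET6)       -> NSS "files dns myhostname" (what programs see)
#   3. a direct DNS query          -> what `host` / `dig` show (skips 1 and the
#                                     myhostname module entirely)
#   4. IPv6 listeners on port 53   -> BIND bound to [::1]:53

# find_v6_in_hosts NAME  < hosts-file
# Prints every IPv6 address that an /etc/hosts-style file maps to NAME
# (exact hostname match, comments stripped). Prints nothing if there is none.
find_v6_in_hosts() {
    sed 's/#.*//' | awk -v name="$1" '
        $1 ~ /:/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; break } }'
}

# v6_listeners PORT  < "ss -tnlp" output
# Prints the local address of every IPv6 TCP listener on PORT. Current ss
# prints IPv6 sockets as [addr]:port ([::1]:53, [::]:53); old versions print :::53.
v6_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" && ($4 ~ ("^\\[.*\\]:" port "$") || $4 == (":::" port)) { print $4 }'
}

# diagnose_live NAME: run the same questions against the real machine.
diagnose_live() {
    name=$1
    echo "== IPv6 entries for $name in /etc/hosts (NSS 'files')"
    find_v6_in_hosts "$name" < /etc/hosts
    echo "== getaddrinfo(AF_INET6) through NSS; this is what an application sees."
    echo "   (nss-myhostname returns ::1 for the system's own hostname when no"
    echo "    other IPv6 address is configured, even with no AAAA record anywhere)"
    getent ahostsv6 "$name" || echo "(none)"
    echo "== AAAA straight from DNS, bypassing /etc/hosts and nss-myhostname"
    dig +short AAAA "$name" || echo "(dig not available)"
    echo "== IPv6 listeners on port 53 (BIND on [::1]:53 shows up here)"
    ss -tnlp | v6_listeners 53
}

# Constructed sample input (made up for this example, not the poster's machine):
# an /etc/hosts that also maps the site name to ::1, and an ss listing in
# which named is bound to [::1]:53 as well as to its IPv4 addresses.
SAMPLE_HOSTS='127.0.0.1   localhost
::1         localhost ip6-localhost
::1         domain.org   # a stray entry like this is enough to trip the check
192.0.2.10  domain.org www.domain.org'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      10     127.0.0.1:53        0.0.0.0:*         users:(("named",pid=812,fd=21))
LISTEN 0      10     192.0.2.10:53       0.0.0.0:*         users:(("named",pid=812,fd=23))
LISTEN 0      10     [::1]:53            [::]:*            users:(("named",pid=812,fd=25))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("httpd",pid=901,fd=4))'

demo() {
    echo "IPv6 entries for domain.org in the sample hosts file:"
    printf '%s\n' "$SAMPLE_HOSTS" | find_v6_in_hosts domain.org
    echo "IPv6 port-53 listeners in the sample ss output:"
    printf '%s\n' "$SAMPLE_SS" | v6_listeners 53
}

case "${1:-}" in
    --live) diagnose_live "$2" ;;
    *)      demo ;;
esac
```

The point of the split is that a clean answer from host or ping does not rule out the "files" and "myhostname" NSS sources, because those tools (host, dig) go straight to DNS; getent ahostsv6 is the libc view that a Perl or C program doing getaddrinfo() gets. All four checks have to be run on the Virtualmin host itself, not on a workstation, and the DNS question has to be answered by the server that is actually authoritative for the zone.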
I thought we fixed it already in Webmin 2.105. If you’re running Webmin 2.105 and still having this issue, open a new ticket in the GitHub Webmin repo and provide the error message above with additional details, i.e.:
nmcli conn show 52571b47-6218-4e89-a2e9-44d0a170564e | grep -i dns
It doesn’t matter, tests should be conducted against the internet-facing DNS server that is responsible for and acts as the authoritative server for your domain. Run tests on the right server!