Let's Encrypt - Apache website : An IPv6 DNS record mydomain.org with address ::1 exists, but this virtual server does not have IPv6 enabled

OS type and version: Oracle Linux 9
Webmin version: Latest
Virtualmin version: Latest
Related packages: SUGGESTED

No matter what I do, I always come across this dreaded error while trying to renew Let’s Encrypt:
Apache website : An IPv6 DNS record mydomain.com with address ::1 exists, but this virtual server does not have IPv6 enabled

I have checked to ensure that IPv6 is disabled on the interfaces. I went into Manage Virtual Server > Change IP Address and IPv6 isn’t set there. I went into Addresses and Networking > Change IP Addresses and checked there. Nothing. Then I went to Addresses and Networking > Shared IP Addresses and it shows “Default shared IPv6 address: None configured on this system”.

I have looked at the DNS zone file and there are no AAAA records. I looked at the httpd.conf file and there is nothing listening on an IPv6 address.

What else can I check?

That means DNS isn’t hosted where you think it is, I guess? I mean, if you’re looking at zone files on the Virtualmin server but the glue records for your zone point somewhere else, then you’re not looking at the right place.

Check, with host domain.tld on some other system.

Checked that too and it resolves correctly from several different domains. Message me directly and I can give you the domain and any other details you want.

You can PM it to me (click my username and then “Message”).

Ok, so if I check the radio button to Skip tests, it generates the cert and applies it. The failure is coming in how Virtualmin checks Apache (per the error message). It’s critical I find out what causes this and how to fix it, because when Let’s Encrypt tries to auto-renew, it will fail.

It’s not how it’s checking Apache, it’s how it’s checking DNS. I’m guessing it’s getting an IPv6 result for the name from somewhere. Try host domain.tld on the system itself. Does an IPv6 record come back, maybe from the local resolver, maybe it’s the hostname of the system itself? That’s the general gist of the problem, though I can’t say specifically where it’s coming from.

My assertion of Virtualmin checking Apache is based on the error message:
Apache website : An IPv6 DNS...
I did a host domain.tld on the server and came back as expected.

Nope. It shows only the IPv4 as expected.

Thought of that. I edited the /etc/hosts file and commented out ::1 just to test and see. No change.

As stated in the DM, the error message had a full IPv6 address until I disabled IPv6 on the NICs and ensured it was disabled in Virtualmin. That’s why the error message now shows ::1

What else do you want to check?

Keep reading. Definitely DNS. It’s in the web validation, but it’s about a DNS lookup.

I don’t know where it could be coming from, if not from a name lookup.

I see this in the code: virtualmin-gpl/feature-web.pl at bf45573c437481b80654997355c575118b0b4927 · virtualmin/virtualmin-gpl · GitHub

Which makes me think Virtualmin thinks it’s managing DNS (maybe via a cloud provider) and that there is an IPv6 record for one of the names you’re requesting a cert for.

Try simplifying and only requesting for one name (i.e. none of the automatic subdomain names, like mail, admin, whatever, or any other aliases).

Tried solely the domain.tld

Validating configuration for domain.org ..
.. errors were found, which will prevent Let's Encrypt from issuing a certificate :
Apache website : An IPv6 DNS record domain.org with address ::1 exists, but this virtual server does not have IPv6 enabled

What’s next?

I don’t know. That’s telling me that Virtualmin has IPv6 records for this name. But, you said you disabled DNS for this domain, I think?

Do you have a “DNS Settings->DNS Records” page for this domain?

What happens if you use Validate Virtual Servers for this domain?

I deleted the DNS zone but will have to create it again soon because the domain is being transferred to me.

For now the only thing that shows is this:

Beginning validation of selected virtual servers. Any problems found will be shown in red ..
  — Apache website : An IPv6 DNS record domain.org with address ::1 exists, but this virtual server does not have IPv6 enabled
.. done

I’ll DM you the domain and credentials

@Jamie, you’ve handled the IPv6 connectivity false-positive check issue for the upcoming Virtualmin release, haven’t you?

This patch seems to only skip checks when DNS is cloud-hosted. Does it truly get to the bottom of the issue?

@Jamie, I wonder in which particular case to_ip6address could return true, producing a false-positive result?

@Steffan What do you have set in /etc/nsswitch.conf file? Furthermore, what is the output of ping6 www.domain.com and ping6 domain.com if run on the machine, on which you’re requesting Let’s Encrypt certificate?

# In order of likelihood of use to accelerate lookup.
passwd:     sss files systemd
shadow:     files
group:      sss files systemd
hosts:      files dns myhostname
services:   files sss
netgroup:   sss
automount:  files sss

aliases:    files
ethers:     files
gshadow:    files
# Allow initgroups to default to the setting for group.
# initgroups: files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files

Here are the ping results:

$ ping domain.org
PING domain.org ( 56 data bytes
64 bytes from icmp_seq=0 ttl=56 time=22.013 ms
64 bytes from icmp_seq=1 ttl=56 time=25.743 ms
64 bytes from icmp_seq=2 ttl=56 time=64.814 ms
64 bytes from icmp_seq=3 ttl=56 time=20.949 ms
--- domain.org ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 20.949/33.380/64.814/18.236 ms

$ ping6 domain.org
ping6: getaddrinfo -- nodename nor servname provided, or not known

We also need ping6 domain.org and ping6 www.domain.org outputs (before making the change below).

Do you get the same issue if you change it to:

hosts: dns files myhostname

You’d better do it using the Networking ⇾ Network Configuration: Hostname and DNS Client page.

This brings up another bug I hadn’t reported yet.

Failed to save DNS configuration : nmcli conn modify 52571b47\-6218\-4e89\-a2e9\-44d0a170564e ipv4.dns 199\.249\.188\.251\;199\.249\.188\.252\;199\.249\.188\.253\;199\.249\.188\.254 failed : Error: Failed to modify connection 'eth0': ipv4.dns: 1. DNS server address is invalid

The config file was built with nmcli so I doubt it’s wrong.

I manually edited the /etc/nsswitch.conf file and retested. No change.

Beginning validation of selected virtual servers. Any problems found will be shown in red ..
  — Apache website : An IPv6 DNS record domain.org with address ::1 exists, but this virtual server does not have IPv6 enabled
.. done

I think your BIND service is listening on [::1]:53, correct? You can check it by running:

ss -tnlp | grep 53

It does by default. Limiting it to listen only on IPv4 should fix the issue for you, but we still need to tackle this problem on our end, I think. Anyway, please give it a try and let us know what you’ll find.

It shouldn’t be. Since I use Cloudmin Services, I disabled named.

ss -tnlp | grep 53 => Nothing

Additionally, I checked for glue records and found no IPv6 glue records in the chain.

I thought we fixed it already in Webmin 2.105. If you’re running Webmin 2.105 and still having this issue open a new ticket in GitHub Webmin repo and provide the error message above with additional details, i.e.:

nmcli conn show 52571b47-6218-4e89-a2e9-44d0a170564e | grep -i dns

It doesn’t matter, tests should be conducted against the internet-facing DNS server that is responsible for and acts as the authoritative server for your domain. Run tests on the right server!
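The thread above runs together three different places an IPv6 answer for the name can come from: the host’s own resolver chain (the nsswitch.conf discussion and the `host`/`ping6` requests), a nameserver bound to [::1]:53 (the `ss -tnlp` check), and the zone’s authoritative server (the last reply). Two details matter for reproducing the problem. `host` and `dig` talk to a DNS server directly and never consult /etc/hosts or the `myhostname` NSS module, whereas any check built on getaddrinfo() walks the `hosts:` line of nsswitch.conf; whether Virtualmin’s check does the latter is an assumption here, not something the thread establishes. Also, the `ping6` error text shown earlier (`nodename nor servname provided, or not known`) is the macOS/BSD getaddrinfo message, so that run came from a client machine rather than from the Linux host that requests the certificate. The following script, which is an added example and not code from the thread or from Virtualmin, keeps the three sources apart; the domain, the sample outputs and the function names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread and not Virtualmin's own code. It separates the
# three sources an IPv6 answer for a name can come from on the Virtualmin host:
#   1. the NSS resolver chain (/etc/nsswitch.conf: files, dns, myhostname), which a
#      getaddrinfo()-based check sees and which `host`/`dig` bypass;
#   2. a nameserver bound to [::1]:53 on the host itself;
#   3. the zone's authoritative nameserver on the public internet.
# The domain, the sample command outputs and the function names are constructed.

# IPv6 addresses in `getent ahostsv6 NAME` output. getent prints "ADDRESS TYPE NAME"
# rows; for a v4-only name glibc still prints v4-mapped rows (::ffff:a.b.c.d), which
# are not IPv6 records and are dropped here.
v6_addrs_from_getent() {
  printf '%s\n' "$1" | awk '$1 ~ /:/ && $1 !~ /^::ffff:/ { print $1 }' | sort -u
}

# IPv6 sockets on port 53 in `ss -tnlp` / `ss -unlp` output. Column 4 is the local
# address; ss brackets IPv6 addresses, so "[::1]:53" and "[::]:53" both match,
# while "127.0.0.1:53" does not.
v6_port53_listeners() {
  printf '%s\n' "$1" | awk '($1 == "LISTEN" || $1 == "UNCONN") && index($4, "[") == 1 && $4 ~ /:53$/ { print $4 }' | sort -u
}

# Turn the three observations into a one-line verdict. Any argument may be empty.
#   $1 IPv6 addresses from the NSS chain
#   $2 AAAA data from the authoritative server
#   $3 local IPv6 port-53 listeners
diagnose() {
  if [ -n "$2" ]; then
    echo "authoritative: AAAA record exists ($2); the check is right"
  elif [ -n "$1" ]; then
    echo "local only: $1 comes from /etc/hosts, nss-myhostname or a local nameserver${3:+ (listening on $3)}, not from the zone"
  else
    echo "clean: no IPv6 address for this name from any source"
  fi
}

# Live run on the Virtualmin host:  check_name domain.org [authoritative-ns]
# Assumes getent, ss and dig are installed. With a second argument dig queries that
# nameserver directly, so /etc/hosts and the local resolver cannot shape the answer.
check_name() {
  name=$1
  ns=${2:-}
  nss=$(v6_addrs_from_getent "$(getent ahostsv6 "$name" 2>/dev/null)" | tr '\n' ' ')
  auth=$(dig +short AAAA "$name" ${ns:+"@$ns"} 2>/dev/null | tr '\n' ' ')
  lsn=$(v6_port53_listeners "$(ss -tnlp 2>/dev/null; ss -unlp 2>/dev/null)" | tr '\n' ' ')
  printf 'nss=%s\nauthoritative=%s\nlisteners=%s\n' "$nss" "$auth" "$lsn"
  diagnose "$nss" "$auth" "$lsn"
}

if [ "$#" -gt 0 ]; then
  check_name "$@"
fi
```

Run it as `sh check_v6.sh domain.org ns1.example.net` on the host that requests the certificate, with the nameserver that is authoritative for the zone as the second argument. If the `nss=` line shows `::1` while the `authoritative=` line is empty, the answer is coming from the host itself (the `hosts:` line in nsswitch.conf, `localhost`-style entries in /etc/hosts, or the `myhostname` module when the name matches the machine’s own hostname), which is the situation the thread spends most of its time narrowing down.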