Need help with the common problem with Let’s Encrypt and IPv6

SYSTEM INFORMATION
OS type and version CentOS 7.9.2009
Webmin version 2.001
Virtualmin version 7.2 Pro

Hi, I’m trying to configure Let’s Encrypt for a virtual domain, the same way I did for some other domains, but for this one I’m getting an error saying there is an IPv6 record existing in Apache for this domain, etc…

I searched the forums and I saw other users having the same problems. The only solution I saw was about the option to change IP and set the IPv6 to none, but it’s already at none…

I tried to find anything related to IPv6 in Apache or in anything related to IPs and so on, and I found nothing.

My certificate expires in 6 days and I’m tired of updating the certificate manually, so please can you help me with that?

Thanks

Please always post the exact error you get. We’d need to be able to search the code for what circumstances cause the error to happen.

Here it is:

Validating configuration for gestionminute.com
… errors were found, which will prevent Let’s Encrypt from issuing a certificate :

  • Apache website : An IPv6 DNS record gestionminute.com with address fe80::ec4:7aff:fe18:cbe exists, but this virtual server does not have IPv6 enabled

You have/had at least two configuration problems.

First, I think you have the DNS feature enabled in Virtualmin, but you don’t appear to be hosting that zone locally in BIND. (Your DNS servers when I do a whois are GoDaddy servers). If you are not using Virtualmin to manage your DNS, you should disable the DNS feature in Features and Plugins (you’ll have to disable it in every domain you’ve created first, as you can’t disable a Feature if any domains are using it).

Second, Virtualmin, at some point, believed you wanted to use IPv6, so it created AAAA records and presumably Apache config for IPv6. I guess you removed the Apache config, but didn’t remove the local DNS records…this one probably gets solved automatically by fixing the previous one.

Unhappily, there is no DNS option activated in Features and Plugins.

So, should I activate those functions to disable by domains and disable after that?

We never hosted our DNS, so I don’t think those options have already been activated.

Oh, wait. I didn’t check every possibility. I thought you didn’t have an IPv6 record at GoDaddy, but you do.

host -t AAAA www.gestionminute.com
www.gestionminute.com is an alias for gestionminute.com.

You should delete that record (and any other AAAA records), if you aren’t going to offer this host on an IPv6 address.

So, you still have a misconfiguration, it’s just in a different place than I thought.

I don’t understand why you get that. I don’t have any AAAA on GoDaddy.

I just checked now and no AAAA.

dig -t AAAA www.gestionminute.com

; <<>> DiG 9.18.14 <<>> -t AAAA www.gestionminute.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46438
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.gestionminute.com.		IN	AAAA

;; ANSWER SECTION:
www.gestionminute.com.	3600	IN	CNAME	gestionminute.com.

;; AUTHORITY SECTION:
gestionminute.com.	30	IN	SOA	pdns03.domaincontrol.com. dns.jomax.net. 2023011613 28800 7200 604800 600

;; Query time: 253 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon May 01 16:47:35 CDT 2023
;; MSG SIZE  rcvd: 134

I believe you, but I don’t understand why this comes out, since there are no AAAA records set up there.

There are a few A records but no AAAA.

I don’t know. Seems like a question for your DNS provider, if you can’t find how to disable it.

You can also choose to skip the tests that Virtualmin does, but I think you’ll probably end up failing to validate anyway…Let’s Encrypt is going to try to resolve AAAA records, too. I don’t know what it would do in this circumstance, as it doesn’t really make sense. It might resolve automatically to the right thing though. I may give up on AAAA since there is no AAAA for the bare domain (without www).

Thanks, I’ll try to reach the GoDaddy help and see if they can do something.

Check here (found this in the forum):
In Virtualmin → Manage Virtual Server → Change IP address, set IPv6 address to none and then apply again for an SSL certificate. Should work this time.

If you read my first post carefully, I already tried that.

Reread post, can’t see you saying that.

Oops, I see now.

No worries. I appreciate that you tried to help.

Seems that I use premium DNS from GoDaddy and the main DNS has this config there that I cannot see.

I tried to update and set auto renew with Let’s Encrypt, skipping the verification, and it worked, but I don’t know if it will work for renewal.

The problem OP has (at least the one that caused the specific error we’ve seen) is not that. OP has an AAAA record for one of the names they’re trying to request a certificate for (www). Virtualmin sees that, and knows that Apache is not configured to respond to IPv6 requests, and helpfully is telling OP about that misconfiguration.

There are several ways to deal with it.

One (the right way) is to get rid of the AAAA record, if the site won’t be available on an IPv6 address.

Another is to tell Virtualmin to skip the tests that it is doing. That will get past the Virtualmin error, but may fail when Let’s Encrypt tries to validate (or may not, depends on how they resolve the name and whether they’re strict about an AAAA record eventually resolving to an IPv4 address…which, I’m pretty sure, is invalid, but maybe it’s OK for Let’s Encrypt).

Another is to stop trying to get a cert for www, since that may be the only one that has this problem, though I didn’t . If you request certs for names that do not have AAAA records, it should validate fine (assuming everything else is OK).

They all come down to getting DNS right for the names you’re requesting a cert for, one way or another. I run out of ways to say, “fix your DNS”, but that’s pretty often the answer.
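
Added example (not written by any poster in this thread and not Virtualmin code): a pre-flight check in the spirit of the advice above, run over dig +noall +answer output for every name on the certificate request. It follows CNAMEs the way www aliases the bare domain here and flags AAAA records, with link-local fe80::/10 addresses like the one in the error message reported separately; the sample records, names and status labels are constructed.

```python
import ipaddress

# Constructed `dig +noall +answer` lines (documentation names/addresses, not from the thread).
SAMPLE = """\
www.example.test.   3600 IN CNAME example.test.
example.test.       600  IN AAAA  fe80::1
example.test.       600  IN A     192.0.2.10
v6.example.test.    600  IN AAAA  2001:db8::10
bare.example.test.  600  IN A     192.0.2.10
"""

def parse_answers(text):
    """Map owner name -> [(type, rdata)] from dig answer-section lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, dig comment lines (";...") and anything not "name ttl IN type rdata".
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue
        owner = fields[0].lower().rstrip(".")
        records.setdefault(owner, []).append((fields[3].upper(), fields[4]))
    return records

def aaaa_for(name, records, max_hops=8):
    """Follow CNAMEs from `name`; return the AAAA addresses of the final target."""
    current = name.lower().rstrip(".")
    for _ in range(max_hops):
        rrset = records.get(current, [])
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            return [ipaddress.IPv6Address(r) for t, r in rrset if t == "AAAA"]
        current = cnames[0].lower().rstrip(".")
    raise ValueError(f"CNAME chain too long for {name}")

def preflight(names, records, vhost_ipv6=False):
    """Classify each requested certificate name before asking for the cert."""
    result = {}
    for name in names:
        addrs = aaaa_for(name, records)
        if not addrs:
            result[name] = "ok"                  # no AAAA at the end of the chain
        elif any(a.is_link_local for a in addrs):
            result[name] = "aaaa-link-local"     # fe80::/10 is not reachable from outside
        elif not vhost_ipv6:
            result[name] = "aaaa-but-ipv4-only"  # AAAA exists, web server has no IPv6
        else:
            result[name] = "ok"
    return result

if __name__ == "__main__":
    names = ["www.example.test", "example.test", "v6.example.test", "bare.example.test"]
    for name, status in preflight(names, parse_answers(SAMPLE)).items():
        print(f"{name:20} {status}")
```

Run it against answers from both the local resolver and the zone's authoritative servers; a difference between the two shows which side is supplying the AAAA record.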
