boulder icon indicating copy to clipboard operation
boulder copied to clipboard
verified publisher icon letsencrypt

va: Handle IPv4 fallback for HTTP(S) redirects

Open jprenken opened this issue 1 year ago • 0 comments

When performing an HTTP-01 validation, the VA will try to fall back from IPv6 to IPv4 if the connection fails; and it will follow HTTP(S) redirects. However, the current structure of processHTTPValidation cannot handle a case where both are needed.

Reproducer: Publish IPv6 & IPv4 addresses in DNS for a test host. Misconfigure networking on the test host so that IPv6 connections will fail. Configure a self-signed certificate for HTTPS. Configure the Web server to redirect all HTTP traffic (including ACME challenges) to HTTPS. Attempt HTTP-01 validation (e.g. certbot certonly --webroot). It will fail: Boulder will retry to IPv4, and follow the redirect - but when trying to validate the redirect target, it will only try IPv6 and not attempt to retry to IPv4.

jprenken avatar Feb 28 '25 05:02 jprenken