[ENHANCEMENTS] Force certificate requests and replies over IPv4. Letsencrypt errors. Dual stack IPv6.
Hello, the problem is that I cannot use zoraxy in my dual-stack environment. I cannot obtain certificates from Letsencrypt. I want my servers to continue working and obtaining their individual certificates directly over IPv6, and in parallel, I want zoraxy to serve and obtain the certificates for these sites over IPv4. But when zoraxy tries to obtain a certificate from Letsencrypt, it cannot; it gets an error from Letsencrypt: Error: one or more domains had a problem: [subdomain.domain.tld] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 2axx:xxxx:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy: Invalid response from http://subdomain.domain.tld/.well-known/acme-challenge/RTH9ejfhw2pFAR0ZrvJNS-xxxxxxxxxxxxxxxx: 404
I do NOT want to disable IPv6, nor disable AAAA records nor NAT6; I want IPv6 to continue as before: direct access. I would like zoraxy to obtain certificates in such a manner that Letsencrypt verifies its challenge over IPv4 only, not over IPv6. So, please, add a switch/checkbox to each (sub)domain, so zoraxy obtains the certificates for it only over IPv4.
Alternatives considered: I cannot imagine one right now.
Additional context: My home ISP provides a dual-stack connection: classic static IPv4 (with NAT and port forwarding) + static IPv6 prefix with SLAAC. So, all equipment is directly accessible over IPv6, and I forward IPv4 ports where needed, to the servers in the NATted private address space. Zoraxy is installed on a separate standalone VM.
I have no idea on this; isn't the ACME request only sent with the domain and not any IP info? If I am understanding it correctly, which IP is resolved by the CA is up to the CA implementation, not Zoraxy's.
@yeungalan do you have any idea on this?
As I understood from different internet forums, Letsencrypt resolves the domain name into all possible IP addresses, both IPv4 and IPv6. Then, if IPv6 is available, it uses it. This is my case. Letsencrypt goes back not to zoraxy over IPv4, but directly to my backend server over IPv6. So, somebody has found a parameter to add to the initial request in order to force Letsencrypt to use only the IPv4 address. If you can add a switch/checkbox to include this parameter, this would be great.
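The mechanism described in the post above (the CA resolves both A and AAAA records and contacts the IPv6 address first) can be checked before a certificate request is issued. The following pre-flight script is an added example, not code from the zoraxy project or from anyone in this thread. It compares every address a hostname resolves to against the addresses the reverse proxy actually listens on, and reports which ones would receive the HTTP-01 challenge request without the proxy being behind them. The sample records, the proxy addresses and the function names are constructed for the example; the live-lookup helper uses the system resolver. A 404 on the challenge path over IPv6 is a final answer for the validator (it only retries over IPv4 when the IPv6 connection itself fails), which is why an AAAA record pointing at a backend other than the proxy produces exactly the error quoted at the top of the thread.

```python
"""Pre-flight check for ACME HTTP-01 validation on a dual-stack hostname."""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    address: str        # normalised textual form of the resolved address
    family: str         # "IPv4" or "IPv6"
    served_by_proxy: bool


def _norm(text):
    # ipaddress normalises case and zero compression, so "2001:DB8::1" == "2001:db8::1"
    return ipaddress.ip_address(text.strip())


def classify(a_records, aaaa_records, proxy_addresses):
    """Map every address a CA could resolve for the hostname to whether the
    reverse proxy that answers /.well-known/acme-challenge/ sits behind it."""
    proxy = {_norm(p) for p in proxy_addresses}
    exposures = []
    for record in list(a_records) + list(aaaa_records):
        ip = _norm(record)
        family = "IPv6" if ip.version == 6 else "IPv4"
        exposures.append(Exposure(str(ip), family, ip in proxy))
    return exposures


def http01_at_risk(exposures):
    """Return the addresses that will receive the challenge request but are not
    the proxy. When any AAAA record exists the validator tries IPv6 first, and
    an HTTP-level error such as 404 there is final (fallback to IPv4 happens only
    on connection failures), so the IPv6 set alone decides the outcome whenever
    it is non-empty."""
    v6 = [e for e in exposures if e.family == "IPv6"]
    candidates = v6 if v6 else [e for e in exposures if e.family == "IPv4"]
    return [e.address for e in candidates if not e.served_by_proxy]


def resolve_live(hostname):
    """Live lookup through the system resolver; returns (a_records, aaaa_records)."""
    a, aaaa = set(), set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, 80, type=socket.SOCK_STREAM):
        (a if family == socket.AF_INET else aaaa).add(sockaddr[0])
    return sorted(a), sorted(aaaa)


# Constructed sample mirroring the thread: the public IPv4 is port-forwarded to
# the proxy VM, while the AAAA record points straight at the backend server.
SAMPLE_A = ["203.0.113.10"]
SAMPLE_AAAA = ["2001:db8:0:1::beef"]
SAMPLE_PROXY = ["203.0.113.10", "2001:DB8:0:1::cafe"]   # the proxy VM's own addresses

if __name__ == "__main__":
    exposures = classify(SAMPLE_A, SAMPLE_AAAA, SAMPLE_PROXY)
    for e in exposures:
        print(f"{e.family:4} {e.address:40} {'proxy' if e.served_by_proxy else 'NOT proxy'}")
    print("HTTP-01 validation at risk via:", http01_at_risk(exposures) or "none")
```

Run it against a real name by replacing the sample lists with the tuple returned by resolve_live(hostname) and the proxy VM's addresses from ip a. If the function reports an IPv6 address, the options are the ones the thread already mentions: point the AAAA record at the proxy as well, publish only an A record for that name, or use a challenge type that does not depend on which address the CA connects to.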
@expressrussian So what parameter is that?
https://community.letsencrypt.org/t/force-certbot-standalone-to-ipv4-rather-than-ipv6/173189/2 "you can probably use the --http-01-address option to force Certbot to a specific IPv4 IP address."
For now, I chose another certificate provider from your list of 3 providers (zerossl). It works OK over IPv4 only. Thanks for the choice.
I really would need this option. Even if I disable IPv6 in my Zoraxy Proxmox container and it even has no IPv6 address in "ip a", Zoraxy tries to get a letsencrypt certificate via IPv6 and fails, and I cannot get it running in my environment.
I have the same problem, unfortunately, is there already a solution?
I was able to resolve the issue.
As a private individual, I don’t have a static IP address. Therefore, I’m using DNS services from Strato. Initially, the DNS request was transmitting both IPv4 and IPv6 addresses.
I’ve now modified the DNS configuration to send only the IPv4 address.
Here is the command for the Fritzbox DNS
https://<username>:<passwd>@dyndns.strato.com/nic/update?hostname=<domain>&myip=<ipaddr>
This might be helpful for others encountering the same problem.
It took me a few hours to track this down—apologies for the delay in sharing.