Problems with AutoSSL IPv6 connection

Operating System & Version
CloudLinux v8.5.0 kvm
cPanel & WHM Version
v100.0.5

Peter Horvath

Member
Apr 17, 2018
7
0
1
Hungary
cPanel Access Level
Reseller Owner
Hi,
For a while now I have been seeing the following warning messages in some cPanel AutoSSL renewal sections:

"DNS DCV: No local authority: “mail.vadasmihaly.com”; HTTP DCV: The system failed to fetch the DCV (Domain Control Validation) file at “http://mail.vadasmihaly.com/.well-known/pki-validation/8BFC2DD608476263107009D907CC663E.txt” because of an error (cached): Could not connect to '2606:4700:3033:0000:0000:0000:ac43:9fae:80': Address family for hostname not supported."

or

"DNS DCV: No local authority: “mail.yangfamilytaichi.hu”; HTTP DCV: The system failed to fetch the DCV (Domain Control Validation) file at “http://mail.yangfamilytaichi.hu/.well-known/pki-validation/25D021EF180AE7FF4CA4387AD9A232EB.txt” because of an error (cached): Could not connect to '2606:4700:3030:0000:0000:0000:6815:0ba0:80': Address family for hostname not supported."

I have absolutely no idea what this means. There is no such IPv6 address on our VPS, so I don't recognize the source of these issues at all.

The domain is on CloudFlare with the free settings; however, there were no problems until the last few weeks.

Do you have any suggestions on how to solve this issue?
Thank you!

Best regards,
Peter
 

andrew.n

Well-Known Member
Jun 9, 2020
951
352
63
EU
cPanel Access Level
Root Administrator
I'm happy to see a fellow Hungarian here :) I'm pretty sure you have IPv6 enabled on the server. Can you run the following commands there?

ip a
cat /etc/resolv.conf
cat /etc/sysconfig/network

and paste the output here.
 

Peter Horvath

Hi andrew.n, thank you for your recognition being a Hungarian. :)
Here are the outputs:
[[email protected] ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:43:ad:27 brd ff:ff:ff:ff:ff:ff
inet 161.97.184.109/22 brd 161.97.187.255 scope global eth0
valid_lft forever preferred_lft forever
inet 109.205.177.1/22 brd 109.205.179.255 scope global eth0:cp1
valid_lft forever preferred_lft forever
[[email protected] ~]# cat /etc/resolv.conf
search invalid
nameserver 213.136.95.10
nameserver 213.136.95.11
[[email protected] ~]# cat /etc/sysconfig/network
HOSTNAME=szangye.hostingnetwork2.eu
DOMAINNAME=hostingnetwork2.eu

Additionally, sure, I have an IPv6 address pool for this VPS, however I never activated it.

In the meantime, however, it turned out that the root of the problem was in CloudFlare. I tried quite a few things, but the solution for the time being was to temporarily disable CloudFlare on the affected domains, so all AutoSSL updates ran.
In the WHM I switched the SSL installations from Sectigo to Let's Encrypt, as I read in several articles that CF redirects are handled by this, not by Sectigo, but this did not yield any results. This is where I am now.
 

Peter Horvath

Hello! I wrote an article regarding IPv6 issues and how to troubleshoot them. Can you let me know if this helps?

How to Diagnose IPv6 issues
Hi cPanelAnthony,

Thank you for your reply, I tried the commands from your article, and got these:

[[email protected] ~]# cat /proc/net/if_inet6
[[email protected] ~]# ping6 google.com
connect: Cannot assign requested address

So I think I should activate the IPv6 pool on my VPS, shouldn't I?

The results now:

[[email protected] ~]# enable_ipv6
[[email protected] ~]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[[email protected] ~]# ping6 google.com
connect: Network is unreachable

I am using ConfigServer Firewall, so that could be the problem here, I think. However, on another VPS where I am using CSF as well, the ping6 google.com command was totally okay:
[[email protected] ~]# ping6 google.com
PING google.com(fra24s04-in-x0e.1e100.net (2a00:1450:4001:827::200e)) 56 data bytes
64 bytes from fra24s04-in-x0e.1e100.net (2a00:1450:4001:827::200e): icmp_seq=1 ttl=122 time=6.50 ms
64 bytes from fra24s04-in-x0e.1e100.net (2a00:1450:4001:827::200e): icmp_seq=2 ttl=122 time=6.39 ms
--- google.com ping statistics ---
84 packets transmitted, 84 received, 0% packet loss, time 83100ms
rtt min/avg/max/mdev = 6.268/6.517/13.684/0.880 ms

Well, I activated IPv6 properly on the szangye VPS, so now it is okay:

--- google.com ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6016ms
rtt min/avg/max/mdev = 6.262/7.527/11.559/1.909 ms
 
Last edited:
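
The checks run in the post above, combined into one script as an added example that is not part of the original thread: it pulls the IPv6 target out of an AutoSSL "Could not connect to" message and classifies the host's own IPv6 state from a table in `/proc/net/if_inet6` format. The function names (`dcv_target_ipv6`, `ipv6_state`, `dcv_diagnose`) are hypothetical and the interface table in the demo is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): relate an AutoSSL HTTP DCV IPv6 error
# to the host's own IPv6 state. The interface table below is constructed.

# Pull the IPv6 literal out of "Could not connect to '<addr>:<port>'".
# The message appends ":<port>" to the bare address, so drop the last group.
dcv_target_ipv6() {
    local target
    target=$(printf '%s\n' "$1" |
        sed -n "s/.*Could not connect to '\([0-9A-Fa-f:]*\)'.*/\1/p")
    target="${target%:*}"
    case "$target" in
        *:*:*) printf '%s\n' "$target" ;;
        *)     return 1 ;;   # hostname or IPv4 target, nothing to check
    esac
}

# Classify a table in /proc/net/if_inet6 format:
#   <32-hex address> <ifindex> <prefixlen> <scope> <flags> <ifname>
# Scope 00 is global, 20 is link-local, 10 is host (loopback).
ipv6_state() {
    local table="${1:-/proc/net/if_inet6}"
    # procfs files report size 0, so test for content instead of using -s.
    grep -q . "$table" 2>/dev/null || { echo disabled; return; }
    if awk '$4 == "00" { g = 1 } END { exit !g }' "$table"; then
        echo global
    else
        echo no-global-address
    fi
}

# Print "<target> <state>", or "not-ipv6" when the message names no IPv6 literal.
dcv_diagnose() {
    local addr
    addr=$(dcv_target_ipv6 "$1") || { echo not-ipv6; return; }
    echo "$addr $(ipv6_state "$2")"
}

# Demo: error text in the form quoted in the thread, checked against a
# constructed table that holds only loopback and link-local entries.
demo_table=$(mktemp)
printf '%s\n' \
    '00000000000000000000000000000001 01 80 10 80 lo' \
    'fe800000000000000000000000000001 02 40 20 80 eth0' > "$demo_table"
dcv_diagnose "Could not connect to '2606:4700:3033:0000:0000:0000:ac43:9fae:80': Address family for hostname not supported." "$demo_table"
rm -f "$demo_table"
```

On a live server, call `dcv_diagnose "<message>"` with no second argument to read `/proc/net/if_inet6` directly; a `global` result means the host has a global address, so routing and the firewall are the next things to check.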

andrew.n

Hey Peter, looks like you got it figured out, but if you are still having issues, feel free to drop me an email or open a ticket and I will be happy to have a closer look for you.
 

WorkinOnIt

Well-Known Member
Aug 3, 2016
300
52
78
UK
cPanel Access Level
Root Administrator
@WorkinOnIt - did the article that Anthony posted not help with the situation?
Are you referring to this one:
Hello! I wrote an article regarding IPv6 issues and how to troubleshoot them. Can you let me know if this helps?
How to Diagnose IPv6 issues
That does not help us, as we have IPv6 disabled on our server. It was disabled for a specific purpose (SSL Stapling Issues) and the disabling of IPv6 was actually recommended by the cPanel tech support.

I am not sure if I should re-enable IPv6 again, as it may introduce the old bug again... so I was hopeful that there was a way to avoid the IPv6 usage in the AutoSSL checks.


Here is the log of the issue I get. How can I resolve this for the sub-domain? The primary naked domain auto-renews with no issues.

DNS DCV: No local authority: “www.domain.com”; HTTP DCV: The system failed to fetch the DCV (Domain Control Validation) file at “Website Domain Names, Online Stores & Hosting - Domain.com because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “Website Domain Names, Online Stores & Hosting - Domain.com because of an error: Could not connect to 'www.domain.com:80': Address family for hostname not supported. The domain “www.domain.com” resolved to an IP address “2606:4700:3035:0000:0000:0000:ac43:97a3” that does not exist on this server.


EDIT: Curiously, I find that if I delete the SSL Hosts certificate for the domain - then try again with Let's Encrypt - it actually renews the subdomain now..... but how frustrating to need to do that each time!
 

WorkinOnIt

@cPRex this is what I see

[[email protected] rb#3 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 45.##.##.# 0.0.0.0 UG 0 0 0 eth0
45.##.##.# 0.0.0.0 255.##.##.# U 0 0 0 eth0
149.##.###.# 0.0.0.0 255.##.##.# U 0 0 0 eth0
169.###.#.# 0.0.0.0 255.##.##.# U 0 0 0 eth0
169.###.#.# 0.0.0.0 255.##.##.# U 1002 0 0 eth0