ISRG celebrates 10 years of helping build a brighter Internet →

IPv6 Support

Se på Dansk

Voir en Français

לעבור לעברית

Megtekintés magyar nyelven

Visualizza in italiano

日本語で表示する

Просмотреть на русском

Переглянути українською

使用简体中文阅读本网页。

Last updated: | See all Documentation

Let’s Encrypt supports IPv6 both for accessing the ACME API using an ACME client, and for the DNS lookups and HTTP requests we make when validating your control of domain names.

Domain Validation

When making outbound domain validation requests for a domain that has both IPv4 and IPv6 addresses (e.g. both A and AAAA records) Let’s Encrypt will always prefer the IPv6 addresses for the initial connection. If the IPv6 connection fails at the network level (e.g. there is a timeout) and there are IPv4 addresses available then we will retry the request with one of the IPv4 addresses.

Incorrect IPv6 Addresses

Often domain owners will not be aware of an AAAA record for their domain. If the IPv6 address in the AAAA record is incorrect it will affect the domain validation process.

Commonly the IPv6 address will be a different server than the IPv4 address where the ACME client is being run. Since the ACME client only configures the IPv4 server to respond to the challenge domain validation will fail when the IPv6 server is used.

In most cases the correct fix is to update the IPv6 address to point to the server the ACME client is running on, or to remove the AAAA record if the domain is not intended to work with IPv6. There is not a way to request Let’s Encrypt prefer IPv4, you must fix the misconfiguration.

IPv6 to IPv4 Retry Details

The IPv6 to IPv4 retry only occurs on connection timeouts, not on other types of error.

For example in the “Common Pitfalls” scenario above a retry will not occur if there is a webserver listening on the IPv6 address, but that webserver is not ready to answer the ACME challenge. In this case there would be no connection timeout accessing the IPv6 address and the challenge will fail without a retry because the incorrect response was returned.

To keep our CA software simple we only perform an IPv6 to IPv4 retry on the first request when validating “http-01” challenges. If you use redirects, the redirects will not get retry treatment.

For example if a domain name has an AAAA record that always times out and an A record with a webserver that redirects from HTTP to HTTPS then the IPv6 to IPv4 fallback will not operate correctly. The first request to the domain will properly fallback to IPv4, receiving a redirect from HTTP to HTTPS. The subsequent request will again prefer the IPv6 address but will timeout without falling back to IPv4. You can resolve this situation either by fixing the IPv6 misconfiguration or removing the HTTP to HTTPS redirect for requests to the ACME HTTP-01 challenge path.

Getting Help

If you need help diagnosing an IPv6 related problem please visit our community forum.