
Letsencrypt ipv6 gotcha

As per its website,

Let’s Encrypt is a free, automated, and open Certificate Authority.

A certificate authority (CA) verifies that you control the domain name and that it resolves to the server (IP address) you say it does. Once verified, it grants you a certificate with which you can start encrypting communication between your website and its visitors.

I have used certificates from Let's Encrypt for many websites, including this one. So I wasn't expecting to waste a day yesterday and half a day today requesting and installing a certificate for my India-focused blog, TT2C.

Yet it happened.

The following command just would not work and kept telling me my IP address (A/AAAA record) was incorrect.

sudo certbot -v --webroot -w /var/www/sites/tt2c/system/nginx-root/ certonly

The second, very confusing symptom was that curl requests to http://tt2c.in/.well-known/acme-challenge/abcdgegevoeETC were working just fine.

Turns out the issue was that my name server was serving up an incorrectly configured IPv6 (AAAA) address, different from the IPv6 address of the server on which tt2c was actually running. Let's Encrypt connected to the published IPv6 address, so its validation connections timed out and failed, while my curl requests, which went over IPv4, never hit the bad record.

Once I deleted the IPv6 address from my name server and waited out the requisite DNS propagation delay, Let's Encrypt was able to verify my ownership of the tt2c URL and grant me a certificate.
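A pre-flight check for exactly this gotcha, added here as an example and not code from the post or from certbot: it lists the A and AAAA records the resolver publishes, flags any that your server does not actually hold, and fetches the challenge path over each published address individually, so a stale AAAA shows up as a timeout instead of being masked by a curl that happens to pick IPv4. The domain, token and server addresses are placeholders.

```python
import socket

# Placeholders (assumptions, not values from the post): substitute your own domain,
# the token certbot placed under the webroot, and the addresses your server holds.
HOST = "example.com"
CHALLENGE_PATH = "/.well-known/acme-challenge/TOKEN_PLACEHOLDER"

def published_addresses(host):
    """Addresses the resolver currently returns for host, split into A and AAAA."""
    v4, v6 = set(), set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        (v4 if family == socket.AF_INET else v6).add(sockaddr[0])
    return v4, v6

def stale_records(published_v4, published_v6, server_v4, server_v6):
    """Published addresses that the server itself does not hold, as (rrtype, addr).
    A stale AAAA is the failure in the post: the CA connects to the published IPv6
    address, nothing answers there, and the challenge times out even though the
    token is reachable over IPv4."""
    findings = [("AAAA", a) for a in sorted(set(published_v6) - set(server_v6))]
    findings += [("A", a) for a in sorted(set(published_v4) - set(server_v4))]
    return findings

def fetch_status(addr, host, path, timeout=10):
    """GET path over one specific address, so the address family is forced rather
    than left to the client's own preference. Returns the HTTP status or None."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, 80))
            s.sendall(request)
            status_line = s.recv(64).split(b"\r\n", 1)[0]
        return int(status_line.split()[1])
    except (OSError, ValueError, IndexError):
        return None

def check(host, path, server_v4, server_v6):
    """Full pre-flight: report stale records, then probe every published address."""
    v4, v6 = published_addresses(host)
    report = {"stale": stale_records(v4, v6, server_v4, server_v6), "probes": {}}
    for addr in sorted(v4 | v6):
        report["probes"][addr] = fetch_status(addr, host, path)
    return report

if __name__ == "__main__":
    # Server addresses would normally be read from `ip -o addr` on the host itself.
    print(check(HOST, CHALLENGE_PATH, server_v4={"192.0.2.10"}, server_v6={"2001:db8::10"}))
```

Any entry under "stale", or a probe that returns None for a published address, means certbot will report the same A/AAAA mismatch; fix the DNS record and wait for the old one to expire before re-running it.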

A similar, not identical, issue is discussed on the Let's Encrypt community website.
