I have multiple domains managed using Virtualmin. Some have been migrated to Full (strict) but some are still using Flexible SSL. I noticed that renewals of Let’s Encrypt certificates started failing in December 2021. I got the renewals working by temporarily disabling the Cloudflare proxy for the affected domains. When the problem reoccurred in March, I had a closer look at the error messages.
The Virtualmin acme-challenge code creates a file in /.well-known/acme-challenge/ and then calls https://acme-v02.api.letsencrypt.org/acme/chall-v3/ passing a token. The API resolves the domain name to two IPv4 addresses and two IPv6 addresses. Let’s Encrypt now prefers IPv6 to access the /.well-known/acme-challenge/ file. It looks like Let’s Encrypt gets back error 403 and an error message (all I see are the HTML headers). I do not have any AAAA records defined for my domains since they are hosted on AWS, which does not fully support IPv6.
The domains using Full (strict) renewed fine. I converted all the Flexible SSL domains to Full (strict) and am no longer seeing any Let’s Encrypt renewal issues.
I found several posts about Cloudflare wanting to use proxy servers on their IPv6 network and no longer allowing Cloudflare users to turn off IPv6 Compatibility. I did not enable Pseudo IPv4 since I was using the defaults on all domains. What is puzzling is that https://ready.chair6.net/ returned IPv4 and IPv6 for all my domains, yet Let’s Encrypt appeared to prefer IPv4 for the Full (strict) servers. Also, I assumed that the Cloudflare IPv6 proxies would do the necessary translation for IPv4 origin servers.
At the moment, everything is working, but I am concerned that there might be something else underlying the original problem that will cause issues in the future. Can anyone shed any light on what I am seeing?
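The failure described in this post only shows up when the CA happens to validate over one address family, so a useful preflight check is to resolve both A and AAAA records for the hostname and fetch the HTTP-01 challenge path over each address individually, with the Host header set, before the certificate is due for renewal. The following Python script is an added example written for this thread, not code from the original post, Virtualmin or Cloudflare. The function names (`resolve_all`, `fetch_challenge`, `probe`, `summarize`), the `ProbeResult` type and the sample addresses and token in the demo are all constructed for illustration; the demo uses a fake resolver and fetcher so it runs offline, while the real `resolve_all` and `fetch_challenge` are what you would pass in against a live domain.

```python
"""Preflight check for an HTTP-01 challenge path over every published address.

Hypothetical helper (not from the original post): resolves A and AAAA records,
requests /.well-known/acme-challenge/<token> over each address separately with
the Host header set, and reports results per address family, so a failure that
only happens over IPv6 (or only over IPv4) is visible before the CA sees it.
"""
import http.client
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


@dataclass
class ProbeResult:
    address: str
    family: str            # "IPv4" or "IPv6"
    status: Optional[int]  # None when the TCP connection itself failed
    ok: bool
    detail: str


def resolve_all(host: str, getaddrinfo=socket.getaddrinfo) -> List[Tuple[str, str]]:
    """Return deduplicated (family_name, ip) pairs for both A and AAAA records."""
    seen: List[Tuple[str, str]] = []
    for family, _, _, _, sockaddr in getaddrinfo(host, 80, type=socket.SOCK_STREAM):
        name = "IPv6" if family == socket.AF_INET6 else "IPv4"
        pair = (name, sockaddr[0])
        if pair not in seen:
            seen.append(pair)
    return seen


def fetch_challenge(host: str, ip: str, family: str, token: str, timeout: float = 10) -> Tuple[int, str]:
    """Connect to one specific address on port 80 and request the challenge file.

    Passing the IP literal as the connection host and the domain as the Host
    header pins the request to that address, which is the whole point: a DNS
    name would let the client choose the family for us.
    """
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def probe(host: str, token: str, expected_body: str,
          resolver: Callable = resolve_all, fetcher: Callable = fetch_challenge) -> List[ProbeResult]:
    """Fetch the challenge over every resolved address and classify each result."""
    results: List[ProbeResult] = []
    for family, ip in resolver(host):
        try:
            status, body = fetcher(host, ip, family, token)
        except OSError as exc:  # refused, timed out, unreachable network, etc.
            results.append(ProbeResult(ip, family, None, False, f"connect failed: {exc}"))
            continue
        if status != 200:
            results.append(ProbeResult(ip, family, status, False, f"HTTP {status}"))
        elif body.strip() != expected_body:
            results.append(ProbeResult(ip, family, status, False, "body mismatch"))
        else:
            results.append(ProbeResult(ip, family, status, True, "ok"))
    return results


def summarize(results: List[ProbeResult]) -> dict:
    """Collapse per-address results to one pass/fail flag per address family."""
    families: dict = {}
    for r in results:
        families.setdefault(r.family, []).append(r.ok)
    return {fam: all(oks) for fam, oks in families.items()}


if __name__ == "__main__":
    # Constructed offline demo: IPv4 serves the token, IPv6 answers 403,
    # mirroring the symptom described in the post. Addresses are documentation ranges.
    def demo_resolver(host):
        return [("IPv4", "192.0.2.10"), ("IPv6", "2001:db8::10")]

    def demo_fetcher(host, ip, family, token):
        return (403, "<html>Forbidden</html>") if family == "IPv6" else (200, token + ".keyauth")

    for r in probe("example.com", "tok123", "tok123.keyauth", demo_resolver, demo_fetcher):
        print(f"{r.family:4} {r.address:20} {r.status!s:5} {r.detail}")
    print(summarize(probe("example.com", "tok123", "tok123.keyauth", demo_resolver, demo_fetcher)))
```

Against a live domain you would call `probe(host, token, expected_body)` with the defaults, where `expected_body` is the key authorization string the ACME client wrote into the challenge file. A summary such as `{"IPv4": True, "IPv6": False}` is the fingerprint of the situation in this thread: the origin serves the file, but whatever answers on the AAAA address does not, and a validator that prefers IPv6 will fail even though the site appears to work.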