IPv6 and IPv4 Addresses, and LetsEncrypt Client Connection Issues
When adding IPv4 connectivity to a previously IPv6-only server, I noticed that the LetsEncrypt client fails to connect to the ACME servers. This in turn resulted in an error:
`An unexpected error occurred:
requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))`
The reason for this, was that although my Firewall rules allowed in port 80 and 443 for IPv6, they did not do the same for IPv4. Since the server in question only offers services on IPv6, no ports should need to be open for IPv4. The only reason IPv4 connectivity had been added at all, was due to a niche use case which required it.
So what's going on?
Well, by default in Debian anyway, there is a system-wide configuration that affects a server's networking stack and preference for address families. It checks this file to see whether, if both are available, IPv4 or IPv6 connectivity is favoured.
The LetsEncrypt client is a Python tool, and relies on the underlying OS stack to deal with networking on its behalf. Therefore it wasn't making any mistakes, as such. It was asking the OS to make an outbound connection to the LetsEncrypt ACME servers, and the OS passed back an IPv4 session. Since the firewall rules didn't exist for ACME inbound connections....... it failed.... etc...etc.....
To fix this, just tell the server to favour IPv6 over IPv4. Go to /etc/gai.conf and uncomment the line #precedence ::ffff:0:0/96 10
This sets IPv6 as favoured, and the OS hands back an IPv6 connection for the LetsEncrypt tool. Fixed.