Mistakes made when trying to get LetsEncrypt Certs with IPv6-only domain.

This website now loads over IPv6, both from the root, https://samcater.com, and from https://v6.samcater.com. The second domain only has AAAA (IPv6) records and no A (IPv4) ones, which means free TLS tools like LetsEncrypt can only reach it at the v6 address.

Getting it to work took a while, not because it is complicated, but because, as ever, something appears as if it should work and then fails despite everything you try. My challenge was entirely self-created, due to my previous IPv4-only web server and router configurations. Eventually I convinced LetsEncrypt that my server was reachable and deserved a cert.

Problem 1: Turn on Port 80.

The ACME protocol can apparently require both port 80 and port 443 to be open. I didn't realise this and assumed port 443 was the only one used (it made sense to me at the time...), so I had blocked port 80. After some TShark diagnostics, I realised LetsEncrypt was trying to reach my server on port 80, not 443. Both are used.

As is always the case, I found the documentation for this only after the fix: https://letsencrypt.org/docs/allow-port-80/

I also had to add specific sections to my web server config to enable IPv6 and to listen on both ports 80 and 443. Often there are separate sections for http/80 and https/443; both need IPv6 enabled.

Problem 2: TLS Versions.

Thinking I was being clever, I had set my web server's TLS versions to serve only TLS 1.3. This was pointless, as there is nothing wrong with TLS 1.2, and it turns out that LetsEncrypt uses TLS 1.2 for the certificate provisioning. That too was found with TShark analysis, and changes were made.
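As an added example covering both problems above (this is not the post's own config; the post does not name the web server, so nginx syntax is assumed, and the webroot and certificate paths are assumptions following certbot's default layout), here are the two server blocks that listen on IPv6 for ports 80 and 443, serve the ACME challenge path over plain HTTP, and allow TLS 1.2 alongside 1.3:

```nginx
# Added example, not the post's own config. nginx is assumed; paths are assumptions.

# Problem 1: the ACME validator reaches the host on port 80. For a domain with only
# AAAA records that connection can only arrive over IPv6, so [::]:80 is required.
server {
    listen 80;               # IPv4 (harmless to keep; v6.samcater.com has no A record)
    listen [::]:80;          # IPv6: omitting this line was Problem 1
    server_name v6.samcater.com;

    # Serve challenge files directly (certbot --webroot assumed) before any redirect.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot path
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Problem 2: the validator's handshake was seen using TLS 1.2, so a TLS 1.3-only
# policy fails it. Allow 1.2 as well; it is still a secure protocol version.
server {
    listen 443 ssl;
    listen [::]:443 ssl;     # IPv6 on 443 too; separate https section needs it as well
    server_name v6.samcater.com;

    # Paths follow certbot's default layout (assumed).
    ssl_certificate     /etc/letsencrypt/live/v6.samcater.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/v6.samcater.com/privkey.pem;

    # ssl_protocols TLSv1.3;            # the "clever" setting that broke provisioning
    ssl_protocols TLSv1.2 TLSv1.3;      # corrected
    ssl_prefer_server_ciphers off;

    root /var/www/v6.samcater.com;      # assumed site root
}
```

The 443 block will not start until the certificate files exist, so the first issuance is done with only the port 80 block active (or the ssl lines commented out); the redirect on port 80 matters because the validator follows redirects, which is where the TLS version then comes into play.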

To at least check that the ports are open, use an online IPv6 port checker, e.g. https://subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php

Hopefully if you're reading this, https://v6.samcater.com still works.