Boulder: Support IPv6 validation

Created on 7 Aug 2015  Â·  37Comments  Â·  Source: letsencrypt/boulder

When #505 lands we will only be doing validation on IPv4 addresses, we should eventually fix this and add a dualStack config option in order to retrieve and use both IPv4/6 addresses during validation.

Most helpful comment

Yep, IPv6 is now fully supported! Please file a new issue if you run into any trouble.

All 37 comments

@rolandshoemaker #505 is merged, so the blocked label could be removed.

You are correct! Should be noted that once we have a patch for this Let's Encrypt will still be blocked on lack of IPv6 support (currently) in our datacenters.

Oh are you serious? 2015 and still no IPv6 :-1:

It's not for lack of trying, @corny. Please consider kindness in the future!

Opps, I appologize for my unkindliness.

How can we help letsencrypt get IPv6 in data centers?

I'm afraid there's not much you can do - this is purely something we need to work out with our provider. But thank you for the offer of help!

Jacob Hoffman-Andrews [email protected] wrote:

I'm afraid there's not much you can do - this is purely something we
need to work out with our provider. But thank you for the offer of
help!

Well. You could set up a sixxs tunnel.
Or another managed tunnel provider.

It takes about ten minutes to do that, and then you'd be connected.

] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [

I get ipv6 via a he.net tunnel, I appreciate that you probably wouldn't want a single provider, does LE have an AS number? If not can you get PI ipv6 space from your current provider and an ASN?

Then you could get tunnels from multpile providers and run bgp over then and announce your PI space that way. Not so straight forward than a single tunnel, but still common and well understood way of doing networking.

And, one can also get multiple tunnels with a /64 each from sixxs (one per
virtual machine), and do it all through aiccu. (IPv6 over UDP). This would
require provisioning of each VM, but that is relatively easily automated if
you are automatically provisioning VMs.

If the VMs are on a VPC, then having a subnet can be done instead.

Of course, both sixxs and he will give you more address space, but for a
single VM, the /64 is just fine. sixxs does a better job at getting reverse
delegated.

Finally, a number of VM providers already provide native IPv6, including
Linode, DigitalOcean, rackspace, and the very small one I run at
batcave.credil.org.

] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [

Do you have an update with IPv6 validation?
As written above, you could provide the IPv6 through tunnels, while waiting that your provider(s) gives you a native IPv6.

We're still working on it, and making progress. No ETA yet I'm afraid, but we'll update when we're closer!

Since it's been a few months since the last comment, I'd like to nudge you again: What's the current status of the IPv6 support? :)

Thanks for the ping. It's still on our roadmap, but has gotten stalled behind other work (like the XP compat intermediates). Will check in with the team for more detail.

Thank you for the update. This is a major showstopper for me. I have a
server which is only available over IPv6 and would like to give LetsEncrypt
a spin.

Thank you :)

A
​

Just saw on https://letsencrypt.org/upcoming-features/ that an ETA was announced:

Full IPv6 Support

ETA: Before April 8, 2016

Parts of the Let’s Encrypt infrastructure can communicate via IPv6 but some parts, notably our validation infrastructure, cannot. We’ll be enabling full IPv6 support for all of our infrastructure.

FYI there's a good chance we'll slip that ETA. Sorry!

Don't worry - that's why there is an E in ETA :grinning:

Now it's _ETA: Before April 22, 2016_. Here's hoping 😀

A

Thanks for your work on this, @jsha! Is there an estimate on when this feature will be live for users to use?

In the next few weeks. We'll post on the forum when it's ready to test in staging.

Please can someone also announce on this issue when it's deployed? I imagine there are a lot of people watching this thread that would like to know.

Will do.

When this feature will be available, I will be one of happiest men in the world ! :-)
You are awesome guys !

I am switching domains over to LetsEncrypt and found some have records like ip4.domain.tld and ip6.domain.tld (likely for troubleshooting purposes). The ip4 record only has an A record, the ip6 record only has a AAAA record, to ensure clients to each only have one protocol option to chose from.

These multiple records can be added to the cert -d domain.tld -d www.domain.tld -d ip4.domain.tld but as it has no A record, ip6.domain.tld cannot be added to the certificate.

The only workaround I have found so far is to temporarily add an A record, or flip on cloudflare proxy service to connect the v4 LetsEncrypt host to auth the cert for issue/renewal, then remove the record once the process is complete.

I would really like to see this issue resolved, and hope others with this problem can use one of these workarounds to continue their deployment.

Hello,

wouldn't it make sense to update this page https://letsencrypt.org/upcoming-features/ to reflect on the fact that this feature is still not available?

@metaclassing Consider using DNS-01 challenge as alternative for now.

It would be awesome if someone could point us to/describe the process from here please. We don't need an ETA or anything, just knowing what steps are still to be taken makes it easier to follow progress instead of seeing no apparent progress.

Watching this ticket is the best approach to get updates. This is still important to us, but our Ops team has been very busy with core infrastructural and reliability improvements, so they haven't yet gotten to this.

Thanks very much for the reply @jsha! To confirm I understand correctly, it's not waiting on process, it's waiting for the responsible department (ops) to get to implementation. If I may be a pain please, would you guess weeks or months of backlog is ahead of implementing this ticket?

@garymoon said: > .... would you guess ....

If one looks at https://letsencrypt.org/upcoming-features/ there is a target date there for full IPv6 support. It is only a target, but there is a date there. With luck the target will be met, and if not, I expect the page will get updated with the new target in due course.

@garybuhrmaster Thanks so much! Last I looked at upcoming features the date for IPv6 Support had passed and I'd forgotten to check back. This is perfect, my mistake!

@stapelberg Awesome!!

Great to hear!

Yep, IPv6 is now fully supported! Please file a new issue if you run into any trouble.

Great, thank you for reposting here, much appreciated :+1:

Was this page helpful?
0 / 5 - 0 ratings