Description
I did the usual things I'd do to issue a certificate:
sudo -i
wget -O - https://get.acme.sh | sh -s email=d01vm01@atownsend.org.uk
exit
sudo -i
/etc/init.d/apache2 stop
script
acme.sh --standalone --issue -d d01vm01.atownsend.org.uk -w /home/www/html --server letsencrypt
This happened:
root@d01vm01:~# acme.sh --standalone --issue -d d01vm01.atownsend.org.uk -w /home/www/html --server letsencrypt
[Fri 27 Feb 17:23:47 GMT 2026] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri 27 Feb 17:23:47 GMT 2026] Standalone mode.
[Fri 27 Feb 17:23:47 GMT 2026] Account key creation OK.
[Fri 27 Feb 17:23:47 GMT 2026] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Fri 27 Feb 17:23:48 GMT 2026] Registered
[Fri 27 Feb 17:23:48 GMT 2026] ACCOUNT_THUMBPRINT='RD6QsKtgi7X_8paHxIoO98IgZNze8wNOhXY65d9v6GM'
[Fri 27 Feb 17:23:48 GMT 2026] Creating domain key
[Fri 27 Feb 17:23:48 GMT 2026] The domain key is here: /root/.acme.sh/d01vm01.atownsend.org.uk_ecc/d01vm01.atownsend.org.uk.key
[Fri 27 Feb 17:23:48 GMT 2026] Single domain='d01vm01.atownsend.org.uk'
[Fri 27 Feb 17:23:49 GMT 2026] Getting webroot for domain='d01vm01.atownsend.org.uk'
[Fri 27 Feb 17:23:49 GMT 2026] Verifying: d01vm01.atownsend.org.uk
[Fri 27 Feb 17:23:49 GMT 2026] Standalone mode server
[Fri 27 Feb 17:23:51 GMT 2026] Pending. The CA is processing your order, please wait. (1/30)
[Fri 27 Feb 17:23:55 GMT 2026] d01vm01.atownsend.org.uk: Invalid status. Verification error details: 2a01:4f8:201:57::3: Fetching http://d01vm01.atownsend.org.uk/.well-known/acme-challenge/wEkV1y2H1BUWXNbsfqC4gs3XWnCmSQMZE3yqqKev25k: Connection refused
[Fri 27 Feb 17:23:55 GMT 2026] Please add '--debug' or '--log' to see more information.
[Fri 27 Feb 17:23:55 GMT 2026] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
I then tried
acme.sh --standalone --issue -d d01vm01.atownsend.org.uk -w /home/www/html --server letsencrypt --debug
That's a bit more verbose and can be seen at https://map.atownsend.org.uk/tmp/d01vm01_acme_typescript.txt .
The common factor is that when a server for which a certificate is being sought is only accessible via IPv6, http://d01vm01.atownsend.org.uk/.well-known/acme-challenge/(whatever) fails. There's just one AAAA record for the DNS entry and I see nothing at https://letsencrypt.org/docs/ipv6-support/ or https://community.letsencrypt.org/search?q=ipv6%20order%3Alatest that suggests that it shouldn't work.
I don't believe that it is a routing problem at my end - I've restarted apache and both http://d01vm01.atownsend.org.uk and https://d01vm01.atownsend.org.uk are routed to the correct server (though the latter is obviously with a self-signed certificate currently).
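A check that fits the "Connection refused" on the AAAA address reported above, as an added example that is not part of the original issue or of acme.sh: it classifies the listeners on a port by address family from `ss -ltn` output, so you can see whether a validation request arriving over IPv6 has anything to connect to while the standalone server is up. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# classify_listeners PORT
# Reads `ss -ltn` output on stdin and prints which address families have a
# non-loopback listener on PORT: none, ipv4-only, ipv6-only or both.
# Hypothetical helper written for this example.
classify_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                          # Local Address:Port column
            n = match(addr, /:[0-9]+$/)        # port follows the last colon
            if (!n || substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            # Loopback listeners are not reachable from the validation server.
            if (host ~ /^127\./ || host ~ /^\[::1\]/) next
            if (host == "*")        { v4 = 1; v6 = 1 }  # dual-stack wildcard socket
            else if (host ~ /^\[/)  { v6 = 1 }          # [::] or a literal IPv6 address
            else                    { v4 = 1 }          # 0.0.0.0 or a literal IPv4 address
        }
        END {
            if (v4 && v6) print "both"
            else if (v6)  print "ipv6-only"
            else if (v4)  print "ipv4-only"
            else          print "none"
        }'
}

# Constructed sample: port 80 bound on IPv4 only, sshd bound on IPv6.
SAMPLE_V4_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# On this sample an IPv6 request to port 80 would be refused.
printf '%s\n' "$SAMPLE_V4_ONLY" | classify_listeners 80

# Live use, from a second terminal while the challenge is pending:
#   ss -ltn | classify_listeners 80
```

A result of `ipv4-only` or `none` on a host that has only an AAAA record means the challenge request has no listener to reach. acme.sh lists `--listen-v4` and `--listen-v6` options for forcing the address family of its standalone server.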