I use the LetsEncrypt CA for SSL certificates and a cron job to renew them. Recently one of our domains moved to a dual IPv4/IPv6 stack, and now certificate renewal for that domain fails:
Attempting to renew cert (nodrama.io) from /etc/letsencrypt/renewal/nodrama.io.conf produced an unexpected error: Failed authorization procedure.
www.nodrama.io (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization ::
Incorrect validation certificate for tls-sni-01 challenge.
Requested 1d2e60bbb911a0fa373af1c71068a98f.df68ccc953b03b03cbca639fa7b20469.acme.invalid from [2600:1f16:14a:7b00:e9ba:752c:feb8:49d5]:443.
Received 1 certificate(s), first certificate had names "5de1f81c71783962782726ac76156d00.51706d503a8be636f033680ff5a1664e.acme.invalid, dummy". Skipping.

If I remove 443 on IPv6 from the nginx server config, the challenge passes and the cert is renewed. Bring it back, and the content is available over https on IPv6:
Connected to nodrama.io (2600:1f16:14a:7b00:e9ba:752c:feb8:49d5) port 443 (#0)
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK

Posted on 2018-07-13 15:15:55
Changed the challenge from tls-sni to:

--preferred-challenges http

The certificate was renewed.
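The underlying lesson of this thread is that once a domain has an AAAA record, the CA may validate over IPv6, so every listener the validator can reach must behave identically on both address families. The nginx configuration below is an added example, not the asker's config or certbot's own output: it serves the http-01 challenge from a webroot on port 80 for both IPv4 and IPv6 and keeps the 443 listeners identical. The webroot path /var/www/letsencrypt and the /etc/letsencrypt/live/nodrama.io/ certificate paths are assumptions.

```nginx
# Port 80 on BOTH address families. If only "listen 80;" were present,
# an IPv6-preferring validator would get a refused connection or a
# different default server, and the http-01 challenge would fail just
# like the tls-sni-01 challenge in the question.
server {
    listen 80;
    listen [::]:80;
    server_name nodrama.io www.nodrama.io;

    # Assumed webroot; must match what certbot is given via
    # "certbot renew --preferred-challenges http --webroot -w /var/www/letsencrypt"
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443 on BOTH address families, with one shared certificate, so a
# client (or validator) reaching the IPv6 address sees the same chain as
# one reaching the IPv4 address.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name nodrama.io www.nodrama.io;

    # Assumed certbot "live" paths for this domain.
    ssl_certificate     /etc/letsencrypt/live/nodrama.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nodrama.io/privkey.pem;

    location / {
        root /var/www/nodrama.io;   # assumed site root
    }
}
```

After reloading nginx, fetching https://nodrama.io/ with curl -4 and curl -6 and comparing the reported certificate is a quick way to confirm both families serve the same chain before the next cron renewal runs.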
https://devops.stackexchange.com/questions/4502