Errata - November 2017 IPv6 Issues

Summary

Due to IPv6-related defects in cPanel that appeared in version 68, users of the FleetSSL cPanel plugin may find that their servers/domains with AAAA records fail to issue or renew certificates.

Details

Two defects affecting IPv6 in cPanel currently exist:

  • EA-6256: IPv6 server main address is not being included in the main shared virtual host in httpd.conf
  • CPANEL-16878: get_local.cgi (which relates to routing DCV requests for proxy subdomains) does not handle IPv6 properly

Unfortunately, these defects affect FleetSSL cPanel in particular because Let’s Encrypt connects to the IPv6 address rather than the IPv4 address if an AAAA record exists for the domain in question.

Any new issuances/renewals for either the server hostname or proxy subdomains that have AAAA records will fail.

cPanel has indicated to us that these bugs are scheduled to be fixed in cPanel 70, which will be mid-Q1 2018. Because of this delay, we have decided to implement a permanent IPv6to4 workaround in the plugin itself, which has been included in version 0.12.0. However, this workaround is opt-in, and you will need to refer to the instructions below.

Diagnosis

This issue will only occur for domains with AAAA (IPv6) DNS records.

You may receive a certificate renewal failure notice that looks like:

Error 400: Bad Request

No cPanel user controls a local domain called “XXXXX”.

or similar HTTP 400/HTTP 500 errors.
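
To find out in advance which names are exposed, the added example below (not part of the plugin or of cPanel) lists the server hostname and proxy subdomains that resolve to IPv6 addresses through the system resolver. The proxy subdomain labels in PROXY_LABELS and the function names are assumptions for illustration; adjust the labels to those enabled on your server.

```python
import socket

# Assumption: typical cPanel proxy subdomain labels; edit to match your server.
PROXY_LABELS = ("cpanel", "webmail", "whm", "webdisk")


def aaaa_addresses(host, resolver=socket.getaddrinfo):
    """Return the sorted, de-duplicated IPv6 addresses for host, or []."""
    try:
        # AF_INET6 without AI_ADDRCONFIG asks for AAAA data even when this
        # machine has no IPv6 connectivity of its own.
        infos = resolver(host, 80, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def candidate_names(server_hostname, domains, labels=PROXY_LABELS):
    """The names this erratum covers: server hostname and proxy subdomains."""
    names = [server_hostname]
    for domain in domains:
        names.extend(f"{label}.{domain}" for label in labels)
    return names


def affected_names(server_hostname, domains, resolver=socket.getaddrinfo):
    """Map every candidate name that has AAAA records to its IPv6 addresses."""
    report = {}
    for name in candidate_names(server_hostname, domains):
        addrs = aaaa_addresses(name, resolver)
        if addrs:
            report[name] = addrs
    return report


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        sys.exit("usage: check_aaaa.py SERVER_HOSTNAME [DOMAIN ...]")
    for name, addrs in affected_names(sys.argv[1], sys.argv[2:]).items():
        print(f"{name}: AAAA {', '.join(addrs)}")
```

Any name it prints will be validated by Let’s Encrypt over IPv6 and is therefore subject to the failure described above until the workaround is in place.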

Workaround

To use this workaround, you must be running EasyApache 4 with the Apache 2.4 series and plugin version 0.12.0.

  1. Open WHM -> Apache Configuration -> Include Editor -> Pre Main Include -> All Versions.

  2. To the bottom of the text, append the following:

     RewriteEngine On
     RewriteOptions InheritBefore
     RewriteCond %{IPV6} on
     RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/(.*)$
     RewriteRule "^/\.well-known/acme-challenge/(.*)$" "http://127.0.0.1:5959/6to4proxy?domain=%{HTTP_HOST}&challenge-path=$1" [P]

  3. Save the include and ensure that Apache is restarted.