Internal - HTTP/HTTPS DCV over IPv4 vs IPv6

October 31, 2019 in SSL Technical FAQs

To diagnose the following error:

*** PROBLEM: Timed out! *** from the client server

Go to the ‘Change DCV method’ page in the certificate details; it shows you the hashes and the unique value.

E.g. for order 282389992

The CSR's hashes are:

MD5 = 2A21EA6833E90E973B8C3132C387B7F7
SHA256 = 256DE3E30562F6A3C49DCAD18D7DCB080D73B8DD0F63A0E6FB6DC9A956B57513
uniqueValue = t0749619001572245494

So the things to try are:
wget -6 wssp.hainan.gov.cn/.well-known/pki-validation/2A21EA6833E90E973B8C3132C387B7F7.txt
and
wget -4 wssp.hainan.gov.cn/.well-known/pki-validation/2A21EA6833E90E973B8C3132C387B7F7.txt

If (especially from the IPv6 version) you get this error:
--2019-10-31 16:54:09-- http://wssp.hainan.gov.cn/.well-known/pki-validation/2A21EA6833E90E973B8C3132C387B7F7.txt
Resolving wssp.hainan.gov.cn (wssp.hainan.gov.cn)... failed: No address associated with hostname.
wget: unable to resolve host address ‘wssp.hainan.gov.cn’
That is OK, because it means there is no IPv6 address (AAAA record) in DNS for this domain.

The issue arises when the two wget results differ.

If only the response retrieved over IPv4 holds the expected SHA256 hash, and the IPv6 response returns something else (for example a 404 error page), then this order has hit the issue we’re trying to fix. It is caused by a misconfiguration on the customer’s side: the server serves different content depending on the IP protocol version.
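
The comparison described above as a script. This is an added example, not part of the original FAQ or of any Sectigo tooling; the function names and verdict words are made up for illustration. It assumes wget is installed and matches on the "unable to resolve host address" message shown earlier.

```shell
#!/bin/sh
# Added example: compare the DCV file as served over IPv4 and IPv6.

# state_of OUTPUT SHA256 -> match | noaddr | other
state_of() {
    if printf '%s\n' "$1" | grep -qiF -- "$2"; then
        echo match      # response carries the expected SHA256 hash
    elif printf '%s\n' "$1" | grep -qF 'unable to resolve host address'; then
        echo noaddr     # no DNS record for this address family
    else
        echo other      # 404 page, timeout, different vhost content, ...
    fi
}

# classify V4_OUTPUT V6_OUTPUT SHA256 -> one verdict word
classify() {
    v4=$(state_of "$1" "$3")
    v6=$(state_of "$2" "$3")
    case "$v4/$v6" in
        match/match)               echo consistent ;;
        match/noaddr|noaddr/match) echo single-stack-ok ;;
        match/other)               echo ipv6-mismatch ;;  # the issue described above
        other/match)               echo ipv4-mismatch ;;
        *)                         echo file-not-served ;;
    esac
}

# check_dcv HOST MD5 SHA256: live check with the same wget -4 / -6 calls.
check_dcv() {
    url="http://$1/.well-known/pki-validation/$2.txt"
    # -nv keeps error messages, -T/-t stop a dead IPv6 path from hanging
    out4=$(wget -4 -nv -T 15 -t 1 -O - "$url" 2>&1) || true
    out6=$(wget -6 -nv -T 15 -t 1 -O - "$url" 2>&1) || true
    classify "$out4" "$out6" "$3"
}

# Only touches the network when HOST MD5 SHA256 are given as arguments.
if [ "$#" -eq 3 ]; then
    check_dcv "$1" "$2" "$3"
fi
```

A verdict of ipv6-mismatch is the case to raise with the customer; single-stack-ok corresponds to the harmless "unable to resolve host address" result.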


If you want to get more log information, go to Kibana and search the following:

+"!AutoApplyOrder Error" -"Error 0: Request completed successfully!"

That will exclude the successful calls. A few accounts are set to log all their calls, successful or not.

You get a few more if you include AutoApplySSL:

+("!AutoApplyOrder Error" OR "!AutoApplySSL Error") -"0: Request completed successfully!"


References:
JIRA: SASP-562
DCV Checker: https://secure.sectigo.com/products/!checkaltdcvpublic

More information about how the HTTP CSR validation works can be found here: https://secure.trust-provider.com/api/pdf/webhostreseller/sslcertificates/Domain%20Control%20Validation%20v1.09.pdf