1

Topic: Turn on with ipv6 in nginx

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 2020041601
- Deployed with iRedMail Easy or the downloadable installer? Easy
- Linux/BSD distribution name and version: Ubuntu 18.04 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? YES
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello,

We had ipv6 working with iRedmail and then subscribed to the Easy installer which seems to have turned off ipv6 with nginx and now our LetsEncrypt certificate will not update and is expiring in a few days.

Would appreciate if someone could share *simple* instructions to add the --with-ipv6 parameter for Ubuntu 18.04 to turn this back on again.

Thanks a lot,
Stephen


2

Re: Turn on with ipv6 in nginx

iRedMail Easy detects IPv6 while deploying; if IPv6 is available, it enables IPv6 support in Nginx/Postfix/Dovecot.
For Nginx, please check /etc/nginx/sites-enabled/00-default-ssl.conf: does it contain a line like the one below?

    listen [::]:443 ssl;

As a temporary fix, please enable it and restart the Nginx service, then renew the cert.

3

Re: Turn on with ipv6 in nginx

ZhangHuangbin wrote:

iRedMail Easy detects IPv6 while deploying; if IPv6 is available, it enables IPv6 support in Nginx/Postfix/Dovecot.
For Nginx, please check /etc/nginx/sites-enabled/00-default-ssl.conf: does it contain a line like the one below?

    listen [::]:443 ssl;

As a temporary fix, please enable it and restart the Nginx service, then renew the cert.


Hi Zhang,

Yes, that line is already active in 00-default-ssl.conf. It has both "listen 443 ssl;" and "listen [::]:443 ssl;". The problem I have is that when I type "nginx -V" it responds with what is below.
Prior to the upgrade it used to have --with-ipv6.

As you can see that has now gone, so I need to make that active again, but don't know how to add the --with-ipv6 back to the nginx configuration.

Thanks a lot,
Stephen



nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-GkiujU/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-echo --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-subs-filter

4

Re: Turn on with ipv6 in nginx

iRedMail (and iRedMail Easy) installs Nginx from Ubuntu apt repo directly, did you remove nginx and install it from another apt repo?

5

Re: Turn on with ipv6 in nginx

I did a quick test: "nginx -V" doesn't print "--with-ipv6", but it still supports IPv6.

When you run "netstat -ntlp", does it show you IPv6 port :::80 and :::443?

6

Re: Turn on with ipv6 in nginx

Thanks Zhang, no, I didn't reinstall nginx separately from the Easy install, and yes, netstat is reporting :::80 and :::443 and all the mail ports as well. So if it is supporting ipv6, do you know why the certificate renewal is failing?

Replaced our domain with 'domain':
Attempting to renew cert (mail.domain.co.nz) from /etc/letsencrypt/renewal/mail.domain.co.nz.conf produced an unexpected error: Failed authorization procedure. mail.domain.co.nz (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://mail.domain.co.nz/.well-known/a … BCJwzLTZUA [2403:7000:8000:300::eb]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.domain.co.nz/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

7

Re: Turn on with ipv6 in nginx

With iRedMail Easy, Nginx is configured to handle the /.well-known/ directory with directory /opt/www/well_known/. Is your certbot config file updated to use this directory?

Please show us full content of file /etc/letsencrypt/renewal/mail.domain.co.nz.conf.  Note: please hide sensitive info before pasting.

8

Re: Turn on with ipv6 in nginx

Hi Zhang,

Thanks a lot for your help and yes this worked.  In the mail.domain.co.nz.conf file it was showing as:

    mail.domain.co.nz = /var/www/html

When I changed it to:

    mail.domain.co.nz = /opt/www/well_known

it now has renewed successfully.  For anyone else copying this please note that there is no '/' after well_known.

Thanks,



ZhangHuangbin wrote:

With iRedMail Easy, Nginx is configured to handle the /.well-known/ directory with directory /opt/www/well_known/. Is your certbot config file updated to use this directory?

Please show us full content of file /etc/letsencrypt/renewal/mail.domain.co.nz.conf.  Note: please hide sensitive info before pasting.
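
The renewal failure in this thread came from a certbot renewal file whose webroot was not the directory Nginx serves /.well-known/ from, so the http-01 request returned 404. The script below is an added example, not part of the original posts or of iRedMail's own tooling: it lists `[[webroot_map]]` entries that differ from an expected webroot. The function names, the sample renewal file and the example.test domains are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find certbot webroot_map entries that
# do not point at the directory Nginx serves /.well-known/ from.

# webroot_mismatches CONF EXPECTED
# Prints "domain<TAB>webroot" for every [[webroot_map]] entry in renewal file
# CONF whose webroot is not exactly EXPECTED; prints nothing when all match.
webroot_mismatches() {
    awk -v want="$2" '
        /^[ \t]*\[/ {                       # a section header starts or ends the map
            in_map = ($0 ~ /\[\[webroot_map\]\]/)
            next
        }
        in_map && /=/ && !/^[ \t]*#/ {      # "domain = path" lines inside the map
            eq   = index($0, "=")
            dom  = substr($0, 1, eq - 1)
            path = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", dom)
            gsub(/^[ \t]+|[ \t]+$/, "", path)
            if (path != want) printf "%s\t%s\n", dom, path
        }
    ' "$1"
}

# sample_conf: a constructed renewal file (hypothetical domains) with one
# stale entry and one entry that already matches.
sample_conf() {
    cat <<'EOF'
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
[[webroot_map]]
mail.example.test = /var/www/html
webmail.example.test = /opt/www/well_known
EOF
}

# Demo on the constructed file. On a real host, loop over
# /etc/letsencrypt/renewal/*.conf instead.
tmp=$(mktemp)
sample_conf > "$tmp"
webroot_mismatches "$tmp" /opt/www/well_known
rm -f "$tmp"
```

After correcting an entry, `certbot renew --dry-run` exercises the same http-01 challenge against the staging endpoint without replacing the live certificate.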