1 (edited by Akiba 2020-07-22 18:21:40)

Topic: Certs don't renew after IPv6 enabled

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.0 MARIADB edition
- Deployed with iRedMail Easy or the downloadable installer? No
- Linux/BSD distribution name and version: Ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I'm unable to renew letsencrypt certificates after enabling IPv6 in nginx.
sudo certbot certonly --webroot --dry-run -w /var/www/html -d mail.domain1.eu -d mail.domain2.pl
results in
==
Failed authorization procedure. mail.domain1.eu (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://mail.domain1.eu/.well-known/acm … nge/xxx... : Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
- The following errors were reported by the server:
   Domain: mail.domain1.eu
   Type:   connection
   Detail: Fetching
   https://mail.domain1.eu/.well-known/acm … nge/xxx... :
   Timeout during connect (likely firewall problem)
==

:~$ sudo lsof -i -P -n | grep LISTEN
...
nginx     21381            root    8u  IPv4 374362      0t0  TCP *:443 (LISTEN)
nginx     21381            root    9u  IPv6 374363      0t0  TCP *:443 (LISTEN)
nginx     21381            root   10u  IPv6 374364      0t0  TCP *:80 (LISTEN)
nginx     21381            root   11u  IPv4 374365      0t0  TCP *:80 (LISTEN)
nginx     21382        www-data    8u  IPv4 374362      0t0  TCP *:443 (LISTEN)
nginx     21382        www-data    9u  IPv6 374363      0t0  TCP *:443 (LISTEN)
nginx     21382        www-data   10u  IPv6 374364      0t0  TCP *:80 (LISTEN)
nginx     21382        www-data   11u  IPv4 374365      0t0  TCP *:80 (LISTEN)

All in all I don't know what to do. Please advise.

2

Re: Certs don't renew after IPv6 enabled

As per this entry https://letsencrypt.org/docs/ipv6-support/ letsencrypt will not renew if there exists a redirect from http to https.
I therefore temporarily disabled ssl and the redirect and managed to renew certs.
Trouble is the webserver is still unreachable using ipv6, which I have tested here: https://ipv6-test.com/validate.php

IPv6 validation for https://mail.domain1.eu
Tested on         Wed, 22 Jul 2020 14:59:03 GMT
AAAA DNS record         xxxx:xxxx:x:xxx::1
IPv6 web server         web server is unreachable : Connection timed out

Before trying all this I followed these instructions to configure IP addresses in Ubuntu: https://www.netcup-wiki.de/wiki/Zus%C3% … ieren#IPv6
IPv6 rDNS is working on the server.
What else needs doing?

3

Re: Certs don't renew after IPv6 enabled

Does the web host in Nginx have IPv6 enabled? For example, in file /etc/nginx/sites-enabled/xxx.conf:

server {
    listen [::]:443 ...;
    ...
}

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?


4

Re: Certs don't renew after IPv6 enabled

ZhangHuangbin wrote:

Does the web host in Nginx have IPv6 enabled? For example, in file /etc/nginx/sites-enabled/xxx.conf:

server {
    listen [::]:443 ...;
    ...
}

Yes, of course, it is. Nginx is enabled for IPV6 at port 443 and 80.

5

Re: Certs don't renew after IPv6 enabled

Try this command:

curl -k https://<IPv6-address>/.well-known/acme-challenge/abc.txt

Replace "<IPv6-address>" in the above URL with the real IPv6 address of your server. The file name "abc.txt" doesn't matter in this case, we just want to know which directory Nginx actually accesses. You should figure it out in its log file /var/log/nginx/error.log.


6

Re: Certs don't renew after IPv6 enabled

ZhangHuangbin wrote:

Try this command:

curl -k https://<IPv6-address>/.well-known/acme-challenge/abc.txt

Replace "<IPv6-address>" in the above URL with the real IPv6 address of your server. The file name "abc.txt" doesn't matter in this case, we just want to know which directory Nginx actually accesses. You should figure it out in its log file /var/log/nginx/error.log.

There was nothing in the error log corresponding to the request.
However I got the following output in the terminal:

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

It looks like a standard 404 error page.
But maybe certs will now be renewing properly, as I have just achieved proper ipv6 connectivity validated by https://ipv6-test.com/validate.php. To do this I had to use an IP6 address based on the hardware mac address, not an arbitrary IP6 set up in the rdns field of the server's control panel. Mails now get sent from IP4 and IP6 alternately. I will check to generate certs shortly.
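
Added example, not part of the original thread: in this thread lsof showed Nginx listening on both address families while the AAAA address still timed out from outside, so the useful check is a TCP connect to each published address, one family at a time, run from a machine outside the server's network. The function names, the default port and the sample addresses (documentation ranges) are assumptions made for this illustration.

```python
import socket
import sys

FAMILIES = ((socket.AF_INET, "IPv4"), (socket.AF_INET6, "IPv6"))

def probe(host, port=443, timeout=5.0):
    """TCP-connect to every address of host, one address family at a time.

    Returns {"IPv4": [(addr, ok, detail), ...], "IPv6": [...]}. An empty list
    means the resolver returned no address of that family for the name."""
    results = {}
    for family, label in FAMILIES:
        results[label] = []
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no A / AAAA record, or family unsupported locally
        for sockaddr in sorted({info[4] for info in infos}):
            try:
                with socket.socket(family, socket.SOCK_STREAM) as s:
                    s.settimeout(timeout)
                    s.connect(sockaddr)
                results[label].append((sockaddr[0], True, "connected"))
            except OSError as exc:  # timeout, refused, no route to host, ...
                detail = str(exc) or type(exc).__name__
                results[label].append((sockaddr[0], False, detail))
    return results

def unreachable_families(results):
    """Families that publish at least one address but none accepts a connection."""
    return [label for label, rows in results.items()
            if rows and not any(ok for _, ok, _ in rows)]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        res = probe(sys.argv[1])
    else:
        # Constructed sample mirroring the thread: IPv4 works, AAAA times out.
        res = {"IPv4": [("192.0.2.10", True, "connected")],
               "IPv6": [("2001:db8::1", False, "timed out")]}
    for label, rows in res.items():
        for addr, ok, detail in rows or [("-", False, "no address published")]:
            print(f"{label} {addr}: {'OK' if ok else 'FAIL'} ({detail})")
    print("published but unreachable:", unreachable_families(res) or "none")
```

Run it with the mail host name as the only argument; a family listed as "published but unreachable" points at DNS, routing or firewall rather than at the Nginx listen directives.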