After running certbot the connection is over IPv4 instead of IPv6

heiner · November 16, 2018, 9:00pm

Hello,

After running certbot --nginx the connection is established via IPv4 instead of IPv6 in Chrome. The server is running with a fresh Ubuntu 18.04.01 installation and Nginx 1.14.0. HTTPS is activated without problems.

Here is the Nginx configuration before running certbot:

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    if ($host = example.com) {
        return 301 https://www.$host$request_uri;
    }
    root /var/www/example.com/public;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    access_log /var/log/nginx/example.com.log;
    error_log /var/log/nginx/example.com-error.log error;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

Which names would you like to activate HTTPS for?
1: example.com
2: www.example.com
: 1 2

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect
2: Redirect
: 2

After running certbot:

server {
    server_name example.com www.example.com;
    if ($host = example.com) {
        return 301 https://www.$host$request_uri;
    }
    root /var/www/example.com/public;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    access_log /var/log/nginx/example.com.log;
    error_log /var/log/nginx/example.com-error.log error;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 404; # managed by Certbot
}

Thanks for your help!

mnordhoff · November 16, 2018, 9:10pm

What’s the domain?

Those two server blocks don’t look like they’d fail over IPv6. There could be an issue in another server block, or with something external to Nginx like a firewall.

heiner · November 16, 2018, 9:20pm

The firewall is now disabled but it still does not work. The domain is www.jobion.de

JuergenAuer · November 16, 2018, 9:22pm

Hi @heiner

I don't see an ipv6 - address.

D:\temp>nslookup www.jobion.de.
Name: www.jobion.de
Address: 159.69.152.93

mnordhoff · November 16, 2018, 9:22pm

http://jobion.de/ and https://jobion.de/ work for me on IPv6.

However, https://jobion.de/ redirects to https://www.jobion.de/, which doesn’t have an AAAA record in the DNS.

jobion.de.      3600  A     159.69.152.93
jobion.de.      3600  AAAA  2a01:4f8:1c0c:4caf::1

www.jobion.de.  3600  A     159.69.152.93

heiner · November 16, 2018, 9:35pm

True, non-www works with IPv6. I will add AAAA record for www in the DNS.

Thank you very much!

system · December 16, 2018, 9:36pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SSL works on Safari and Chrome but not Firefox Help	14	1343	July 28, 2021
Certbot-auto and Nginx Help	4	2208	April 21, 2017
Help Getting Nginx working with IPv6 Help	10	2228	April 9, 2021
Https of website not working after certbot installtion Help	8	828	March 17, 2023
Certbot renewal http-01 challenge - Cannot Connect Due to IPV6 Configurations Help	8	1928	June 28, 2017

After running certbot the connection is over IPv4 instead of IPv6

Related topics