After running certbot the connection is over IPv4 instead of IPv6


#1

Hello,

After running certbot --nginx the connection is established via IPv4 instead of IPv6 in Chrome. The server is running with a fresh Ubuntu 18.04.01 installation and Nginx 1.14.0. HTTPS is activated without problems.

Here is the Nginx configuration before running certbot:

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    if ($host = example.com) {
        return 301 https://www.$host$request_uri;
    }
    root /var/www/example.com/public;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    access_log /var/log/nginx/example.com.log;
    error_log /var/log/nginx/example.com-error.log error;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

Which names would you like to activate HTTPS for?
1: example.com
2: www.example.com
: 1 2

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect
2: Redirect
: 2

After running certbot:

server {
    server_name example.com www.example.com;
    if ($host = example.com) {
        return 301 https://www.$host$request_uri;
    }
    root /var/www/example.com/public;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    access_log /var/log/nginx/example.com.log;
    error_log /var/log/nginx/example.com-error.log error;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 404; # managed by Certbot
}

Thanks for your help!


#2

What’s the domain?

Those two server blocks don’t look like they’d fail over IPv6. There could be an issue in another server block, or with something external to Nginx like a firewall.


#3

The firewall is now disabled but it still does not work. The domain is www.jobion.de


#4

Hi @heiner

I don’t see an IPv6 address.

D:\temp>nslookup www.jobion.de.
Name: www.jobion.de
Address: 159.69.152.93


#5

http://jobion.de/ and https://jobion.de/ work for me on IPv6.

However, https://jobion.de/ redirects to https://www.jobion.de/, which doesn’t have an AAAA record in the DNS.

jobion.de.      3600  A     159.69.152.93
jobion.de.      3600  AAAA  2a01:4f8:1c0c:4caf::1

www.jobion.de.  3600  A     159.69.152.93
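
The check that settled this thread, written out as an added example (not code from any poster or from certbot): it compares the address families an nginx server block listens on with the A/AAAA records each `server_name` actually has. The input is constructed, the function names are hypothetical, and it assumes every top-level brace block in the file is a `server` block.

```python
import re
# Constructed sample input (documentation addresses), shaped like post #5's records.
NGINX_CONF = """
server {
    server_name example.com www.example.com;
    location / { try_files $uri $uri/ /index.php?$query_string; }
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
}
"""
DNS_ANSWERS = """
example.com.      3600  A     192.0.2.10
example.com.      3600  AAAA  2001:db8::1
www.example.com.  3600  A     192.0.2.10
"""

def server_blocks(conf):
    """Yield (names, has_v4, has_v6) for each top-level block (assumed server)."""
    depth, start = 0, 0
    for m in re.finditer(r"[{}]", conf):
        depth += 1 if m.group() == "{" else -1
        if m.group() == "{" and depth == 1:
            start = m.end()
        elif depth == 0:
            body = conf[start:m.start()]
            names = re.findall(r"^\s*server_name\s+([^;]+);", body, re.M)
            listens = re.findall(r"^\s*listen\s+([^;]+);", body, re.M)
            v6 = [l for l in listens if l.startswith("[")]
            yield " ".join(names).split(), len(v6) < len(listens), bool(v6)

def records(answers):
    """Map hostname -> set of address record types present in the answers."""
    have = {}
    for fields in map(str.split, answers.splitlines()):
        rtype = next((f for f in fields[1:-1] if f in ("A", "AAAA")), None)
        if rtype:
            have.setdefault(fields[0].rstrip(".").lower(), set()).add(rtype)
    return have

def missing_families(conf, answers):
    """Return sorted (name, rtype) pairs nginx listens for but DNS lacks."""
    have, gaps = records(answers), set()
    for names, v4, v6 in server_blocks(conf):
        for name in names:
            wanted = (["A"] if v4 else []) + (["AAAA"] if v6 else [])
            gaps |= {(name, t) for t in wanted if t not in have.get(name.lower(), ())}
    return sorted(gaps)

if __name__ == "__main__":
    print(missing_families(NGINX_CONF, DNS_ANSWERS))
```

Run against the sample, it reports `www.example.com` as lacking an AAAA record, which is the same gap found for the redirect target here. The record parser also accepts answer lines that carry an `IN` class column.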

#6

True, non-www works with IPv6. I will add an AAAA record for www in the DNS.

Thank you very much!