Cannot get IPv6 ACME working with DSL-Router

Short: all works fine with Fritzbox configuration "IPv4 only" but not with IPv6.

Working Status:
I use domains from the domain provider: "https://www.domainssaubillig.de/"
As nameserver I use: Free DNS from Hurricane Electric with ALIAS and CNAME entries both pointing to xyz.myfritz.net
In my fritzbox I have a forward rule to a local server (or reverse proxy).
It worked fine for years!

Problem:
Some time ago my DSL provider activated IPv6 and I'm no longer able to recreate my certificates with Letsencrypt ACME (LettuceEncrypt on asp.net .net7).
It seems like Hurricane Electric (https://dns.he.net/) always automatically adds an AAAA record with an IPv6 address pointing to my fritzbox (and not to the forwarded server).
So Letsencrypt cannot validate the HTTP-01 challenge from my server.

I've read https://letsencrypt.org/de/docs/ipv6-support/:
Let’s Encrypt will always prefer the IPv6 addresses for the initial connection.
So the only way for me seems to fully disable IPv6 on my Fritzbox 7590.

Please Help:
I would really appreciate any help towards a working solution with IPv6 enabled.
Am I the only person with such configuration - server behind a DSL-Router?

Thanks!
Juergen

It would really help to know your actual domain name. Many times we see things that you will not.

But, from your general description, it sounds like your Fritzbox is not routing incoming IPv6 requests to your server. Do you need another rule or setting to handle this? You might find an answer in their docs, a Fritzbox forum (if there is such a thing), or even googling "fritzbox ipv6".

This doesn't sound like a Let's Encrypt problem. Anyone trying to use IPv6 will fail to reach your server.

4 Likes

It would really help to know your actual domain name. Many times we see things that you will not.

One of the domains is "rz-software.de" or "www.rz-software.de".

But, from your general description, it sounds like your Fritzbox is not forwarding incoming IPv6 requests to your server.

I have added forwarding for IPv4 port 80, 443 AND IPv6 port 80, 443 (4 rules).

Do you need another rule or setting to handle this? You might find an answer in their docs, a Fritzbox forum (if there is such a thing), or even googling "fritzbox ipv6".

I do not think it is a problem with the Fritzbox configuration.

This doesn't sound like a Let's Encrypt problem. Anyone trying to use IPv6 will fail to reach your server.
No, if I grab the IPv6 address from ipconfig it will work (without certificate of course).

It seems to be a problem with Hurricane Electric (https://dns.he.net/) in conjunction with LetsEncrypt not falling back to IPv4, as I understand it - not being an expert.

This was the DNS entry with IPv6 enabled:
; rz-software.de Dumped Wed Jun 7 02:31:06 2023
;
rz-software.de. 172800 IN SOA ns1.he.net. hostmaster.he.net. (
2022110800 ;serial
10800 ;refresh
1800 ;retry
604800 ;expire
86400 ) ;minimum
rz-software.de. 300 IN A 84.150.222.164
rz-software.de. 300 IN AAAA 2003:f3:4fff:2bfe:9a9b:cbff:feae:c23
rz-software.de. 300 IN NS ns1.he.net.
rz-software.de. 300 IN NS ns2.he.net.
rz-software.de. 300 IN NS ns3.he.net.
rz-software.de. 300 IN NS ns4.he.net.
rz-software.de. 300 IN NS ns5.he.net.
test.rz-software.de. 300 IN CNAME awk5mwn4emg4u6gd.myfritz.net.
www.rz-software.de. 300 IN CNAME awk5mwn4emg4u6gd.myfritz.net.

The AAAA pointed to the fritzbox at 2003:f3:4fff:2bfe:9a9b:cbff:feae:c23 and NOT to the forwarded server.
If I disable IPv6 in the fritzbox, the AAAA entry disappears and the certificate creation via LetsEncrypt ACME works again.

It "works" because it will only "fallback" to IPv4 under certain conditions.
No response from IPv6 is one of those conditions.
As long as there is an AAAA record [that can't reach your site], you are creating a problem for anyone trying to access your site [who uses IPv6].

Why does this record even exist?

4 Likes
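To make the two preceding posts concrete (the zone dump with the AAAA record pointing at the router, and the explanation that the validator prefers IPv6 and only falls back to IPv4 when the IPv6 attempt gets no response), here is an added example that is not code from the thread, from Let's Encrypt or from LettuceEncrypt. It parses a zone dump in the format shown above, follows CNAMEs inside the zone, and replays the address selection against a pluggable probe. The zone text, the two probe functions and their outcomes are constructed for this example; the model of the validator (IPv6 first, IPv4 only after a non-answer) is taken from the thread's description, not from the validator's source.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone text, modelled on the dump posted above (same owners and
# record shapes, trimmed to the lines that matter for HTTP-01).
SAMPLE_ZONE = """\
; rz-software.de Dumped Wed Jun 7 02:31:06 2023
;
rz-software.de. 172800 IN SOA ns1.he.net. hostmaster.he.net. (
2022110800 ;serial
10800 ;refresh
1800 ;retry
604800 ;expire
86400 ) ;minimum
rz-software.de. 300 IN A 84.150.222.164
rz-software.de. 300 IN AAAA 2003:f3:4fff:2bfe:9a9b:cbff:feae:c23
rz-software.de. 300 IN NS ns1.he.net.
test.rz-software.de. 300 IN CNAME awk5mwn4emg4u6gd.myfritz.net.
www.rz-software.de. 300 IN CNAME awk5mwn4emg4u6gd.myfritz.net.
"""

ROUTER_V6 = "2003:f3:4fff:2bfe:9a9b:cbff:feae:c23"  # AAAA target: the Fritzbox itself
SERVER_V4 = "84.150.222.164"                       # A target: port-forwarded to the server

Record = Tuple[str, str]                 # (rtype, rdata)
Probe = Callable[[str], Optional[bool]]  # None: no response, True: token served, False: wrong answer


def parse_zone(text: str) -> Dict[str, List[Record]]:
    """Parse a zone dump into {owner: [(type, rdata), ...]}.

    Strips ';' comments, skips the parenthesised multi-line SOA, and keeps only
    the record types needed to reason about HTTP-01: A, AAAA and CNAME.
    """
    records: Dict[str, List[Record]] = {}
    in_parens = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if in_parens:                      # still inside "( ... )"
            in_parens = ")" not in line
            continue
        if not line:
            continue
        in_parens = "(" in line and ")" not in line
        fields = line.split()              # owner ttl class type rdata
        if len(fields) < 5:
            continue
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), " ".join(fields[4:]).lower()
        if rtype in ("A", "AAAA", "CNAME"):
            records.setdefault(owner, []).append((rtype, rdata))
    return records


def resolve(name: str, zone: Dict[str, List[Record]], max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Follow CNAMEs inside the zone and return (ipv4_addrs, ipv6_addrs).

    A CNAME target outside the zone (the myfritz.net name in the sample) yields
    nothing here; a real resolver would query that name's own servers.
    """
    owner = name.lower().rstrip(".") + "."
    for _ in range(max_hops):
        rrs = zone.get(owner, [])
        cnames = [rd for rt, rd in rrs if rt == "CNAME"]
        if cnames:
            owner = cnames[0]
            continue
        return ([rd for rt, rd in rrs if rt == "A"], [rd for rt, rd in rrs if rt == "AAAA"])
    raise ValueError(f"CNAME chain for {name} exceeds {max_hops} hops")


def simulate_http01(v4: List[str], v6: List[str], probe: Probe) -> Tuple[bool, List[str]]:
    """Model the validator behaviour described in the thread.

    The IPv6 address is tried first. Only an attempt that gets no response at
    all lets the validator move on to IPv4; an address that answers without the
    expected token fails the challenge outright.
    """
    log: List[str] = []
    order = ([v6[0]] if v6 else []) + ([v4[0]] if v4 else [])
    for ip in order:
        result = probe(ip)
        if result is None:
            log.append(f"{ip}: no response, falling back to the next address family")
            continue
        if result:
            log.append(f"{ip}: token served, challenge valid")
            return True, log
        log.append(f"{ip}: answered without the token, no fallback attempted")
        return False, log
    log.append("no address responded")
    return False, log


def check_domain(name: str, zone_text: str, probe: Probe) -> Tuple[bool, List[str]]:
    """Resolve a name from the zone text and replay the challenge against it."""
    v4, v6 = resolve(name, parse_zone(zone_text))
    return simulate_http01(v4, v6, probe)


# Constructed probe outcomes. The router answers on the AAAA address but has no
# ACME token; the forwarded server behind the A address has it.
def probe_router_answers(ip: str) -> Optional[bool]:
    return ip == SERVER_V4


# Variant: the router does not answer on the port at all over IPv6.
def probe_router_silent(ip: str) -> Optional[bool]:
    return True if ip == SERVER_V4 else None


if __name__ == "__main__":
    for label, probe in (("router answers", probe_router_answers), ("router silent", probe_router_silent)):
        ok, log = check_domain("rz-software.de", SAMPLE_ZONE, probe)
        print(f"[{label}] valid={ok}")
        for entry in log:
            print("  " + entry)
```

The two probes show why "it only falls back under certain conditions" matters: when the router answers on its own IPv6 address the challenge fails with no IPv4 attempt, and only when nothing answers at all does the A record get a chance. The durable fix is the one the thread converges on: the AAAA record must hold the address of the host that actually serves the token (with the router's firewall opened for it), or no AAAA record at all.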

That's not how IPv6 works.

With IPv4 and NAT the destination IP address is the public IP address of the router and the router uses NAT and port forwarding to forward the packets to a host in the LAN.
However, with IPv6, there is no NAT. If anyone uses NAT with IPv6, they should be (...). All hosts in the LAN have, in principle, public IPv6 addresses (compared with the private address space for IPv4). The router works like a REAL router without NAT in the case of IPv6, in combination with a firewall to shield the LAN from all the bad guys on the internet. This requires opening ports in the firewall, but no NAT or "port forwards".

Now, as I understand OP, they want to put the IPv6 address of the server in the LAN into the AAAA resource record of the hostname, but for some reason their DNS provider Hurricane forces the AAAA RR to point to the router's IP address. Or at least something sets the value of the AAAA RR to the router's IP address.

@juergenr To me it sounds like you have some kind of feature running on your Fritzbox to update your Hurricane DNS. Do you actually need that? I.e., do you have a dynamic IP address? If your IP address is static, I'd recommend disabling such a feature.

2 Likes

I wasn't implying NAT forwarding. I changed my comment to say it was not "routing" requests rather than "forwarding". To me "forwarding" is a generic term. I've worked with a wide variety of comms protocols and it's just how I think of packet movement.

That said, I think your explanation that this is a DNS problem is helpful. Looks like they've removed the AAAA record anyway so we may not find out the full solution.

4 Likes

Ah yes, but with IPv6, if the destination IP address of the incoming packet is the router itself, there's no forwarding to be done. Compared with IPv4 NAT. Or without NAT. Doesn't really matter.

With IPv6 the destination IP address of the incoming packet has to be the actual down-stream public IP address of the host itself. Actually, with IPv4 without NAT that's also the case :stuck_out_tongue:

So NAT or no NAT, the principle regarding the destination IP address of the incoming packet is key here.

4 Likes

Thanks. I re-read their initial post and I see what I missed.

3 Likes

I use NAT with IPv6.

3 Likes

Thanks for your reply!
I have a dynamic IP address, because a static IP address is very expensive.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.