Certbot + nginx + ipv6 + cloudflare issue

Hi! I ran into the following problem:
I have an nginx server hosting a couple of domains; each of them has a separate IPv6 address.
To make those domains available over the common (IPv4) internet, they use Cloudflare.

  • When I try to obtain a cert using the certbot --nginx command with Cloudflare enabled I get
    urn:acme:error:tls :: The server experienced a TLS error during domain verification
    which is a known problem, since the nginx plugin only supports the tls-sni-01 authentication method, which Cloudflare does not.

  • When I switch Cloudflare off I get

    urn:acme:error:malformed :: The request message was malformed :: No available addresses for getTLSSNICerts to dial

Is there any possible way to handle this configuration?

@Prochitaem, if I have time I could test it with one of my test sites this evening or tomorrow; meanwhile you could try to use the http challenge instead of the tls challenge, as the tls one won’t work with Cloudflare terminating the TLS connection.

certbot certonly --webroot -w /path/to/your/document/root/ -d yourdomain.tld

Cheers,
sahsanu

Thanks for the quick reply :slight_smile: This is a possible way of using it, but I will have to repeat it about 10 times every 90 days, with a great risk of error :frowning:
The reason I am asking is that I want to automate the whole process. I think this is becoming a more and more common situation (IPv6 and CDN), and if we find a good solution for it, it will be helpful for the community.

No, you don't need to do it manually every 90 days. If the --webroot method works for you, you only need to run that command manually once (as with certbot --nginx); after you get your cert, you can automate the renewal by putting a certbot renew command (with the option to reload your services if you want) in your cron.
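To make the two replies above concrete, here is an added example (my own, not code from the thread or from the certbot project): the webroot (http-01) setup for several domains, the nginx block that answers the challenge over plain HTTP on both IPv4 and IPv6, and the cron line that automates renewal. It assumes a shared challenge directory /var/www/acme that every vhost serves and that nginx is reloaded with "systemctl reload nginx"; neither is stated in the thread. allxunder.com is the domain from the thread, example.net is a placeholder for a second one.

```shell
#!/bin/sh
# Added example, not from the thread: webroot (http-01) issuance for several
# domains, plus the cron entry that takes care of the 90-day renewals.
# Assumptions (not stated in the thread): a shared challenge directory
# /var/www/acme served by every nginx vhost, and nginx reloaded with
# "systemctl reload nginx". example.net is a placeholder second domain.

ACME_ROOT="/var/www/acme"
DOMAINS="allxunder.com example.net"

# nginx server block that serves the challenge over plain HTTP on both
# IPv4 and IPv6. http-01 only needs port 80 reachable; Cloudflare proxies
# that to the origin, whereas tls-sni-01 breaks because Cloudflare
# terminates TLS itself. The https block that uses the certificate is
# not shown here.
nginx_acme_snippet() {
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $1;

    location ^~ /.well-known/acme-challenge/ {
        root $ACME_ROOT;
        default_type "text/plain";
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

# The one-time issuance command: one certificate covering every domain.
# Run it once by hand; certbot stores the webroot and the domain list in
# /etc/letsencrypt/renewal/ so that "certbot renew" can repeat it later.
certbot_issue_cmd() {
  cmd="certbot certonly --webroot -w $ACME_ROOT"
  for d in $DOMAINS; do
    cmd="$cmd -d $d"
  done
  echo "$cmd"
}

# /etc/cron.d line: attempt renewal twice a day. certbot only renews when
# fewer than 30 days remain, and the hook runs only after a real renewal,
# so nginx is reloaded exactly when the files change. --renew-hook is the
# name certbot 0.12 understands; later releases call it --deploy-hook and
# keep --renew-hook as an alias.
cron_renew_line() {
  echo "17 3,15 * * * root certbot renew --quiet --renew-hook \"systemctl reload nginx\""
}

# Usage: sh acme-webroot.sh show
if [ "${1:-}" = "show" ]; then
  for d in $DOMAINS; do
    nginx_acme_snippet "$d"
  done
  certbot_issue_cmd
  cron_renew_line
fi
```

Running it with the argument show only prints the nginx blocks, the certbot command and the cron line; nothing touches the system, so you can review the output before installing it. The check worth doing first is that http://yourdomain/.well-known/acme-challenge/test-file is fetchable from outside over both IPv4 (through Cloudflare) and the origin's IPv6 address, since that is exactly the request the validation server will make.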

Can you share the actual domain name you're trying to issue for? This error message was recently fixed to be more descriptive and relates to the DNS records for the domain name.

@cpu Yes! I've read it on GitHub, but the current certbot repository for Ubuntu 16.04 contains certbot version 0.12.0.
One of my domains: allxunder.com at [2001:bc8:28fc::a]

This was a server-side fix, in Boulder, and you won't see anything about it in the Certbot repository or need to update your certbot version. The error message will change after this week's production update.

For this domain I can see that the Boulder VA found "2001:bc8:28fc::a" as the only available address for "allxunder.com". It tried to connect to this IPv6 address at 2017-05-17T11:34:21.112182+00:00 and timed out. There were no IPv4 addresses to try afterwards, and you got the unfortunately confusing error message about "No available addresses for getTLSSNICerts to dial", which should have said "no working IP addresses found for allxunder.com" and would hopefully be clearer.

I also see 100% packet loss going to 2001:bc8:28fc::a. Are you sure you have configured this host correctly? Are there firewall rules in place to prevent non-Cloudflare addresses from reaching the host?
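The address selection cpu describes (IPv6 tried first, IPv4 only as a fallback, and a "no working IP addresses" failure when nothing answers) is easy to reproduce from the outside, which is the check to run before looking at certbot at all. The following is an added example of mine, not Boulder's code and not from the thread: it resolves AAAA and A records the way the VA walks them and tries a TCP connection to each. It assumes glibc's getent (for ahostsv6/ahostsv4), coreutils timeout and bash for the /dev/tcp connect, and it uses your local resolver rather than the VA's; run it from a host outside your own network, because a firewall that only admits Cloudflare's ranges will look fine from inside.

```shell
#!/bin/sh
# Added example, not from the thread and not Boulder's code: reproduce the
# validation server's address walk described above. It resolves AAAA and A
# records, tries IPv6 first, falls back to IPv4 only if IPv6 fails, and
# reports "no working IP addresses" when every address fails.
# Assumptions: glibc getent, coreutils timeout, bash for /dev/tcp.

PORT="${PORT:-443}"
CONNECT_TIMEOUT="${CONNECT_TIMEOUT:-5}"

# Candidate addresses, one per line: IPv6 first, then IPv4.
# IPv4-mapped entries (::ffff:a.b.c.d) are dropped so a host with only an
# A record is not tried twice.
resolve_addresses() {
  host="$1"
  getent ahostsv6 "$host" 2>/dev/null \
    | awk '$1 ~ /:/ && $1 !~ /^::ffff:/ {print $1}' | sort -u
  getent ahostsv4 "$host" 2>/dev/null \
    | awk '$1 ~ /\./ {print $1}' | sort -u
}

# Return 0 if a TCP connection to addr:PORT succeeds within the timeout.
# bash accepts an IPv6 literal without brackets in /dev/tcp/HOST/PORT.
probe_address() {
  timeout "$CONNECT_TIMEOUT" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$PORT" 2>/dev/null
}

# Walk the list the way the VA does: the first address that accepts a
# connection is printed and the function returns 0; if none does, the
# host has no working address and the function returns 1.
find_working_address() {
  host="$1"
  tried=0
  for addr in $(resolve_addresses "$host"); do
    tried=$((tried + 1))
    if probe_address "$addr"; then
      echo "$addr"
      return 0
    fi
    echo "connect to $addr port $PORT failed or timed out" >&2
  done
  if [ "$tried" -eq 0 ]; then
    echo "no A or AAAA records for $host" >&2
  else
    echo "no working IP addresses found for $host" >&2
  fi
  return 1
}

# Usage: sh va-probe.sh allxunder.com   (PORT=80 for an http-01 check)
if [ $# -gt 0 ]; then
  find_working_address "$1"
fi
```

For the case in the thread (Cloudflare off, only an AAAA record, origin not answering) the output is the single "failed or timed out" line for 2001:bc8:28fc::a followed by "no working IP addresses found", which is the situation behind the getTLSSNICerts message. With Cloudflare on, the A and AAAA records point at Cloudflare's edge, so a successful probe says nothing about the origin; use PORT=80 and a request for a file under /.well-known/acme-challenge/ to confirm the proxy actually reaches the webroot.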

Yes, it seems to be unreachable now. When I try to reach it directly using
curl https://[2001:bc8:28fc::a]
it returns:
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

A certificate verification issue isn’t necessarily a problem. curl was connecting to https://[2001:bc8:28fc::a]/ and you probably don’t have a certificate for the IP address. (Some CAs offer them, but not many, and they’re not widely used.) You can use “curl -k” to disable certificate validation. (Just for testing.)

If I try to curl that URL, the connection times out.

If I try to visit http://allxunder.com/ or https://allxunder.com/, Cloudflare can’t connect to the origin either. They return an error page after a delay.

Seems like your origin is down to some or all of the Internet, whether or not you can access it from your local network. Are you sure it’s on, its connectivity is working, and there isn’t a firewall in the way?


Well, it seems to be some overlapping problems, both with the network and with certbot; I will solve the network issues first :slight_smile:

