Certificate for website with only AAAA (IPV6) record

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: db.manavmahan.de

I ran this command: sudo certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
1: db.manavmahan.de
2: energy.manavmahan.de
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for db.manavmahan.de

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: db.manavmahan.de
  Type:   connection
  Detail: 2a02:908:1583:d3a0:e6b9:7aff:fe3c:7435: Fetching http://db.manavmahan.de/.well-known/acme-challenge/VhYvQZmDAaqCmTj3od1SwTvzdAqoekWkCdae49fyKfk: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is: Vodafone with DSLite

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.21.0

The content of the .conf file:

<VirtualHost *:80>
    ServerName db.manavmahan.de
    DocumentRoot "/var/www/nextcloud"

    ErrorLog ${APACHE_LOG_DIR}/error_collabora.log
    CustomLog ${APACHE_LOG_DIR}/access_collabora.log combined

    <Directory /var/www/html/>
        Options +FollowSymlinks
        AllowOverride All

        <IfModule mod_dav.c>
            Dav off
        </IfModule>

        SetEnv HOME /var/www/html
        SetEnv HTTP_HOME /var/www/html
        Satisfy Any
    </Directory>
</VirtualHost>
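The "connection" error in the post can be reproduced from any host outside the home network before certbot is run again. The script below is an added example written for this thread, not code from Certbot, Let's Encrypt or the original poster: it resolves A and AAAA records separately and fetches the challenge path over every published address, which is the same fetch the CA reports in the error (there, to the AAAA address). The token, the hostnames in the demonstration and the scripted resolver/connector used to run it offline are all constructed.

```python
"""Added example (not from the thread): preflight an HTTP-01 challenge path
from the outside, separately over IPv4 and IPv6.

A validator resolves the name, connects to one of its addresses on port 80 and
requests /.well-known/acme-challenge/<token>. A host that publishes only an
AAAA record is therefore only ever reached over IPv6, so that is the path that
has to work end to end (server, router and ISP).
"""
import socket
from dataclasses import dataclass
from typing import Optional

ACME_PATH = "/.well-known/acme-challenge/"
FAMILIES = ((socket.AF_INET, "IPv4"), (socket.AF_INET6, "IPv6"))
LABELS = dict(FAMILIES)


@dataclass
class ProbeResult:
    family: str
    address: str
    ok: Optional[bool]      # None: no record published in this family
    detail: str


def dns_resolver(host, family):
    """Addresses of host in one family, via the system resolver (empty if none)."""
    try:
        infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def http_connector(family, address, host, path, timeout=5.0):
    """TCP-connect to address:80, send a minimal GET, return the HTTP status line."""
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect((address, 80))
        request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        reply = sock.recv(4096)
    return reply.split(b"\r\n", 1)[0].decode("ascii", errors="replace")


def scripted_resolver(records):
    """Offline stand-in for dns_resolver: records maps "IPv4"/"IPv6" to address lists."""
    return lambda host, family: list(records.get(LABELS[family], []))


def scripted_connector(outcomes):
    """Offline stand-in for http_connector: outcomes maps address to a status line or an exception."""
    def connector(family, address, host, path, timeout=5.0):
        outcome = outcomes[address]
        if isinstance(outcome, BaseException):
            raise outcome
        return outcome
    return connector


def probe_http01(host, token, resolver=dns_resolver, connector=http_connector):
    """Try the challenge URL on every A and AAAA address of host; one result per address."""
    results = []
    for family, label in FAMILIES:
        addresses = resolver(host, family)
        if not addresses:
            results.append(ProbeResult(label, "-", None, "no record"))
            continue
        for address in addresses:
            try:
                status = connector(family, address, host, ACME_PATH + token)
            except OSError as exc:          # refused, timed out, unreachable, ...
                results.append(ProbeResult(label, address, False, f"connection failed: {exc}"))
                continue
            parts = status.split()
            ok = len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1] == "200"
            results.append(ProbeResult(label, address, ok, status))
    return results


def verdict(results):
    """One-line conclusion: which published address a validator could not use."""
    published = [r for r in results if r.ok is not None]
    failing = [r for r in results if r.ok is False]
    if not published:
        return "no A or AAAA record: nothing for a validator to connect to"
    if not failing:
        return "challenge path reachable on every published address"
    return "unreachable: " + ", ".join(f"{r.family} {r.address} ({r.detail})" for r in failing)


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder default
    results = probe_http01(name, "preflight-token")               # live check, real network
    for r in results:
        print(r)
    print(verdict(results))
```

Run it from a machine outside the home network; a 404 for the made-up token still proves that port 80 is reachable on that address, whereas a timeout on the AAAA address while a local `curl` succeeds puts the problem in the router or the ISP, which is where this thread ends up.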

Is there a specific question you'd like to address with your thread? :slight_smile:

1 Like

Your firewall denied the connection to it. IPv6 giving a server behind a router a unique address doesn't mean firewalls ignore traffic over it.

edit: I was wrong, ignore the tilted text
And that address looks like an ephemeral one: are you sure the server still holds that address? The server will rotate its temporary privacy address every 24 hours.

4 Likes

You sure? Looks like a SLAAC address based on the MAC address of the link, looking at the :FF:FE:. See IPv6 address - Wikipedia for more information. -> The MAC address E4:B9:7A:3C:74:35 seems to match a Dell Inc. MAC address range (MAC Address Lookup - MAC/OUI Vendor Search).

Anyway, I agree with your firewall statement. Looking at the traceroute I believe it's being blocked outside the range of the OP's IP address (blocked at 2a02:908:1500:8::c7f), so maybe a setting in the ISP's firewall? Or maybe the ISP blocks incoming access altogether, I dunno.

2 Likes
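To make the reasoning in the reply above concrete (the FF:FE marker in the interface identifier and the MAC read back from it), here is an added example that is not part of the thread and not a tool any of the posters used. It classifies the low 64 bits of the two addresses quoted for this host; it uses only the Python standard library and assumes nothing beyond the addresses already on the page.

```python
"""Added example (not from the thread): what the interface identifier (low
64 bits) of an IPv6 address reveals about how it was generated.

SLAAC may build the identifier from the NIC's MAC (modified EUI-64, RFC 4291
Appendix A): the 48-bit MAC is split in two, FF:FE is inserted in the middle
and the universal/local bit (0x02 of the first byte) is inverted. Such an
address stays the same as long as the NIC does. RFC 4941 temporary ("privacy")
addresses use a random identifier instead and are replaced periodically, so
an AAAA record that points at one goes stale.
"""
import ipaddress


def interface_identifier(addr):
    """The low 64 bits of an IPv6 address as 8 bytes."""
    return ipaddress.IPv6Address(addr).packed[8:]


def eui64_to_mac(addr):
    """MAC encoded in a modified-EUI-64 identifier, or None if the FF:FE pattern is absent."""
    iid = interface_identifier(addr)
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                      # undo the universal/local bit inversion
    mac = bytes([first]) + iid[1:3] + iid[5:8]  # drop the inserted FF:FE
    return ":".join(f"{b:02X}" for b in mac)


def classify(addr):
    """Human-readable guess at the identifier type (a random identifier hits FF:FE with p = 1/65536)."""
    mac = eui64_to_mac(addr)
    if mac is None:
        return "no FF:FE marker: random identifier (RFC 4941 temporary or manually assigned)"
    return f"modified EUI-64: stable SLAAC address derived from MAC {mac}"


def same_prefix64(a, b):
    """True when both addresses share the /64, i.e. the same link with a different identifier."""
    return ipaddress.IPv6Address(a).packed[:8] == ipaddress.IPv6Address(b).packed[:8]


# The two addresses the thread reports for the same host, in the order they appeared.
FIRST_SEEN = "2a02:908:1583:d3a0:e6b9:7aff:fe3c:7435"
LATER_SEEN = "2a02:908:1583:d3a0:8d99:1ca:ed2e:180d"

if __name__ == "__main__":
    for addr in (FIRST_SEEN, LATER_SEEN):
        print(addr, "->", classify(addr))
    print("same /64:", same_prefix64(FIRST_SEEN, LATER_SEEN))
```

On the thread's addresses this gives exactly the MAC quoted above for the first one, while the later one carries no FF:FE and sits in the same /64, which is consistent with the host having switched to a temporary address; for a published AAAA record the stable EUI-64 or a manually configured address is the one to use.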

FWIW, their AAAA is now: 2a02:908:1583:d3a0:8d99:1ca:ed2e:180d

But a traceroute still ends where Osiris saw it end earlier:

sudo traceroute -6 -T -p 443 db.manavmahan.de
traceroute to db.manavmahan.de (2a02:908:1583:d3a0:8d99:1ca:ed2e:180d), 30 hops max, 80 byte packets
 1  * * *
  ...
13  2620:107:4000:cfff::f202:d543 (2620:107:4000:cfff::f202:d543)  0.972 ms * *
14  de-ess01a-cr08-eth-6-0-1080.ess.unity-media.net (2a02:908:0:36f::2)  95.745 ms *  95.829 ms
15  2a02:908:1500:8::c7f (2a02:908:1500:8::c7f)  109.643 ms !X vodafonede-gw.dus.cw.net (2001:5000:0:173::2)  83.526 ms 2a02:908:1500:8::c7f (2a02:908:1500:8::c7f)  109.594 ms !X

I think this confirms

4 Likes
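The `!X` on hop 15 is what the conclusion rests on, so as an added example (not part of the post, and not a tool the posters used) here is a small parser for `traceroute` output that extracts each probe's reply annotation and reports the hop that answered with an administrative-prohibition error. The sample is a constructed copy of the hop lines quoted above; the annotation table is traceroute's standard set.

```python
"""Added example (not from the thread): read per-probe annotations out of a
traceroute transcript.

After a probe's RTT traceroute prints a '!' code when the reply was an ICMP
error rather than the expected time-exceeded / port-unreachable / TCP reply.
'!X' is "communication administratively prohibited": the node that sent it is
deliberately filtering the probe, which is different from a silent '*'.
"""
import re
from dataclasses import dataclass
from typing import Optional

ANNOTATIONS = {
    "!H": "host unreachable",
    "!N": "network unreachable",
    "!P": "protocol unreachable",
    "!S": "source route failed",
    "!F": "fragmentation needed",
    "!X": "communication administratively prohibited",
    "!V": "host precedence violation",
    "!C": "precedence cutoff",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
PROBE_RE = re.compile(
    r"\*"                                  # no reply within the timeout
    r"|(?:(\S+) \(([^)]+)\)\s+)?"          # optional "name (address)", omitted when same as previous probe
    r"(\d+(?:\.\d+)?) ms"                  # round-trip time
    r"(?: (![A-Z]|!\d+))?"                 # optional ICMP annotation such as !X
)


@dataclass
class Probe:
    address: Optional[str]    # None when the probe got no reply
    rtt_ms: Optional[float]
    annotation: Optional[str]


def parse_hops(text):
    """Return {hop_number: [Probe, ...]} for the hop lines of a traceroute transcript."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                       # banner, "..." elision, blank lines
        probes, last_addr = [], None
        for pm in PROBE_RE.finditer(m.group(2)):
            if pm.group(0) == "*":
                probes.append(Probe(None, None, None))
                continue
            if pm.group(2):
                last_addr = pm.group(2)    # later probes on the line may omit the responder
            probes.append(Probe(last_addr, float(pm.group(3)), pm.group(4)))
        hops[int(m.group(1))] = probes
    return hops


def filtering_hops(hops):
    """Hops whose reply was an administrative-prohibition error: {hop: sorted responder addresses}."""
    found = {}
    for n, probes in sorted(hops.items()):
        addrs = {p.address for p in probes if p.annotation == "!X"}
        if addrs:
            found[n] = sorted(addrs)
    return found


def describe(hops):
    """One sentence naming the first filtering hop, or saying there is none."""
    blocked = filtering_hops(hops)
    if not blocked:
        return "no administrative-prohibition replies on the path"
    n = min(blocked)
    return f"hop {n} ({', '.join(blocked[n])}) replied '{ANNOTATIONS['!X']}'"


# Constructed copy of the hop lines quoted in the post above.
SAMPLE_TRACEROUTE = """\
traceroute to db.manavmahan.de (2a02:908:1583:d3a0:8d99:1ca:ed2e:180d), 30 hops max, 80 byte packets
 1  * * *
  ...
13  2620:107:4000:cfff::f202:d543 (2620:107:4000:cfff::f202:d543)  0.972 ms * *
14  de-ess01a-cr08-eth-6-0-1080.ess.unity-media.net (2a02:908:0:36f::2)  95.745 ms *  95.829 ms
15  2a02:908:1500:8::c7f (2a02:908:1500:8::c7f)  109.643 ms !X vodafonede-gw.dus.cw.net (2001:5000:0:173::2)  83.526 ms 2a02:908:1500:8::c7f (2a02:908:1500:8::c7f)  109.594 ms !X
"""

if __name__ == "__main__":
    print(describe(parse_hops(SAMPLE_TRACEROUTE)))
```

On the sample this names hop 15 and the address Osiris pointed at; a path that merely times out at the last hop would show no annotation at all and leave the filtering device unidentified.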

For example, you could have a globally unique and routable IPv6 address, but your router could still block incoming connections to it by default!

3 Likes
