Configuring a LE IPv4/IPv6 on a home network server, Mac OS X Client

Hi, I have some questions about the LE certificate and IPv4/IPv6, and I would like your help.

  1. I have a DSL/Uverse Home Network ATT running a Mac OS X Client home server with DNS and Apache.
    Everything would be much easier if I could reverse my domain to their supplied static IP address, but as you know this can be expensive and I am a small home server. I use the server for 3 domains and for testing/teaching, and that does not justify this type of expense.

  2. I have DNS configured with the default domain www.domain.org, both LAN and WAN, and I can call the domain in the browser and serve the website with no issues.

  3. The host name for the ATT connection is “Hostname: ATT”

  4. I do have a couple of other domains serving on the same IP address and I can connect to each one of them without any issues.

  5. Apache redirects through virtual host from port 80 to port 443 on the IPv4 with no problem.

    • Here is where I am having the problem.
      From my computer, using the browser, I can connect to the IPv6 address, but I have to bypass the browser’s security restriction because it says that only domain.org is in the certificate, not the IPv6 address or the hostname “ATT”. Trying to connect to the IPv6 address using a Tor relay, the connection does not even give me the option to bypass the restriction but refuses completely to connect. Therefore, any browser will refuse to connect to the IPv6 address and times out.

I have checked the DNS/IPv6 address using the Google DNS/Developer validation page and it passed all the tests for IPv6.

https://developers.google.com/speed/public-dns/docs/troubleshooting

Therefore, I am suspecting that the IPv6 timeout is because the LE certificate for domain.org does not include both the ATT host and the configured IPv6 address, ipv6…

So, how do I get a LE certificate to resolve this issue?

Hi @ebonsi

A certificate has nothing to do with a timeout.

And Letsencrypt certificates have only domain names, not ip addresses.

But they can be used with working ipv4 and ipv6.

Your ipv6 2600:1700:b310:c2e0::2 doesn’t answer - https://check-your-website.server-daten.de/?q=2600%3A1700%3Ab310%3Ac2e0%3A%3A2

Maybe a firewall problem.

Maybe an internal problem of your local network (ipv6 doesn’t work). Maybe a wrong / not existing webserver configuration.

Do you have

Listen [::]:80
Listen [::]:443

directives? Does ipv6 work internally? Do ping -6 or tracert -6 work internally (no idea if a Mac supports such commands)?


PS: Tracert works:

D:\temp>tracert 2600:1700:b310:c2e0::2

Routenverfolgung zu 2600:1700:b310:c2e0::2 über maximal 30 Hops

2 18 ms 18 ms 17 ms 2003:0:8003:9800::1
3 119 ms 118 ms 118 ms att-gw.n54ny.t-systems.net [2001:1890:1fff:109:192:205:34:182]
4 * * * Zeitüberschreitung der Anforderung.
5 188 ms 190 ms 190 ms n54ny21crs.ipv6.att.net [2001:1890:ff:ffff:12:122:131:102]
6 190 ms 190 ms 188 ms cgcil22crs.ipv6.att.net [2001:1890:ff:ffff:12:122:2:237]
7 189 ms 190 ms 190 ms cgcil21crs.ipv6.att.net [2001:1890:ff:ffff:12:122:2:53]
8 193 ms 190 ms 190 ms sffca21crs.ipv6.att.net [2001:1890:ff:ffff:12:122:1:174]
9 188 ms 189 ms 186 ms scaca403cts.ipv6.att.net [2001:1890:ff:ffff:12:122:137:185]
10 188 ms 188 ms 188 ms 2001:1890:ff:e167:12:83:105:126
11 * * * Zeitüberschreitung der Anforderung.
12 211 ms 210 ms 212 ms 2001:506:7b31:df8::1
13 258 ms 213 ms 210 ms 2600:1700:b310:c2e0::2.

Looks like your webserver doesn’t work.

Yep, telnet 2600:1700:b310:c2e0::2 80 / 443 doesn’t work.


Hi @JuergenAuer, Thanks for the answer! Telnet is closed on the server for security reasons!

I am able to access my website from the internet, port 80 redirected to port 443, otherwise I could not serve the LE certificate I have right now. Have you tried to access the domain through your browser?

Here is my Apache Configuration:

For httpd.conf

# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#Listen 12.34.56.78:80
#Listen 80
Listen [::]:80

ServerName domain:80
ServerName 192.168.1.x:80

For the httpd-vhosts.conf

# domain.org site
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
    ServerAdmin webmaster@domain.org
    DocumentRoot /Users/user/Sites
    ServerName domain.org
    ServerAlias www.domain.org
</VirtualHost>

# ipv6 domain.org site
# [ipv6] is the poster's placeholder for the server's global IPv6 address
<VirtualHost [ipv6]:80>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
    ServerAdmin webmaster@domain.org
    DocumentRoot /Users/user/Sites
    ServerName domain.org
    ServerAlias www.domain.org
</VirtualHost>

# domain.org site virtual host SSL 443
<VirtualHost *:443>
    # HSTS is a response header, so it must be set via mod_headers;
    # a bare "Strict-Transport-Security: ..." line is not a valid Apache directive.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    ServerAdmin webmaster@domain.org
    ServerName domain.org
    ServerAlias www.domain.org
    DocumentRoot /Users/user/Sites
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/domain.org/cert.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/domain.org/privkey.pem"
    SSLCertificateChainFile "/etc/letsencrypt/live/domain.org/chain.pem"
    ErrorLog "/usr/local/apps/apache2/logs/error_log"
    TransferLog "/usr/local/apps/apache2/logs/access_log"
    CustomLog /usr/local/apps/apache2/logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

for httpd-ssl.conf

Listen [::]:443

# General setup for the virtual host
DocumentRoot /Users/user/Sites
ServerName www.domain.org:443
ServerAlias domain.org:443
ServerAdmin webmaster@domain.org
ErrorLog "/usr/local/apps/apache2/logs/error_log"
TransferLog "/usr/local/apps/apache2/logs/access_log"

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
…

Pinging IPv6 address works just fine! I am pinging from the backup server that is just a replica and works as the main server.

[server:~] root# ping6 -n -I en1 ipv6
PING6(56=40+8+8 bytes) ipv6 --> ipv6
16 bytes from ipv6, icmp_seq=0 hlim=64 time=0.159 ms
16 bytes from ipv6, icmp_seq=1 hlim=64 time=0.165 ms
16 bytes from ipv6, icmp_seq=2 hlim=64 time=0.176 ms
16 bytes from ipv6, icmp_seq=3 hlim=64 time=0.171 ms
16 bytes from ipv6, icmp_seq=4 hlim=64 time=0.165 ms
16 bytes from ipv6, icmp_seq=5 hlim=64 time=0.172 ms
16 bytes from ipv6, icmp_seq=6 hlim=64 time=0.165 ms
16 bytes from ipv6, icmp_seq=7 hlim=64 time=0.169 ms
^C
--- ipv6 ping6 statistics ---
8 packets transmitted, 8 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.159/0.168/0.176/0.005 ms

You can select a port number with telnet and use it to check whether anything is listening on that port. Here @JuergenAuer just used telnet as a network testing tool.

I get the same result: your web server cannot accept connections from the public Internet on port 80 or port 443 (at least when using IPv6). That is presumably blocking Let’s Encrypt’s test connections. Maybe you are connecting to it from your internal network rather than from the outside world? Let’s Encrypt’s bots are going to connect from datacenters outside of your LAN.

Where are you testing that from? Are you testing using IPv4, IPv6, or both?


@schoen and @JuergenAuer, I do not doubt either of you, but how come I can serve my website from the internet?
If you enter the domain in the browser you get to the site! Ports 80 and 443 must be working, otherwise I could not serve the site. Can you get to my site by typing the domain? The main problem is… as I stated before, my domain does not reverse to any of the IP addresses, since it is a connection supplied by the host:
ATT
It must be a firewall issue on the ATT router itself then. The router does not give me manual alternatives to change any of that. In the ATT router it shows that ports 80 and 443 are open to connection. I had hopes to make this work, but it is beyond my access to configure the router. They only have a pre-set configuration and there is nothing we can do to change that. I am researching whether they have a command line to the router. @schoen I use Tor to test the site!

@ebonsi, I just did some more tests and I’ve concluded that the problem is with a router or firewall’s treatment of IPv6. The web site is available in IPv4, but not in IPv6, even though the IPv6 address can be pinged.

Tor and many web browsers will either not support IPv6 or will ignore IPv6 failures, while the Let’s Encrypt bots do use IPv6 when an IPv6 address is listed.

I would conclude that you need to deal with the router or firewall IPv6 configuration (which might be different from the IPv4 configuration), or else remove the IPv6 AAAA records in DNS. (Do you know how they got there in the first place?)


@schoen Yes, it is the router! The router has a section to check to activate IPv6.

Type                     Value
IPv6 Internet Address    2001:xxx
IPv6 Default Gateway     fe80::216:4
IPv6 Delegated Prefix    2600:xxx::/60

I can turn IPv6 off, but my whole purpose was to make this work! It just defeats my whole purpose. Uh!

Perhaps the router has a port forwarding section, where you can configure mappings between public ports and internal ports? If so, maybe it has some IPv4-specific rules that need to be duplicated for IPv6?

The worst is that this router does not have a manual, can you believe that? It seems like ATT just wants the regular guy to use it, get the home network going and be happy with it!
Here is how the firewall is configured:

DNS Server   - tcp 53 ipv4
             - udp 53 ipv4
HTTPS Server - tcp 443 ipv4
Web Server   - tcp 80 ipv4

It does not give an option to configure IPv6!
But they have a DMZ section, kind of a risk…

Allow all applications (DMZplus mode) - Set the selected computer in DMZplus mode. All inbound traffic, except traffic which has been specifically assigned to another computer using the “Allow individual applications” feature, will automatically be directed to this computer. The DMZplus-enabled computer is less secure because all unassigned firewall ports are opened for that computer.

Note: On LAN devices which have a Private IP address, once DMZplus mode is selected and you click save, the system will issue a new IP address to the selected computer. The computer must be set to DHCP mode to receive the new IP address from the system, and you must reboot the computer. If you are changing DMZplus mode from one computer to another computer, you must reboot both computers.

I’m sorry your router is so limited! Maybe you can find a forum specific to it where someone might be able to help you figure out how to get the port forwarding to work with IPv6?

Thanks both of you! ATT does not want people to have anything but a generic configuration. I’ve tried port forwarding, but it only forwards ports for the IPv4 address. The only way to get things working is to get a Tomato router and make a pass-through. However, I read that if one does that, they will lose their IPv6 address configuration supplied by the router. So, that is the end! 🙂

My online tool can’t connect to your ipv6 address - https://check-your-website.server-daten.de/?q=2600%3A1700%3Ab310%3Ac2e0%3A%3A2 . If the browser switches to ipv4, that’s not relevant.

Do you really use explicit ip addresses? Use <VirtualHost [::]:443>.

PS: Yep, I use telnet to check if a connection via ipv6 is possible.

Thanks @JuergenAuer, I am using an explicit virtual host for IPv6 only for port :80, forwarding to port *:443. I tested the explicit host before for both ports and it ended up not working well for the other domains I serve. Everything would default to one domain only. We established that the issue is on the ATT router. It opens ports 80 and 443 only for IPv4, some firewall rule embedded in the router that is not accessible to the client. Yes, I did use your tool to test (very good one) and got the same thing. However, I was able to find an issue regarding the HSTS configuration and was able to fix that. Now about the ATT router, I am researching whether there is a command line I can use to configure some services.

PS: By the way, “telnet” was discontinued on the Mac. I was able to install it using Homebrew last night. Opened port 23 but still did not get anything.

If it is any comfort, here is a reading on the ATT/Uverse router; Title: "U-verse and Static IP Addressing: Badly Broken!" http://www.ka9q.net/Uverse/static-ip.html

…and another reading:

Enabling IPv6 On My Home Network Part 2 AT&T


There’s the telnet service (which is an obsolete way of doing a remote login, and uses port 23) and the telnet program (which is by default a client for the telnet service, and can make TCP connections on any specified port). @JuergenAuer is using the telnet program as a network testing tool and isn’t using port 23 at all. You don’t have to do anything with port 23 and the fact that he uses this tool for testing purposes doesn’t mean that the telnet service or port 23 is relevant to your situation.

The telnet program has always allowed you to specify a different port number. For example, if you run

telnet www.google.com 80

then you’ll make a TCP connection to Google’s web server on port 80. You might do this in order to see whether you have network connectivity, whether a firewall is blocking outbound connections, etc. You would then have to manually speak the HTTP protocol if you wanted to do anything with this connection, but it gives a different view than a browser because if the connection fails outright, you can clearly blame something at the TCP or IP layer rather than the HTTP layer.

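As an added example (not code from the thread), this Python script does what @schoen and @JuergenAuer describe doing with telnet and the online checker: resolve a name's A and AAAA records, attempt a bare TCP connection to every address on ports 80 and 443, and classify the outcome, so a site whose AAAA record leads to a firewall that drops the packets is reported as ipv4-only instead of being hidden by a browser's silent fall-back. The verdict words and the hostname you pass in are this script's own assumptions, not anything from the thread.

```python
import socket
from dataclasses import dataclass

@dataclass
class ProbeResult:
    family: str   # "IPv4" or "IPv6"
    address: str
    port: int
    outcome: str  # "open", "refused", "timeout" or "unreachable"

def resolve(host):
    """Unique (family, ip) pairs behind a hostname: A and AAAA records alike."""
    pairs = []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP):
        label = "IPv6" if fam == socket.AF_INET6 else "IPv4"
        if (label, sockaddr[0]) not in pairs:
            pairs.append((label, sockaddr[0]))
    return pairs

def probe(ip, port, timeout=3.0):
    """Bare TCP connect, the same test 'telnet <ip> <port>' performs; no HTTP is spoken."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
            return "open"
        except socket.timeout:
            return "timeout"      # SYN silently dropped: the firewall pattern seen in the thread
        except ConnectionRefusedError:
            return "refused"      # host reached, but nothing listening on that port
        except OSError:
            return "unreachable"  # no route, e.g. this machine has no IPv6 connectivity

def verdict(results):
    """A family 'serves' only if every probed port on every one of its addresses is open."""
    served = {}
    for r in results:
        served[r.family] = served.get(r.family, True) and r.outcome == "open"
    ok = {fam for fam, good in served.items() if good}
    if not ok:
        return "down"
    if ok == set(served):
        return "dual-stack" if len(ok) == 2 else "single-stack"
    return "ipv4-only" if ok == {"IPv4"} else "ipv6-only"

def check_site(host, ports=(80, 443), timeout=3.0):
    results = [ProbeResult(fam, ip, port, probe(ip, port, timeout))
               for fam, ip in resolve(host) for port in ports]
    return results, verdict(results)
```

Run `check_site("www.domain.org")` from a host outside the LAN: a probe from inside the router proves nothing about the public path, which is the point @schoen makes about where to test from.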

Yep, thanks @schoen - the “telnet client” is more of a simple text TCP client.

So it’s possible to check a mail port 25 or a port 80 and send the raw HTTP command.

Or checking port 443 if there is an answer (instead of a timeout).


@schoen, @JuergenAuer Thanks! I am looking to install the Tomato firmware on a spare ASUS modem/router I have back in the garage. I am reading this post and I’ll get back to you guys when I do. It would be interesting to test whether that will work through.
UVerse IPv6 with Tomato router in passthrough mode


I’ll get back to you when I do! Thanks for your help!


In regards to the problem we are having, other people came to the same conclusion:
