Hi, I have some questions about the LE certificate, IPv4/Ipv6, I would like your help.

1. I have a DSL/Uverse Home Network ATT running a Mac OS X Client home server with DNS and Apache.
   Everything would be much easy if I could reverse my domain to their supplied static ip address but as you know this can be expensive and I am a small home server. I use the server for 3 domains and for testing/teaching and that does not justify this type of expense.

2. I have DNS configured with the default domain www.domain.org, both LAN and WAN and I can call the domain in the browser and serve the website with no issues.

3. The host name for the ATT connection is “Hostname: ATT”

4. I do have a couple other domains serving in the same ip address and I can connect to each one of them without any issues.

5. Apache redirects through virtual host from port 80 to port 443 on the IPv4 with no problem.

6. • Here is where I am having the problem.
     From my computer, using the browser, I can connect to the IPv6 address but I have to bypass the Browser’s security restriction because it says that only the domain.org is in the certificate, not the IPV6 address or the hostname: “ATT”. Trying to connect to the IPv6 using a Tor rely, the connection do not even give me the option to bypass the restriction but it refuses completely to connect. Therefore, any browser will refuse to connect to the IPv6 address and gives a time out.

I have checked the DNS/IPv6 address using the Google DNS/Developer validation page and it passed to all the tests for IPv6.

https://developers.google.com/speed/public-dns/docs/troubleshooting

Therefore, I am suspecting that the IPv6 timeout is because the LE certificate for domain.org does not include both the ATT host and the configured IPv6 address, ipv6…

So, how do I get a LE certificate to resolve this issue?

Hi @ebonsi

a certificate has nothing to do with a timeout.

And Letsencrypt certificates have only domain names, not ip addresses.

But they can be used with working ipv4 and ipv6.

Your ipv6 2600:1700:b310:c2e0::2 doesn't answer - https://check-your-website.server-daten.de/?q=2600%3A1700%3Ab310%3Ac2e0%3A%3A2

Maybe a firewall problem.

Maybe an internal problem of your local network (ipv6 doesn't work). Maybe a wrong / not existing webserver configuration.

Do you have

Listen [::]:80
Listen [::]:443

directives? Works ipv6 internal? Works ping -6 or tracert -6 internal (no idea, if a Mac supports such commands).

PS: Tracert works:

D:\temp>tracert 2600:1700:b310:c2e0::2

Routenverfolgung zu 2600:1700:b310:c2e0::2 über maximal 30 Hops

2 18 ms 18 ms 17 ms 2003:0:8003:9800::1
3 119 ms 118 ms 118 ms att-gw.n54ny.t-systems.net [2001:1890:1fff:109:192:205:34:182]
4 * * * Zeitüberschreitung der Anforderung.
5 188 ms 190 ms 190 ms n54ny21crs.ipv6.att.net [2001:1890:ff:ffff:12:122:131:102]
6 190 ms 190 ms 188 ms cgcil22crs.ipv6.att.net [2001:1890:ff:ffff:12:122:2:237]
7 189 ms 190 ms 190 ms cgcil21crs.ipv6.att.net [2001:1890:ff:ffff:12:122:2:53]
8 193 ms 190 ms 190 ms sffca21crs.ipv6.att.net [2001:1890:ff:ffff:12:122:1:174]
9 188 ms 189 ms 186 ms scaca403cts.ipv6.att.net [2001:1890:ff:ffff:12:122:137:185]
10 188 ms 188 ms 188 ms 2001:1890:ff:e167:12:83:105:126
11 * * * Zeitüberschreitung der Anforderung.
12 211 ms 210 ms 212 ms 2001:506:7b31:df8::1
13 258 ms 213 ms 210 ms 2600:1700:b310:c2e0::2.

Looks like your webserver doesn't work.

Yep, telnet 2600:1700:b310:c2e0::2 80 / 443 doesn't work.

Hi @JuergenAuer, Thanks for the answer! Telnet is closed on the server for security reasons!

I am able to access my website from the internet, port 80 redirected to port 443, otherwise I could not serve the LE certificate I have right now. Have you tried to access the domain through your browser?

Here is my Apache Configuration:

For httpd.conf

Change this to Listen on specific IP addresses as shown below to
prevent Apache from glomming onto all bound IP addresses.

#Listen 12.34.56.78:80
#Listen 80
Listen [::]:80

ServerName domain:80
ServerName 192.168.1.x:80

For the httpd-vhosts.conf

domain.org site

<VirtualHost :80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.) https://%{SERVER_NAME}/$1 [R,L]
ServerAdmin webmaster@domain.org
DocumentRoot /Users/user/Sites
ServerName domain.org
ServerAlias www.domain.org

ipv6 domain.org site

<VirtualHost [ipv6]:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
ServerAdmin webmaster@domain.org
DocumentRoot /Users/user/Sites
ServerName domain.org
ServerAlias www.domain.org

domain.org site virtual host SSL 443

<VirtualHost *:443>
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
ServerAdmin webmaster@domain.org
ServerName domain.org
ServerAlias www.domain.org
DocumentRoot /Users/user/Sites
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/domain.org/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/domain.org/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/domain.org/chain.pem"
ErrorLog "/usr/local/apps/apache2/logs/error_log"
TransferLog "/usr/local/apps/apache2/logs/access_log"
CustomLog /usr/local/apps/apache2/logs/ssl_request_log
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"

for httpd-ssl.conf

Listen [::]:443

General setup for the virtual host

DocumentRoot /Users/user/Sites
ServerName www.domain.org:443
ServerAlias domain.org:443
ServerAdmin webmaster@domain.org
ErrorLog "/usr/local/apps/apache2/logs/error_log"
TransferLog "/usr/local/apps/apache2/logs/access_log"

SSL Engine Switch:
Enable/Disable SSL for this virtual host.
SSLEngine on
....

Pinging IPv6 address works just fine! I am pinging from the backup server that is just a replica and works as the main server.

[server:~] root# ping6 -n -I en1 ipv6
PING6(56=40+8+8 bytes) ipv6 --> ipv6
16 bytes from ipv6, icmp_seq=0 hlim=64 time=0.159 ms
16 bytes from ipv6, icmp_seq=1 hlim=64 time=0.165 ms
16 bytes from ipv6, icmp_seq=2 hlim=64 time=0.176 ms
16 bytes from ipv6, icmp_seq=3 hlim=64 time=0.171 ms
16 bytes from ipv6, icmp_seq=4 hlim=64 time=0.165 ms
16 bytes from ipv6, icmp_seq=5 hlim=64 time=0.172 ms
16 bytes from ipv6, icmp_seq=6 hlim=64 time=0.165 ms
16 bytes from ipv6, icmp_seq=7 hlim=64 time=0.169 ms
^C
--- ipv6 ping6 statistics ---
8 packets transmitted, 8 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.159/0.168/0.176/0.005 ms

You can select a port number with telnet and use it to check whether anything is listening on that port. Here @JuergenAuer just used telnet as a network testing tool.

I get the same result: your web server cannot accept connections from the public Internet on port 80 or port 443 (at least when using IPv6). That is presumably blocking Let's Encrypt's test connections. Maybe you are connecting to it from your internal network rather than from the outside world? Let's Encrypt's bots are going to connect from datacenters outside of your LAN.

Where are you testing that from? Are you testing using IPv4, IPv6, or both?

@schoen and @JuergenAuer, I do not doubt any of you, but how come I can serve my website from the internet?
if you enter the domain in the browser you get to the site! Port 80 and 443 must be working, otherwise I could not serve the site. Can you get to my site by typing the domain? The main problem is …as I stated before, my domain does not reverse to any of the ip address since it is a connection supplied by the host:
ATT
It must be a firewall issue on the ATT router itself then. The router does not give me manual alternatives to change any of that. In the ATT router it shows that port 80 and 443 is open to connection. I had hopes to make this work but it is beyond my access to configure the router. They only have a pre-set configuration and nothing we can do to change that. I am researching if they have a command line to the router. @schoen I use Tor to test the site!

@ebonsi, I just did some more tests and I’ve concluded that the problem is with a router or firewall’s treatment of IPv6. The web site is available in IPv4, but not in IPv6, even though the IPv6 address can be pinged.

Tor and many web browsers will either not support IPv6 or will ignore IPv6 failures, while the Let’s Encrypt bots do use IPv6 when an IPv6 address is listed.

I would conclude that you need to deal with the router or firewall IPv6 configuration (which might be different from the IPv4 configuration), or else remove the IPv6 AAAA records in DNS. (Do you know how they got there in the first place?)

@schoen Yes, it is the router! The router have a section check to activate the IPv6.

I can turn the IPv6 off, but my whole purpose was to make this work! It just defeat my whole purpose. Uh!

Perhaps the router has a port forwarding section, where you can configure mappings between public ports and internal ports? If so, maybe it has some IPv4-specific rules that need to be duplicated for IPv6?

The worse is that this router does not have a manual, can you believe that? It seems like ATT just want the regular guy to use it and get the home network going and be happy with it!
Here is how the firewall is configured;

|Server DNS Server|-|tcp|53|ipv4|
| --- | --- | --- | --- | --- | --- |
|udp|53|pv4|
|HTTPS Server|-|tcp|443|pv4|
|Web Server|-|tcp|80|pv4|
It does not give an option to configure IPv6!
But they have a DMZ section> kind of a risk...

Allow all applications (DMZplus mode) - Set the selected computer in DMZplus mode. All inbound traffic, except traffic which has been specifically assigned to another computer using the "Allow individual applications" feature, will automatically be directed to this computer. The DMZplus-enabled computer is less secure because all unassigned firewall ports are opened for that computer.

Note: On LAN devices which have a Private IP address, once DMZplus mode is selected and you click save, the system will issue a new IP address to the selected computer. The computer must be set to DHCP mode to receive the new IP address from the system, and you must reboot the computer. If you are changing DMZplus mode from one computer to another computer, you must reboot both computers.

I’m sorry your router is so limited! Maybe you can find a forum specific to it where someone might be able to help you figure out how to get the port forwarding to work with IPv6?

Thanks both of you! ATT do not want people to have anything but a generic configuration. I’ve try port forwarding but it only forward ports for the IPv4 address. The only way to get things working is to get a tomato router and making a pass-through. However, I read that if one does that, they will lose their IPv6 address configuration supplied by the router. So, That is the End!

My online tool can't connect your ipv6 address - https://check-your-website.server-daten.de/?q=2600%3A1700%3Ab310%3Ac2e0%3A%3A2 . If the browser switch to ipv4, that's not relevant.

Do you really use explicit ip addresses? Use <VirtualHost [::]:443>.

PS: Yep, I use telnet to check, if a connection via ipv6 is possible.

Thanks @JuergenAuer, I am using explicit virtual host for IPv6 only for port :80 forwarding to port *:443. I tested the explicit host before for both ports and end up not to work well for the other domains I serve. Everything would default to one domain only. We established that the issue is on the ATT router. It opens port 80 and 443 only for IPv4, some firewall rule embedded on the router that is not accessible to the client. Yes, I did use your tool to test, (very good one) and got the same thing. However, I was able to find out an issue regards the HSTS Configuration and was able to fix that. Now about the ATT router, I am researching if there is a command line I can use to configure some services.

PS: By the way, “telnet” was discontinued on the Mac. I was able to install using Home Brew last night. Opened port 23 but still did not got anything.

If there are any comfort to know, here is a reading on the ATT/Uverse router; Title: " U-verse and Static IP Addressing: Badly Broken!" http://www.ka9q.net/Uverse/static-ip.html

…and another reading:

Enabling IPv6 On My Home Network Part 2 AT&T

There's the telnet service (which is an obsolete way of doing a remote login, and uses port 23) and the telnet program (which is by default a client for the telnet service, and can make TCP connections on any specified port). @JuergenAuer is using the telnet program as a network testing tool and isn't using port 23 at all. You don't have to do anything with port 23 and the fact that he uses this tool for testing purposes doesn't mean that the telnet service or port 23 is relevant to your situation.

The telnet program has always allowed you to specify a different port number. For example, if you run

telnet www.google.com 80

then you'll make a TCP connection to Google's web server on port 80. You might do this in order to see whether you have network connectivity, whether a firewall is blocking outbound connections, etc. You would then have to manually speak the HTTP protocol if you wanted to do anything with this connection, but it gives a different view than a browser because if the connection fails outright, you can clearly blame something at the TCP or IP layer rather than the HTTP layer.

Yep, thanks @schoen - the “telnet client” is more a simple text tcp client.

So it’s possible to check a mail port 25 or a port 80 and send the raw Http command.

Or checking port 443 if there is an answer (instead of a timeout).

@schoen, @JuergenAuer Thanks! I am looking to install a Tomato Firmware on a ASUS spare modem//router I have back in the garage. I am reading this post and I’ll get back to you guys when I do. I would interesting to test if that will work through.
UVerse IPv6 with Tomato router in passthrough mode

In regards to the problem we are having, other people got the same conclusion;

Hello @schoen and @JuergenAuer,
First I would like to thank your both to follow up with this post. After researching and reading a lot, I decided for a configuration that so far is helping. Not how is supposed to be by any meanings but it is working.

I got an ASUS router and put it behind of the AT&T router on the DMZ passthrough mode. AT&T used to let us assign a fixed IPv6 but somehow they got very anxious to monetize on the IPv6 market and probably decided to restrict that feature for home network connections even thou, there are gazillions of IPV6 addresses avaliable. That was not by any means the philosophy of the IETF.org (Internet Engineer Task Force) that developed the IPv6 protocol so everyone would have unrestricted access to it. I use my home network server for educational purposes. My intention is to give a clean open source access to a "home server configuration" so others can also develop their own server and do their own testing on software and network troubleshooting. Anyway,

1. first, I transferred the AT&T router to a different subnet, (I did not want to disturb my wife from my blow up tests while she is watching her favor program on TV. ) Do not worry, you will be able to contact the router again using that subnet you pick up from the AT&T router DHCP configuration.

   1.a To change the AT&T router to a different subnet, Chose Settings > LAN > DHCP > DHCP Network range: 172.16.0.0, save your configuration.

Then re-start the computer and put the address 172.16.0.1 in your browser to contact the AT&T router. ***If you encounter any issues in contacting the AT&T router, just unplug and plug the router again.

2. (Important!) Login into the AT&T router again and go to Settings > System Informations> Event Notifications and check Enable the detection of router behind router conditions. Save!

3. Then connect the LAN port of the AT&T router to the WAN port of your secondary router, in my case the ASUS router. Boot (turn on) your ASUS router.

4. In the AT&T router, Go to Settings > Firewall > Applications Pinholes and DMZ.
   Choose your ASUS router there! It is not intuitive and most likely will have a strange number associated with the word that might look like this. "Unknown0849570048g96758". If you cannot find which one in the pool of names there, go back to Settings > LAN > Devices and start to try one by one until you find which one is the ASUS Router. Ok, continuing... after you select or choose your device, click down bellow to put in DMZ plus mode. A.K.A Allow All Aplications (DMZ Plus Mode)

5. Save and Voila, your ASUS Router will pick up the subnet 192.168.1.0 and the ASUS will be assigned to 192.168.1.1 and your static IPv4 from AT&T will be there.

After that I went on configuring IPv6 on the ASUS based on the information broadcasted from the AT&T router. Helpful commands are:

root# ndp -an

root# netstat -nr | grep "default"

root# ifconfig

Since AT&T limited (probably restricted, not sure yet) the assignment of static IPv6, put your Mac OS X network card on "automatic" and you will be assigned a temp IPv6. To this point your temp IPv6 should work and you will probably get a green light on; https://ipv6-test.com/ and https://test-ipv6.com/
It is a limitation because you won't be able to configure DNS BIND properly but I found a way to make it work (indirectly) and that is another story. Anyway, now you can go get your Certificates using Certbot.

By the way, it was my first time using Certbot and it work just fine! First, I installed Certbot using Home Brew. Remember that Home Brew does not work as root but with your admin account.

[youraccount]# brew install Certbot

Certbot will be installed on /usr/local/Cellar/Certbot

After that, you can do this as root, cd to /usr/local/Cellar/Certbot

server:certbot server$ sudo certbot certonly --apache

Obs: I got some errors initially and I had to run this command several times because Certbot was looking for an old Cert Configuration file left in there on /etc/Letsencrypt/renewal by the last authentication method. I checked those files and I had to clean them up and let Certbot build his own configuration. Here is how that file looks like;

This is how the file looks like on /etc/Letsencrypt/renewal/domain.conf

renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/domain.org/cert.pem
privkey = /etc/letsencrypt/live/domain.org/privkey.pem
chain = /etc/letsencrypt/live/domain.org/chain.pem
fullchain = /etc/letsencrypt/live/domain.org/fullchain.pem
version = 0.37.1
archive_dir = /etc/letsencrypt/archive/domain.org

Options and defaults used in the renewal process
[renewalparams]
installer = apache
authenticator = apache
account = 23544b7afdf456vby7890234eff <--bogus code just for display (do not use)
server = https://acme-v02.api.letsencrypt.org/directory

Here is my installation logs;

https://certbot.eff.org/lets-encrypt/osx-apache

First command: [server:local/Cellar/certbot] root# sudo certbot certonly --apache

server:~ server$ cd /usr/local/Cellar/certbot
server:certbot server$ sudo certbot certonly --apache
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): hostmaster@server.org

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory

(A)gree/(C)ancel: A

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?

1: domain.com
2: www.domain.com
3: domain.com
4: www.domain.com
5: serverdomain.org
6: www.serverdomain.org

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2 3 4 5 6

You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/domain.com.conf)

It contains these names: domain.com, www.domain.com

You requested these names for the new certificate: domain.com, www.domain.com,
domain.com, www.domain.com, server.org, www.server.org.

Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for domain.com
http-01 challenge for server.org
http-01 challenge for www.domain.com
http-01 challenge for www.domain.com
http-01 challenge for www.server.org
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

• Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/domain.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/domain.com/privkey.pem
  Your cert will expire on 2019-11-27. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew all of your certificates, run
  "certbot renew"

• Your account credentials have been saved in your Certbot
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Certbot so
  making regular backups of this folder is ideal.

• If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
  Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

[server:local/Cellar/certbot] root# sudo certbot certonly --apache

Which names would you like to activate HTTPS for?

1: domain.com
2: www.domain.com
3: domain.com
4: www.domain.com
5: server.org
6: www.server.org

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 5 6
Cert is due for renewal, auto-renewing...
Renewing an existing certificate

IMPORTANT NOTES:

• Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/server.org/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/server.org/privkey.pem
  Your cert will expire on 2019-11-27. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew all of your certificates, run
  "certbot renew"

• If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
  Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

[server:local/Cellar/certbot] root# sudo certbot certonly --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: domain.com
2: www.domain.com
3: domain.com
4: www.domain.com
5: server.org
6: www.server.org

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Cert is due for renewal, auto-renewing...
Renewing an existing certificate

IMPORTANT NOTES:

• Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/domain.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/domain.com/privkey.pem
  Your cert will expire on 2019-11-27. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew all of your certificates, run
  "certbot renew"

• If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
  Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

[server:local/Cellar/certbot] root# cd
end |

**

Next command: sudo certbot renew

**

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.