I’ve got a few servers with Ubuntu/Nginx where I have set up Let’s Encrypt on IPv4 and they are working perfectly. I’d like to enable IPv6 and eventually HTTP/2.
My question is:
Is there anything I need to do to enable IPv6 on those hosts (save for the Nginx configuration) for Let’s Encrypt to work?
In enabling HTTP/2 will I need to change anything in Let’s Encrypt?
If you have a working IPv6 configuration, Let’s Encrypt will use it. If your IPv6 is broken (AAAA record, but no / different answer checking http + /.well-known/acme-challenge/random-filename), that blocks creating a new certificate.
As far as I know, the Let’s Encrypt validator currently doesn’t support HTTP/2. But that’s not a problem, HTTP 1.1 is used. More important: TLS 1.2 is required, the validator doesn’t use TLS 1.3.
Let’s Encrypt will work as long as you configured the address correctly. What you’ll need to do is:
Add IPv6 to your server
Configure Nginx to listen on IPv6
Make sure the IPv6 address is public and accessible (working)
After those, your renewals should have no trouble.
Honestly, if you want to enable HTTP/2 in Nginx, you just need to add a line to each virtual host… There’s minimal impact, and absolutely no impact to Let’s Encrypt if you do that right.
Hi, Thanks for your help so far. =) I got it running on one of my test servers but I still have one question. I see my settings listed as:
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
Can I edit these or will Certbot remove HTTP/2 if I add it? If not, where should I add it?
You can definitely edit those lines (and I would suggest you remove the ipv6only=on). Believe me, Certbot won’t angrily scream at you.
Just make sure the configuration is working (by doing nginx -t before you reload / restart).
That is working now but Nginx is giving an HTTP 404 on the IPv6 site. =(
Can you provide an Nginx host file (with nginx -T)? Make sure you’ve bound your website to that domain.
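Added example, not part of the thread and not Certbot's or Nginx's own code: a check for the "configure Nginx to listen on IPv6" step that reads `nginx -T`-style output and reports server blocks with an IPv4 listener but no IPv6 listener on the same port, since such a block never sees IPv6 requests and another block answers them. The function names and the sample config are constructed for illustration, and the tokenizer is simplified (no quoted strings containing braces, semicolons or `#`).

```python
import re
# Constructed sample in the shape of `nginx -T` output; names are placeholders.
SAMPLE = """
server { server_name example.org;
         listen [::]:443 ssl ipv6only=on; listen 443 ssl; }
server { server_name test.example.org;
         listen 443 ssl;  # IPv4 only
         location / { return 200; } }
"""

def server_blocks(conf):
    """Yield directive word-lists found directly inside each server { } block."""
    # Simplified tokenizer: assumes no quoted strings containing { } ; or #.
    stack, words = [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf)):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            stack.append((words[0] if words else "", []))
        elif tok == ";" and stack and words:
            stack[-1][1].append(words)
        elif tok == "}" and stack:
            name, directives = stack.pop()
            if name == "server":
                yield directives
        words = []

def listen_families(directives):
    """Map port -> address families ('v4'/'v6') from a block's listen directives."""
    ports = {}
    for d in directives:
        if d[0] != "listen" or len(d) < 2 or d[1].startswith("unix:"):
            continue
        host, port = re.fullmatch(r"(\[.*\]|[^:]*)(?::(\d+))?", d[1]).groups()
        if port is None:  # bare port ("443") or bare address (default port 80)
            host, port = ("", host) if host.isdigit() else (host, "80")
        fams = {"v6"} if host.startswith("[") else {"v4"}
        if fams == {"v6"} and "ipv6only=off" in d:  # dual-stack socket takes IPv4 too
            fams.add("v4")
        ports.setdefault(int(port), set()).update(fams)
    return ports

def missing_ipv6(conf):
    """Return (server_name, port) for each port served on IPv4 but not IPv6."""
    out = []
    for ds in server_blocks(conf):
        name = next((d[1] for d in ds if d[0] == "server_name"), "(unnamed)")
        out += [(name, p) for p, f in sorted(listen_families(ds).items()) if f == {"v4"}]
    return out
```

Calling `missing_ipv6()` on the text printed by `nginx -T` lists the (server_name, port) pairs to fix; blocks with no `listen` directive at all are not reported.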