Help Getting Nginx working with IPv6

Hey guys, I've noticed that Certbot has transitioned over to using IPv6 for Domain verification. This caused a problem with my certificate renewals as I apparently do not have something configured correctly. I have two domains, and I went ahead and temporarily removed the DNS AAAA records so that I could manually force a certificate renewal over IPv4; but this is only a work around instead of an actual solution. I was wondering if anyone could help me set up Nginx properly to listen on IPv6 connections. Currently I have my serverblocks for each subdomain configured like so:

#HTTPS Port 443 Configuration
server	{
	listen  443		ssl http2;
	listen  [::]:443	ssl http2;

	location / {
		root /data/www/codedragon;
		index index.html index.htm index.php;
		try_files $uri $uri/ =404;

	location ~/\.ht {
		deny all;
	# SSL Configuration
	add_header Strict-Transport-Security	"max-age=15768000; includeSubDomains; preload;" always;
    ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
    	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        # OCSP Stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/;

# HTTP Port 80 Configuration

server	{
    if ($host = {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    	if ($host = {
        return 301 https://$host$request_uri;
    	} # managed by Certbot

    	listen 80;
        listen [::]:80;
   	return 404; # managed by Certbot

I apologize for the odd formatting, but it seems to be an issue with the forum's implementation of Mardown.

I thought I had it set up properly but apparently I do not. Also, this command reports the following:

sudo netstat -tulpna | grep nginx
tcp        0      0    *               LISTEN      5506/nginx: master  
tcp        0      0   *               LISTEN      5506/nginx: master  
tcp        0      0      ESTABLISHED 8365/nginx: worker  
tcp6       0      0 :::80                   :::*                    LISTEN      5506/nginx: master  
tcp6       0      0 :::443                  :::*                    LISTEN      5506/nginx: master 

Yet Certbot still doesn't work when I have AAAA records in my DNS records.

1 Like

Oh and of course, I've checked my firewall and it allows incoming IPv6 to both ports 80 and 443.

1 Like

Hi @CodeDragon5793

checking your DNS there is no AAAA record.

What's your ipv6?

1 Like

I've temporarily removed my AAAA records. That isn't the problem.

That is a problem, so it's impossible to check your configuration.

But I don't need an AAAA record, I need your ipv6.

1 Like

I think you misunderstand what I was asking, otherwise you wouldn't insist that a lack of AAAA records is a problem. Certbot has been updated to perform domain validation over IPv6. This caused a problem for me just now when I went to update a certificate. Searching the problem on the internet lead me to this thread initially: Type: unauthorized Detail: Invalid response from - #2 by schoen - which detailed an error very similar to my own initial error. In the thread, someone posted this:

Let’s Encrypt recently changed to preferring validations over IPv6 if a site has an AAAA record. Many people’s sites, it turns out, do have AAAA records but are not properly set up to receive incoming web connections via IPv6.

I then did a little more digging, and found this thread: Certbot, force IPv4?, and I followed your very own advice here.

You can

  • remove the ipv6 entry
  • add a redirect ipv6 domain -> other domain (or new subdomain) only with ipv4 on your ipv4 config and use that. Letsencrypt follows such redirects (port 80 or 443)

After that, I went and did some more digging to find this:

There I noticed that my Nginx server blocks were almost correct. My HTTPS blocks were set up for IPv6, but my HTTP blocks were not. So I updated them to include the listen [::]:80 directive. That still didn't work even though the netstat command shows that nginx is indeed listening for incoming IPv6 traffic on both HTTP ports.

As for your request for my IPv6 address, here you go: 2600:3c02::f03c:92ff:fe78:2587/64

1 Like

I will say that I have Nginx installed from the official Nginx repository for Debian. When I ran the nginx -V command as recommended in the article, I got the following output:

nginx -V
nginx version: nginx/1.18.0
built by gcc 8.3.0 (Debian 8.3.0-6) 
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.18.0/debian/debuild-base/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

I see nothing about it being compiled with IPv6 support, so I hope that that doesn't hinder my ability to actually use IPv6 with my current build of Nginx because I'd rather continue using the repositories from the Nginx project itself (nginx: Linux packages).

1 Like

Now it's possible to check your ipv6 in combination with your domain name - see[2600%3A3c02%3A%3Af03c%3A92ff%3Afe78%3A2587]&

Ipv6 + Hostname.


Domainname Http-Status redirect Sec. G
• http://2600:3c02::f03c:92ff:fe78:2587/ 2600:3c02::f03c:92ff:fe78:2587 301
Html is minified: 109,46 % 0.260 A
• https://2600:3c02::f03c:92ff:fe78:2587/ 2600:3c02::f03c:92ff:fe78:2587 Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 403 Html is minified: 110,61 % 4.817 M-
small visible content (num chars: 19)
403 Forbidden nginx Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 403 Html is minified: 110,61 % 4.440 M-
small visible content (num chars: 19)
403 Forbidden nginx
• http://2600:3c02::f03c:92ff:fe78:2587/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2600:3c02::f03c:92ff:fe78:2587 Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 301
Html is minified: 109,46 % 0.250 A
Visible Content: 301 Moved Permanently nginx Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 404 Html is minified: 110,61 % 4.436 A-
Not Found
Visible Content: 404 Not Found nginx

So there answers a nginx if the connection uses ipv6, that's good.

But there is a redirect http -> https. So if you use webroot, you have to use the https webroot.

Compare it with my own (working ipv6 + Letsencrypt) domain -[2a01%3A238%3A301b%3A%3A1226]&

So using ipv6 should work. If it doesn't work, the exact Letsencrypt error is required.


I feel dumb, the problem was solved - seemingly before I ever made this post, I guess I was just too impatient to give things time to propogate.


And I think you're looking at some old forum posts if you see something saying there's a recent change; Let's Encrypt has been supporting IPv6 since 2016.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.