Hey guys, I've noticed that Certbot has transitioned over to using IPv6 for domain verification. This caused a problem with my certificate renewals, as I apparently do not have something configured correctly. I have two domains, https://codedragon.dev and https://linuxdragon.dev. I went ahead and temporarily removed the DNS AAAA records so that I could manually force a certificate renewal over IPv4, but this is only a workaround instead of an actual solution. I was wondering if anyone could help me set up Nginx properly to listen on IPv6 connections. Currently I have my server blocks for each subdomain configured like so:
# HTTPS Port 443 Configuration
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name codedragon.dev www.codedragon.dev;

    location / {
        root /data/www/codedragon;
        index index.html index.htm index.php;
        try_files $uri $uri/ =404;
    }

    location ~ /\.ht {
        deny all;
    }

    # SSL Configuration
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    ssl_certificate /etc/letsencrypt/live/codedragon.dev/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/codedragon.dev/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/codedragon.dev/chain.pem;
}

# HTTP Port 80 Configuration
server {
    if ($host = www.codedragon.dev) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = codedragon.dev) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name codedragon.dev www.codedragon.dev;
    listen 80;
    listen [::]:80;
    return 404; # managed by Certbot
}
I apologize for the odd formatting, but it seems to be an issue with the forum's implementation of Markdown.
I thought I had it set up properly, but apparently I do not. Also, this command reports the following:
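Since the post above asks how to tell whether nginx is really answering on IPv6, here is the diagnostic I would run on the box before touching the AAAA records. It is an added example, not anything from the original post, from Certbot or from nginx; it assumes ss (or netstat), dig, ip and curl are installed, and the hostname and webroot path are simply the two arguments you pass (codedragon.dev and /data/www/codedragon from the config above would be the obvious ones here). It checks the three things HTTP-01 over IPv6 needs: an nginx socket bound to [::]:80 (and [::]:443), an AAAA record that points at an address this host actually has configured, and a challenge-style file fetched over IPv6 only with curl -6, which is what the CA's validator ends up doing. A netstat line showing [::]:80 proves only the first of the three.

```shell
#!/bin/sh
# Added diagnostic for HTTP-01 validation over IPv6; not part of the original post.
# Assumptions: ss (or netstat), dig, ip and curl are on PATH; the hostname and
# webroot are given as arguments; the challenge directory is served by the
# port-80 server block or reached through its redirect (the CA follows
# redirects, hence -L below).

# has_v6_listener LISTENERS PORT
# LISTENERS is the text of `ss -ltn` or `netstat -ltn` (one socket per line,
# local address in field 4). Succeeds when some socket on PORT is bound to an
# IPv6 address: "[::]:80" or ":::80" (wildcard) or "[2001:db8::1]:80".
has_v6_listener() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $4 ~ /^(\[[0-9a-fA-F:.]*\]|::):[0-9]+$/ {
            p = $4; sub(/.*:/, "", p)
            if (p == port) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# aaaa_is_local AAAA_LIST LOCAL_LIST
# Both arguments are newline-separated addresses in the compressed form that
# `dig +short AAAA` and `ip -6 addr` print. Succeeds when at least one published
# AAAA address is configured on this host; otherwise the CA's IPv6 request goes
# to some other machine (or nowhere), whatever nginx is configured to do here.
aaaa_is_local() {
    { printf '%s\n' "$1"; echo '--local--'; printf '%s\n' "$2"; } | awk '
        /^--local--$/ { phase = 1; next }
        NF == 0       { next }
        phase == 0    { want[tolower($1)] = 1; next }
        (tolower($1) in want) { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_challenge_v6 HOST WEBROOT
# Drops a throwaway token where Certbot's webroot/nginx authenticators put
# theirs and fetches it over IPv6 only, the way the CA's validator would.
check_challenge_v6() {
    dir="$2/.well-known/acme-challenge"
    token="v6-probe-$$"
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token"
    got=$(curl -6 -sSL --max-time 10 "http://$1/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    [ "$got" = "$token" ]
}

# Driver: runs the three checks when invoked as
#   sh v6check.sh codedragon.dev /data/www/codedragon
# and does nothing when the file is only sourced for its functions.
if [ "$#" -ge 2 ]; then
    host=$1; webroot=$2
    listeners=$(ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null)
    for port in 80 443; do
        if has_v6_listener "$listeners" "$port"; then
            echo "ok: nginx listens on IPv6 port $port"
        else
            echo "MISSING: no IPv6 listener on port $port (add 'listen [::]:$port;')"
        fi
    done
    published=$(dig +short AAAA "$host")
    configured=$(ip -6 addr show scope global | awk '/inet6/ { sub("/.*", "", $2); print $2 }')
    if aaaa_is_local "$published" "$configured"; then
        echo "ok: AAAA for $host is configured on this host"
    else
        echo "MISMATCH: AAAA for $host ($published) is not on this host; configured: $configured"
    fi
    if check_challenge_v6 "$host" "$webroot"; then
        echo "ok: challenge file reachable over IPv6"
    else
        echo "FAIL: challenge not reachable over IPv6; check ip6tables/nftables and the provider's IPv6 setup"
    fi
fi
```

Run it from the server itself; if the first check passes but the third fails, nginx is fine and the problem is in front of it (the host's own IPv6 configuration or firewall), which is exactly the case a listening socket in netstat cannot distinguish.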
I think you misunderstand what I was asking; otherwise you wouldn't insist that a lack of AAAA records is a problem. Certbot has been updated to perform domain validation over IPv6. This caused a problem for me just now when I went to update a certificate. Searching the problem on the internet led me to this thread initially: Type: unauthorized Detail: Invalid response from - #2 by schoen - which detailed an error very similar to my own initial error. In the thread, someone posted this:
Let’s Encrypt recently changed to preferring validations over IPv6 if a site has an AAAA record. Many people’s sites, it turns out, do have AAAA records but are not properly set up to receive incoming web connections via IPv6.
I then did a little more digging, and found this thread: Certbot, force IPv4?, and I followed your very own advice here.
You can
remove the ipv6 entry
add a redirect ipv6 domain -> other domain (or new subdomain) only with ipv4 on your ipv4 config and use that. Letsencrypt follows such redirects (port 80 or 443)
There I noticed that my Nginx server blocks were almost correct. My HTTPS blocks were set up for IPv6, but my HTTP blocks were not, so I updated them to include the listen [::]:80 directive. That still didn't work, even though the netstat command shows that nginx is indeed listening for incoming IPv6 traffic on both HTTP ports.
As for your request for my IPv6 address, here you go: 2600:3c02::f03c:92ff:fe78:2587/64
I will say that I have Nginx installed from the official Nginx repository for Debian. When I ran the nginx -V command as recommended in the article, I got the following output:
I see nothing about it being compiled with IPv6 support, so I hope that doesn't hinder my ability to actually use IPv6 with my current build of Nginx, because I'd rather continue using the repositories from the Nginx project itself (nginx: Linux packages).
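On the nginx -V question in the post above: since nginx 1.11.5 the --with-ipv6 configure option no longer exists and IPv6 support is compiled in unconditionally, so its absence from the output of a current nginx.org package means nothing (and an nginx that binds [::]:80 at all has IPv6 support, because that listen address could not be bound otherwise). The following added example, which is not from the post, from Certbot or from nginx, decides that from the version string, and also pulls the listen directives that bind IPv6 out of the loaded configuration as printed by nginx -T, which is the quickest way to spot a server block that is still missing its listen [::]:80; line. It assumes nginx is on PATH when invoked with --run; the sample outputs in the checks are constructed.

```shell
#!/bin/sh
# Added check, not from the original post: reads IPv6 support off `nginx -V`
# output and lists the IPv6 listen directives of the running configuration.
# Assumes nginx is on PATH when run with --run.

# nginx_ipv6_status VERSION_TEXT
# VERSION_TEXT is what `nginx -V` writes (to stderr, hence 2>&1 below).
# Prints "always" for nginx 1.11.5 or later, where the --with-ipv6 configure
# option was removed and IPv6 is compiled in unconditionally; "yes" for an
# older build configured with --with-ipv6; and "no" for an older build without it.
nginx_ipv6_status() {
    printf '%s\n' "$1" | awk '
        /^nginx version: nginx\// {
            split($3, parts, "/"); split(parts[2], n, ".")
            maj = n[1] + 0; min = n[2] + 0; pt = n[3] + 0
            if (maj > 1 || (maj == 1 && (min > 11 || (min == 11 && pt >= 5)))) always = 1
        }
        /^configure arguments:/ && / --with-ipv6( |$)/ { flag = 1 }
        END {
            if (always) s = "always"; else if (flag) s = "yes"; else s = "no"
            print s
        }'
}

# v6_listen_directives CONFIG_TEXT
# CONFIG_TEXT is the dump `nginx -T` prints (every included file, resolved).
# Prints each `listen` directive that binds an IPv6 address, prefixed with the
# file it came from, so a server block that lacks `listen [::]:80;` shows up
# as an absence in this list.
v6_listen_directives() {
    printf '%s\n' "$1" | awk '
        /^# configuration file / { file = $4; sub(/:$/, "", file) }
        /^[ \t]*listen[ \t]+\[/ { sub(/^[ \t]+/, ""); print file ": " $0 }'
}

# Driver: `sh nginx-v6.sh --run` on the server; sourcing the file does nothing.
if [ "${1:-}" = "--run" ]; then
    echo "IPv6 support in this build: $(nginx_ipv6_status "$(nginx -V 2>&1)")"
    echo "IPv6 listen directives in the loaded configuration:"
    v6_listen_directives "$(nginx -T 2>/dev/null)"
fi
```

Because nginx -T prints the configuration the master process would actually load (includes expanded), a listen [::]:80 that exists in a file nginx never includes will not appear in the second list, which is worth knowing when a renewal keeps failing although the file you edited looks right.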
And I think you're looking at some old forum posts if you see something saying there's a recent change; Let's Encrypt has been supporting IPv6 since 2016.