How to get a certificate for IPv4 AND IPv6

#1

My domain is: git.sdxlive.com which is dual-stacked & accessible at:

  • 90.127.230.116
  • 2a01:cb00:745:c100:ba70:f4ff:fea8:f25c

I ran this command: https://[2a01:cb00:745:c100:ba70:f4ff:fea8:f25c]/

It produced this output: Your connection is not private

My web server is (include version): nginx 1.15.8

The operating system my web server runs on is (include version): Ubuntu 19.04 disco

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): ansible 2.7.7 acme_certificate module

The web server is only correctly accessible:

but not over IPv6 at https://git.sdxlive.com.

#2

Hi @jean-christophe-manc

It is not possible to change that. You have a certificate with domain names. But that doesn't work with your IP address.

So if you use your IP address (IPv4 or IPv6), it is always "not secure"; the certificate is always invalid.

But I can’t confirm your list.

Instead ( https://check-your-website.server-daten.de/?q=git.sdxlive.com ):

Domainname                                 Http-Status  redirect                  Sec.    G
http://git.sdxlive.com/
  90.127.230.116                           301          https://git.sdxlive.com/  0.076   A
http://git.sdxlive.com/
  2a01:cb00:745:c100:ba70:f4ff:fea8:f25c   -14                                    10.066  T
  Timeout - The operation has timed out
https://git.sdxlive.com/
  90.127.230.116                           -10                                    0.080   P
  SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel.
https://git.sdxlive.com/
  2a01:cb00:745:c100:ba70:f4ff:fea8:f25c   -14                                    10.027  T
  Timeout - The operation has timed out

So IPv6 doesn't work, not HTTP, not HTTPS.

Looks like your web server doesn't answer if the request uses IPv6. Is a vHost with

listen [::]:80;

configured? (same with port 443)

#3

I have restricted on purpose the protocol to TLS 1.3 which may be an issue for https://check-your-website.server-daten.de if their system does not support that latest version.

I get different results with https://www.ssllabs.com/ssltest/analyze.html?d=git.sdxlive.com&s=90.127.230.116 where https is plainly supported over IPv4.

Regarding IPv6, nginx is configured to support it for both http & https:

    listen [::]:80 deferred; # redirected
    listen [::]:443 ssl http2 default_server deferred;

IIUC, the certificate I received from let’s encrypt is supposed to support both IPv4 & IPv6, right?

#4

Yes, certificates aren’t restricted in that way.

I see a problem, maybe with the firewall:

curl -Iki6 http://git.sdxlive.com/
curl: (7) Failed to connect to git.sdxlive.com port 80: No route to host

curl -Iki6 https://git.sdxlive.com/
curl: (7) Failed to connect to git.sdxlive.com port 443: No route to host

#5

That's bad. My tool doesn't support TLS 1.3. TLS 1.2 is the standard, so you should allow TLS 1.2 connections.

But this isn't the problem.

IPv6 has timeouts. So your server doesn't answer.

It's not relevant whether the connection is via IPv4 or IPv6. The certificate is the same.

PS: And SSL Labs shows the same IPv6 timeout.
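The checks the replies above run by hand (curl over one address family, the per-address table from check-your-website, the TLS 1.2-only client) can be done in one script. The following is an added example, not code from any participant or from Let's Encrypt. It assumes the thread's hostname git.sdxlive.com as the default target, ports 80 and 443, a 5-second timeout, and a classification that treats a timeout or "no route to host" as a firewall/routing symptom and "connection refused" as a missing listen directive; the ssl module's maximum_version cap stands in for a checker that cannot speak TLS 1.3.

```python
"""Dual-stack reachability probe (added example, not code from the thread).

Resolves a name to its A and AAAA records, tries TCP on 80 and 443 per
address family, attempts a TLS handshake on 443 (optionally capped at
TLS 1.2 to mimic a checker that cannot speak 1.3) and classifies each
outcome so that "bad certificate" and "IPv6 path blocked" stay distinct.
"""
import errno
import socket
import ssl
import sys

TIMEOUT = 5.0  # assumption: a silent firewall DROP surfaces as "timeout"


def addresses(host):
    """Map 'IPv4'/'IPv6' to one published address each (None if no record)."""
    found = {"IPv4": None, "IPv6": None}
    for family, label in ((socket.AF_INET, "IPv4"), (socket.AF_INET6, "IPv6")):
        try:
            info = socket.getaddrinfo(host, None, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue
        if info:
            found[label] = info[0][4][0]
    return found


def tcp_outcome(addr, port):
    """'open', 'timeout', 'unreachable', 'refused' or 'error' for one connect."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(TIMEOUT)
    try:
        sock.connect((addr, port))
        return "open"
    except socket.timeout:  # no SYN-ACK and no ICMP: packets silently dropped
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"  # ICMP unreachable: routing or firewall REJECT
        if exc.errno == errno.ECONNREFUSED:
            return "refused"  # host reached, nothing bound to the port
        return "error"
    finally:
        sock.close()


def tls_outcome(addr, server_name, max_version=None):
    """'ok', 'cert_error', 'protocol_error', or the TCP outcome if no connect."""
    tcp = tcp_outcome(addr, 443)
    if tcp != "open":
        return tcp
    ctx = ssl.create_default_context()
    if max_version is not None:  # e.g. ssl.TLSVersion.TLSv1_2 for a 1.2-only client
        ctx.maximum_version = max_version
    try:
        with socket.create_connection((addr, 443), timeout=TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name):
                return "ok"
    except ssl.SSLCertVerificationError:  # must precede SSLError (its parent)
        return "cert_error"
    except ssl.SSLError:  # e.g. no protocol version in common
        return "protocol_error"
    except OSError:
        return "error"


def diagnose(results):
    """Turn {('IPv4'|'IPv6', 80|443|'tls'): outcome} into findings (pure)."""
    findings = []
    for fam in ("IPv4", "IPv6"):
        ports = {k[1]: v for k, v in results.items() if k[0] == fam and k[1] != "tls"}
        if not ports:
            findings.append(f"{fam}: no address published, nothing to check")
            continue
        dropped = sorted(p for p, o in ports.items() if o in ("timeout", "unreachable"))
        refused = sorted(p for p, o in ports.items() if o == "refused")
        if dropped:
            findings.append(f"{fam}: ports {dropped} never reach a listener; a firewall "
                            "or routing problem, the certificate is irrelevant")
        if refused:
            findings.append(f"{fam}: ports {refused} reach the host but nothing listens; "
                            "check the vhost has a listen directive for this family and port")
        if ports.get(80) != "open" and ports.get(443) == "open":
            findings.append(f"{fam}: https works but http does not, so the http->https "
                            "redirect is unreachable over this family")
        tls = results.get((fam, "tls"))
        if tls == "cert_error":
            findings.append(f"{fam}: TLS connected but the certificate was rejected; "
                            "expected by IP literal, certificates carry DNS names only")
        elif tls == "protocol_error":
            findings.append(f"{fam}: TCP works but the TLS handshake failed; a server "
                            "allowing only TLS 1.3 rejects a 1.2-only client this way")
    return findings


def probe(host, max_version=None):
    """Run every check for host; returns the dict diagnose() consumes."""
    results = {}
    for fam, addr in addresses(host).items():
        if addr is None:
            continue
        for port in (80, 443):
            results[(fam, port)] = tcp_outcome(addr, port)
        results[(fam, "tls")] = tls_outcome(addr, host, max_version)
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "git.sdxlive.com"  # host from the thread
    res = probe(target, ssl.TLSVersion.TLSv1_2)
    for key in sorted(res, key=str):
        print(key, res[key])
    for line in diagnose(res):
        print("-", line)
```

Run it as `python3 probe.py git.sdxlive.com`. The point of splitting `tcp_outcome` from `tls_outcome` is that a timeout on port 443 over IPv6 is reported as a path problem before any certificate is ever seen, which is exactly the confusion in the opening post; `diagnose` is kept free of network calls so its rules can be checked against constructed outcomes.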

#6

I have enabled TLS 1.2.
Could you try again?
Regarding IPv6, AFAIK, the firewall does not filter 80/443 ports but I will ask my provider.

#7

The tool is online. You can use it.

I’ve created it because of the questions in this forum. To make it easier to check such configurations with different ip addresses etc. So I don’t have to use a lot of different tools (dns-tools, browser etc).

#8

PS: It's the same: IPv4 now works completely, IPv6 has timeouts.

Domainname                                 Http-Status  redirect                  Sec.    G
http://git.sdxlive.com/
  90.127.230.116                           301          https://git.sdxlive.com/  0.077   A
http://git.sdxlive.com/
  2a01:cb00:745:c100:ba70:f4ff:fea8:f25c   -14                                    10.027  T
  Timeout - The operation has timed out
https://git.sdxlive.com/
  90.127.230.116                           200                                    5.487   A
https://git.sdxlive.com/
  2a01:cb00:745:c100:ba70:f4ff:fea8:f25c   -14                                    10.026  T
  Timeout - The operation has timed out

Perhaps share your config file.

PS: Using http://www.ipv6now.com.au/pingme.php to check:

— 2a01:cb00:745:c100:ba70:f4ff:fea8:f25c ping statistics —
5 packets transmitted, 0 received, 100% packet loss, time 4049ms

Is this a home server?

#9

This issue has been solved: it was an IPv6 firewall issue indeed.
Now the server is accessible on both IPv4 & IPv6:


Thanks for your help.

#10

Not complete, only https:

Domainname                                 Http-Status  redirect                  Sec.    G
http://git.sdxlive.com/
  90.127.230.116                           301          https://git.sdxlive.com/  0.077   A
http://git.sdxlive.com/
  2a01:cb00:745:c100:ba70:f4ff:fea8:f25c   -14                                    10.027  T
  Timeout - The operation has timed out
https://git.sdxlive.com/
  90.127.230.116                           200                                    5.344   A
https://git.sdxlive.com/
  2a01:cb00:745:c100:ba70:f4ff:fea8:f25c   200                                    5.327   A

IPv6 + HTTP has a timeout; SSL Labs doesn't check that.

The best solution is to allow all and add redirects http -> https.

closed #11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.