IP address from 44/9 or 44.127/10 space and letsencrypt certificates?

sp2l · May 5, 2022, 8:30pm

Greetings.

Is someone on this list using IP address from 44/9 or 44.127/10 space and letsencrypt certificates?

Best regards.
Tom.

9peppe · May 5, 2022, 9:37pm

I'd say yes

sp2l · May 6, 2022, 7:23am

Hello 9Peppe.

Both crt.sh and ardc.net websites are very well known to me.

Last time I successfully updated certificate for my host linux.sp2l.ampr.org
(bound to 44.165.2.2 IP address) was on March 17th 2021.
Tried various approaches to no avail so far.

For daily usage above IP/host is accessible for 44 network exclusively.

Before requesting cartificate update, I change iptables rules
to accept access for verbatim EVERY IP address.

For unknown to me reasons all verification IP addresses fail completion of their routines.

For other two domains bound to my public IP address, but on exactly the same server,
certificate reneval routine finishes successfully.

All suggestions and help will be very much appreciated.

Best regards.
Tom.

9peppe · May 6, 2022, 7:26am

Seeing some kind of log should be helpful.

I mean, you asked about a whole /9 subnet instead of your fqdn, the problem is probably more localized.

Maybe some update has broken your control over iptables, maybe there's another firewall on the network, lots of things are possible.

9peppe · May 6, 2022, 7:47am

% dig aaaa linux.sp2l.ampr.org

; <<>> DiG 9.18.2-1-Debian <<>> aaaa linux.sp2l.ampr.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37568
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;linux.sp2l.ampr.org.           IN      AAAA

;; ANSWER SECTION:
linux.sp2l.ampr.org.    0       IN      AAAA    2001:470:7dac::2

;; Query time: 10 msec
;; SERVER: 172.24.144.1#53(172.24.144.1) (UDP)
;; WHEN: Fri May 06 09:45:57 CEST 2022
;; MSG SIZE  rcvd: 84

You do open your firewall on IPv6, too, do you?

Let's Encrypt will use IPv6 if you have an AAAA record.

sp2l · May 6, 2022, 8:12am

9peppe.

My original question was differrent:
"Is someone on this list using IP address from 44/9 or 44.127/10 space and letsencrypt certificates?"
I didn't asked about whole AMPRNet network.

Do you personally use above address space?

I have my private, small server machine standing 50 centimeters from my desk.
It is Debian 9.13 system. Server is behind my own private router.
Only one firewall (iptables) on server.

Generally I do not use IPv6 address space.
Only single IPv6 address 2001:470:7dac::2 I use for one specific purpose:
dedicated tunnel IPv4 address to IPv6 address via Hurricane Electric features, nothing more.
Frankly speaking I do not need this tunnel anymore,
I keep it up&running for self-education purposes.

Negative, I do not open firewall for IPv6 space, no need.

Log? Why not...
Will create one and make it available on Dropbox, due to it's length.

Tom.

9peppe · May 6, 2022, 8:22am

That's an issue.

If you have an AAAA record, Let's Encrypt will use the address in there ignoring the A record nearly always. The easy way to solve this is to remove the AAAA record.

system · June 5, 2022, 8:23am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.