IPv6 connection issue


#1

I was trying to generate a cert for admlabo.sxpert.org (among other domains), and it wouldn’t connect over IPv6

using curl -v to test the connection to the API server, it would block at the ALPN part

I was able to obtain a cert by setting the server’s name and ipv4 in /etc/hosts

here’s the result of the mtr command:

mtr --report -w --as acme-v01.api.letsencrypt.org
Start: Fri May 5 11:42:24 2017
HOST: cheetah Loss% Snt Last Avg Best Wrst StDev

  1. AS50620 cerbere.sxpert.org 0.0% 10 0.4 0.4 0.3 0.4 0.0
  2. AS50620 crs3-gre.as50620.net 0.0% 10 9.0 10.3 8.8 19.9 3.4
  3. AS??? 10gigabitethernet-2-2.par2.he.net 0.0% 10 9.6 12.4 8.9 30.3 6.6
  4. AS??? 100ge5-2.core1.fra1.he.net 0.0% 10 21.0 24.2 18.2 36.7 5.6
  5. AS??? ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
  6. AS5511 et3-0-1-0.pastr3.Pastourelle.opentransit.net 0.0% 10 26.9 24.1 19.4 48.5 8.9
  7. AS5511 akamai.GW.opentransit.net 0.0% 10 19.7 32.2 19.7 115.2 30.2
  8. AS20940 2a02:26f0:108:189::3d5 0.0% 10 19.7 20.2 19.6 21.6 0.3

mtr -4 --report -w --as acme-v01.api.letsencrypt.org
Start: Fri May 5 11:42:57 2017
HOST: cheetah Loss% Snt Last Avg Best Wrst StDev

  1. AS50620 cerbere.sxpert.org 0.0% 10 0.4 0.3 0.3 0.4 0.0
  2. AS50620 crs3-gre.as50620.net 0.0% 10 9.4 9.2 8.6 10.9 0.6
  3. AS??? akamai.par.franceix.net 0.0% 10 11.5 12.1 10.0 17.0 2.7
  4. AS20940 a23-38-4-37.deploy.static.akamaitechnologies.com 0.0% 10 9.0 9.9 9.0 12.4 0.8

#2

Can you be more specific about ‘wouldn’t connect’? Is it timing out?

If you’d try the following command and paste the output it could be helpful:
curl -vv -H "Pragma: akamai-x-get-cache-key, akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-get-true-cache-key, akamai-x-get-extracted-values, akamai-x-check-cacheable, akamai-x-get-request-id, akamai-x-serial-no, akamai-x-get-ssl-client-session-id, akamai-x-feo-trace" https://acme-v01.api.letsencrypt.org/directory


#3

this seems to be a heisenbug…
it was blocking on the ALPN bit, then timing out
tonight, some routing has changed and it works…

mtr -6 --report -w --as acme-v01.api.letsencrypt.org
Start: Fri May 5 21:18:55 2017
HOST: cheetah Loss% Snt Last Avg Best Wrst StDev

  1. AS50620 cerbere.sxpert.org 0.0% 10 0.3 0.8 0.3 4.6 1.3
  2. AS50620 crs3-gre.as50620.net 0.0% 10 9.2 10.5 8.8 19.7 3.4
  3. AS??? 10gigabitethernet-2-2.par2.he.net 0.0% 10 24.4 25.6 11.7 33.6 6.7
  4. AS??? akamai.par.franceix.net 0.0% 10 10.7 12.8 10.5 15.9 2.0
  5. AS20940 2a02:26f0:2d:180::3d5 0.0% 10 11.1 10.8 9.2 16.0 2.1

as for your command, I get:
stdout:
{
"key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
"new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
"new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
"new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
"revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}

stderr:

*   Trying 2a02:26f0:2d:180::3d5...
* Connected to acme-v01.api.letsencrypt.org (2a02:26f0:2d:180::3d5) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 694 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*   server certificate verification OK
*   server certificate status verification SKIPPED
*   common name: *.api.letsencrypt.org (matched)
*   server certificate expiration date OK
*   server certificate activation date OK
*   certificate public key: RSA
*   certificate version: #3
*   subject: CN=*.api.letsencrypt.org,O=INTERNET SECURITY RESEARCH GROUP,L=Mountain View,ST=California,C=US
*   start date: Fri, 26 Jun 2015 17:05:45 GMT
*   expire date: Mon, 25 Jun 2018 17:05:45 GMT
*   issuer: C=US,O=IdenTrust,OU=TrustID Server,CN=TrustID Server CA A52
*   compression: NULL
* ALPN, server accepted to use http/1.1

> GET /directory HTTP/1.1
> Host: acme-v01.api.letsencrypt.org
> User-Agent: curl/7.47.0
> Accept: */*
> Pragma: akamai-x-get-cache-key, akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-get-true-cache-key, akamai-x-get-extracted-values, akamai-x-check-cacheable, akamai-x-get-request-id, akamai-x-serial-no, akamai-x-get-ssl-client-session-id, akamai-x-feo-trace

< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: application/json
< Content-Length: 352
< Boulder-Request-Id: lg8Skx3XcpkfIWvbEoFT9dyr2D0CTvXbVXdjIkEiqV4
< Replay-Nonce: mi_-p4v3n6NucEUksI4TdMgp9SzF6MZ8SWCkLKARRhs
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< X-Akamai-SSL-Client-Sid: sPqRf12lF3neGgT2h7HDDA==
< X-Check-Cacheable: NO
< X-Akamai-Request-ID: 863129f2.f9382e
< Expires: Fri, 05 May 2017 19:15:52 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Fri, 05 May 2017 19:15:52 GMT
< X-Cache: TCP_MISS from a88-221-15-117.deploy.akamaitechnologies.com (AkamaiGHost/8.3.2.1-19774280) (-)
< X-Cache-Key: S/D/981/432721/000/origin-2pvah7paghah4iu6P.api.letsencrypt.org/directory
< X-True-Cache-Key: /D/000/origin-2pvah7paghah4iu6P.api.letsencrypt.org/directory
< X-Akamai-Session-Info: name=AKA_PM_BASEDIR; value=
< X-Akamai-Session-Info: name=AKA_PM_CACHEABLE_OBJECT; value=false
< X-Akamai-Session-Info: name=AKA_PM_FWD_URL; value=/directory
< X-Akamai-Session-Info: name=AKA_PM_NETSTORAGE_ROOT; value=
< X-Akamai-Session-Info: name=AKA_PM_PREFETCH_ON; value=true
< X-Akamai-Session-Info: name=AKA_PM_RUM_ENABLED; value=off
< X-Akamai-Session-Info: name=AKA_PM_SR_ENABLED; value=false
< X-Akamai-Session-Info: name=AKA_PM_TD_ENABLED; value=false
< X-Akamai-Session-Info: name=AKA_PM_TD_MAP_PREFIX; value=ch2
< X-Akamai-Session-Info: name=DO_EDGECONNECT_PUBLISH; value=on
< X-Akamai-Session-Info: name=EDGECONNECT_API_CONNECTOR; value=default
< X-Akamai-Session-Info: name=EDGECONNECT_API_CONNECTOR_VERSION; value=1.0
< X-Akamai-Session-Info: name=EDGECONNECT_API_DATA_ELEMENTS; value=http apm
< X-Akamai-Session-Info: name=EDGECONNECT_API_NAME; value=cloud_monitor
< X-Akamai-Session-Info: name=EDGECONNECT_API_NAME_VERSION; value=1.0
< X-Akamai-Session-Info: name=EDGECONNECT_ENDPOINT_HOST; value=cloudmonitor.api.letsencrypt.org
< X-Akamai-Session-Info: name=EDGECONNECT_ENDPOINT_PATH; value=/receiver/v1/http/ZaVnC4dhaV1FQs4AeJxkB6TaDy92omft1AEQ5kAU3Onzqux1BnhJYWCMUghmxXexDPV_Ku8J2g__CZxm3OLV-AKiqAcFqNHHiTGbhdATQZYL8QbaYZMYdQ==
< X-Akamai-Session-Info: name=EDGECONNECT_ENDPOINT_TYPE; value=custom_origin
< X-Akamai-Session-Info: name=EDGECONNECT_EVENT_SCOPE; value=all
< X-Akamai-Session-Info: name=EDGECONNECT_RULE_ID; value=1
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_API_NAME_VERSION; value=1.0
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_CACHE_STATUS; value=0
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_DATA_APM; value=on
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_DATA_GEO; value=on
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_DATA_HTTP; value=on
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_DATA_NETWORK; value=off
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_DATA_REQHEADER; value=on
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_DATA_RESPHEADER; value=on
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_DATA_SEC_APPV2; value=off
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_DATA_SEC_RATE_DENYV2; value=off
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_DATA_SEC_RATE_WARNV2; value=off
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_DATA_WAFV2; value=off
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_END_CLIENT_REQUEST; value=on
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_MIDMILE_LATENCY; value=45
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_MIDMILE_RTT; value=37; full_location_id=X-EdgeConnect-MidMile-RTT
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_NETORIGIN_LATENCY; value=155; full_location_id=X-EdgeConnect-Origin-MEX-Latency
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_SRV_ERROR; value=0
< X-Akamai-Session-Info: name=ENT_EDGECONNECT_TIME_HEX; value=590ccf68
< X-Akamai-Session-Info: name=FASTTCP_RENO_FALLBACK_DISABLE_OPTOUT; value=on
< X-Akamai-Session-Info: name=HEADER_NAMES; value=Host%3aUser-Agent%3aAccept%3aPragma; full_location_id=
< X-Akamai-Session-Info: name=OVERRIDE_HTTPS_IE_CACHE_BUST; value=all
< X-Akamai-Session-Info: name=PMUSER_IP_HASH; value=336
< X-Akamai-Session-Info: name=STRICT_BASELINE_V1ARL_CHECKS; value=<>
< X-Akamai-Session-Info: name=TCP_OPT_APPLIED; value=medium
< X-Serial: 981
< X-Akamai-SSL-Client-Sid: rGPOLePdtfWvGGezEzJCnA==
< Connection: keep-alive
< X-Cache-Remote: TCP_MISS from a2-18-240-87.deploy.akamaitechnologies.com (AkamaiGHost/8.3.2.1-19774280) (-)
<
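
A small dual-stack probe, added here as an example and not code from the thread or from Let's Encrypt: it resolves both AAAA and A records for the API host and performs a TLS handshake against each address (offering ALPN http/1.1, as curl does) under a hard timeout, so a hang on the IPv6 path like the one above shows up as a per-address TIMEOUT while IPv4 still reports OK, instead of an unexplained stall. The host name comes from the thread; the 5-second timeout and the verdict wording are assumptions.

```python
import socket
import ssl

HOST = "acme-v01.api.letsencrypt.org"  # endpoint discussed in the thread
TIMEOUT = 5.0                          # seconds; assumed value


def probe(host, family, timeout=TIMEOUT):
    """Return [(address, status)] for every address of one family (AF_INET/AF_INET6)."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["http/1.1"])  # mirror curl's "ALPN, offering http/1.1"
    try:
        infos = socket.getaddrinfo(host, 443, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # no record of this family (or resolver refused the family)
    results = []
    for *_, sockaddr in infos:
        addr = sockaddr[0]
        try:
            with socket.create_connection((addr, 443), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    status = "OK alpn=%s" % tls.selected_alpn_protocol()
        except socket.timeout:
            status = "TIMEOUT"  # TCP connect or handshake never completed
        except (OSError, ssl.SSLError) as exc:
            status = "ERROR %s" % exc
        results.append((addr, status))
    return results


def verdict(v6, v4):
    """Classify probe results (live or constructed) by which family is broken."""
    ok6 = any(s.startswith("OK") for _, s in v6)
    ok4 = any(s.startswith("OK") for _, s in v4)
    if ok6 and ok4:
        return "both families reachable"
    if ok4 and v6 and not ok6:
        return "ipv6 path broken; ipv4 works (pinning the A record is only a workaround)"
    if ok6 and v4 and not ok4:
        return "ipv4 path broken; ipv6 works"
    if not v6:
        return "no AAAA record; ipv4 " + ("ok" if ok4 else "unreachable")
    return "neither family reachable"


if __name__ == "__main__":
    v6, v4 = probe(HOST, socket.AF_INET6), probe(HOST, socket.AF_INET)
    for addr, status in v6 + v4:
        print("%-40s %s" % (addr, status))
    print(verdict(v6, v4))
```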


#4

Glad that it’s working for you now!

If it starts failing again, an mtr and the curl with all the Akamai pragmas may help us find out what’s going on.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.