Nginx + IPv6: cannot obtain/renew

Hello guys, I ran into the infamous nginx + IPv6 problem. On my server I run several virtual hosts on both IPv4 and IPv6. IPv6 works as expected, but I cannot renew/obtain the certificate as soon as I set an AAAA record on the domain, since certbot prefers IPv6.

This is my default_server catch-all host:

server
{
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    include /etc/nginx/snippets/letsencrypt.conf;
}

server
{
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    ssl_certificate /etc/letsencrypt/live/arodax.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/arodax.com/privkey.pem;
    include /etc/nginx/snippets/letsencrypt.conf;
}

I have some other hosts on my server; some are IPv4 only, but this one listens on both:

server
{
    listen 80;
    listen [::]:80;
    server_name upczone.cz www.upczone.cz;
    include /etc/nginx/snippets/letsencrypt.conf;
    return 301 https://www.upczone.cz$request_uri;
}

server
{
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name upczone.cz;
    ssl_certificate /etc/letsencrypt/live/upczone.cz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/upczone.cz/privkey.pem;
    include /etc/nginx/snippets/letsencrypt.conf;
    return 301 https://www.upczone.cz$request_uri;
}

The /etc/nginx/snippets/letsencrypt.conf file contains:

location ~ /.well-known/acme-challenge/ {
    access_log /var/log/nginx/acme-challenge/access.log;
    try_files $uri =404;
    default_type "text/plain";
    root /var/www;
    break;
}

This works perfectly with a host that runs on IPv4 only, but as soon as I try an IPv4+IPv6 host (the one above) I run into the problem. Can anyone help me?

My domain is: upczone.cz

I ran this command: certbot-auto certonly --webroot -w /var/www -d upczone.cz --dry-run

It produced this output:

Domain: upczone.cz
Type: connection
Detail: Fetching
http://upczone.cz/.well-known/acme-challenge/0LkncoOZqC79lXtSsLaOGXfrMxiYqgZcc_vpN4aGxCM:
Error getting validation data

My web server is (include version): nginx/1.14.2

1 Like

Your IPv4 and IPv6 IPs do NOT return the same HTTP content:

curl -Iki4 http://upczone.cz/
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 29 Jan 2020 03:02:30 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://www.upczone.cz/
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin

curl -Iki6 http://upczone.cz/
curl: (52) Empty reply from server

2 Likes

Compare with these HTTPS connection replies [which match]:

curl -Iki4 https://upczone.cz/
HTTP/2 301
server: nginx
date: Wed, 29 Jan 2020 03:12:44 GMT
content-type: text/html
content-length: 178
location: https://www.upczone.cz/
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin

curl -Iki6 https://upczone.cz/
HTTP/2 301
server: nginx
date: Wed, 29 Jan 2020 03:14:06 GMT
content-type: text/html
content-length: 178
location: https://www.upczone.cz/
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin

2 Likes

Should be as simple as updating/creating an AAAA record in DNS with the same IP as the A record, I believe…

rg305: Thank you for the quick reply! Though I’m not sure what’s wrong with my Nginx config, as it seems correct to me. The server listens on both IPv4 and IPv6 and redirects everything to https://www.upczone.cz; this configuration works on IPv4 without any problem.

server
{
    listen 80;
    listen [::]:80;
    server_name upczone.cz www.upczone.cz;
    include /etc/nginx/snippets/letsencrypt.conf;
    return 301 https://www.upczone.cz$request_uri;
}

while the HTTPS server passes the request on to the upstream:

server
{
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.upczone.cz;
    ssl_certificate /etc/letsencrypt/live/upczone.cz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/upczone.cz/privkey.pem;
    include /etc/nginx/snippets/proxy_pass_apache2.conf;
}

Could you please explain a little bit more? I’m pretty new to IPv6, unfortunately.

1 Like

Lub:

dig A +short upczone.cz -> 217.16.185.203
dig AAAA +short upczone.cz -> 2a00:1ed0:110::b

Both IP addresses are routed to the same server and work correctly; the problem seems to be that nginx does not give the correct response for curl -Iki6 http://upczone.cz/, as rg305 mentioned.

2 Likes

I don’t think it is the nginx conf.
It might be the (firewall) port forwarding.

Maybe I included too much text in my previous messages and the “message” was lost.
Let me shrink it down and try again:

curl -Iki4 http://upczone.cz/ [HTTP via IPv4 = GOOD]
301 Moved Permanently
https://www.upczone.cz/

curl -Iki4 https://upczone.cz/ [HTTPS via IPv4 = GOOD]
301
https://www.upczone.cz/

curl -Iki6 http://upczone.cz/ [HTTP via IPv6 = BAD]
curl: (52) Empty reply from server

curl -Iki6 https://upczone.cz/ [HTTPS via IPv6 = GOOD]
301
https://www.upczone.cz/

Since LE prefers IPv6 and starts with HTTP, you are unable to complete their initial request (http://IPv6)
[which never gets forwarded to https and never finds the authentication token to complete your request]

3 Likes
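The check rg305 performs by hand above can be scripted so it is run before every renewal. The following is an added example and not code from the thread or from certbot: it resolves the domain's A and AAAA records, places a random token under the ACME webroot, fetches it over every address with an explicit Host header (so the same virtual host answers that Let's Encrypt would reach), and reports any address that closes the connection, redirects, or serves the wrong body. The domain and webroot defaults are the ones from the thread; the fetcher is pluggable so the verdict logic can be exercised without network access.

```python
"""Pre-flight HTTP-01 reachability check over IPv4 and IPv6 (added example)."""
import http.client
import secrets
import socket
from pathlib import Path

DOMAIN = "upczone.cz"        # domain from the thread
WEBROOT = Path("/var/www")   # the -w /var/www webroot from the thread
CHALLENGE_DIR = ".well-known/acme-challenge"


def resolve(domain):
    """Return {'A': [ipv4...], 'AAAA': [ipv6...]} via the system resolver."""
    addrs = {"A": [], "AAAA": []}
    for family, rrtype in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            infos = socket.getaddrinfo(domain, 80, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of that type: nothing to probe for this family
        for info in infos:
            ip = info[4][0]
            if ip not in addrs[rrtype]:
                addrs[rrtype].append(ip)
    return addrs


def fetch_token(ip, domain, token, timeout=10):
    """GET http://<ip>/.well-known/acme-challenge/<token> with Host: <domain>.

    Returns (status, body) on an HTTP reply, or (None, error) when the peer
    closes without answering (curl's "Empty reply from server") or is unreachable.
    """
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": domain})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    except (OSError, http.client.HTTPException) as exc:
        return None, f"{type(exc).__name__}: {exc}"
    finally:
        conn.close()


def evaluate(results, token):
    """Map {(rrtype, ip): (status, body)} to {(rrtype, ip): (ok, detail)}."""
    verdicts = {}
    for key, (status, body) in results.items():
        if status is None:
            verdicts[key] = (False, f"no HTTP reply ({body}): check the listener/firewall for this family")
        elif status == 200 and body.strip() == token:
            verdicts[key] = (True, "token served")
        elif status == 200:
            verdicts[key] = (False, "200 with wrong body: another vhost or webroot answered")
        elif 300 <= status < 400:
            verdicts[key] = (False, f"redirected ({status}); the redirect target was not checked here")
        else:
            verdicts[key] = (False, f"HTTP {status}")
    return verdicts


def run_check(domain=DOMAIN, webroot=WEBROOT, addrs=None, fetcher=fetch_token):
    """Publish a token (when webroot is given), probe every address, remove the token again."""
    token = secrets.token_urlsafe(32)
    token_file = None
    if webroot is not None:
        token_file = Path(webroot) / CHALLENGE_DIR / token
        token_file.parent.mkdir(parents=True, exist_ok=True)
        token_file.write_text(token)
    try:
        if addrs is None:
            addrs = resolve(domain)
        results = {(rrtype, ip): fetcher(ip, domain, token)
                   for rrtype, ips in addrs.items() for ip in ips}
        return evaluate(results, token)
    finally:
        if token_file is not None:
            token_file.unlink(missing_ok=True)


if __name__ == "__main__":
    verdicts = run_check()
    for (rrtype, ip), (ok, detail) in verdicts.items():
        print(f"{'OK  ' if ok else 'FAIL'} {rrtype:4} {ip:40} {detail}")
    raise SystemExit(0 if verdicts and all(ok for ok, _ in verdicts.values()) else 1)
```

Run it as the user that owns the webroot on the server itself; a FAIL on the AAAA line with "no HTTP reply" is exactly the curl (52) seen above and points at the IPv6 side of port 80 (listener, firewall or forwarding), not at the vhost configuration, while a FAIL with a wrong body means a different virtual host or webroot answered for that family.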

Hi @cur53se

your IPv6 doesn’t work.

Checking your domain - a lot of different colors, too many colors. And a Grade W checking http + IPv6 - https://check-your-website.server-daten.de/?q=upczone.cz

Tracert works, but the ConnectionClosed is critical.