No success with verifying my domain names


#1

The actual webroot is /var/www/html, owned by www-data. Port forwarding from the router to the server for ports 80 and 443 is enabled. The public domain is bisskultur.de; the private domain is fritz.box.
My router's (fritzbox) IPv6 is switched off. I have no reason for leasing private IPv6 addresses.

Resolving the FQDN doesn’t cause any problems, as you can try yourself.

My domain is: bisskultur.de

I ran this command: sudo certbot


My web server is (include version): apache2 2.4.25-3+deb9u3

The operating system my web server runs on is (include version): Debian Stretch Kernel 4.9.0-6-amd64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes, if port 22 is forwarded


#2

If you cannot enable IPv6 for your domain, you must not offer any IPv6 addresses:

$ host bisskultur.de
bisskultur.de has address 217.92.135.180
bisskultur.de has IPv6 address 2003:a:7f:87ad:e228:6dff:feea:dd02

You have to drop the AAAA record.


#3

Hello bytecamp,
it’s not me setting up public IPv6, but TELEKOM. The public IPv6 address can be resolved the same way as the public IPv4 address, forwards and backwards. So where is the problem? I just do not need to open the router's door for IPv6. As long as both addresses can be resolved forwards and backwards, as they are, certbot should work. And they can, as you can check.
I don’t understand!


#4

You have to, as long as you offer AAAA records for your domain. Let’s Encrypt favors IPv6 over IPv4 if there is an AAAA record.
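Posts #2 and #4 together say the validator will use the AAAA address whenever one is advertised, so the pre-flight check below, added here and not part of the thread, looks up the domain the same way (`host`) and tests whether port 80 answers over each advertised address family before certbot is run. It assumes `host` and `curl` are installed; the `/.well-known/acme-challenge/preflight` path is only a placeholder URL, and any HTTP reply (even a 404) counts as reachable.

```shell
#!/bin/sh
# Added pre-flight check (not from the thread): before running certbot, verify that
# every address the domain advertises is reachable on port 80, because the ACME
# validator prefers an AAAA record when one exists. Assumes `host` and `curl` exist.

# Print the IPv4 addresses from `host DOMAIN` output passed as $1
a_from_host_output() {
  printf '%s\n' "$1" | awk '/ has address / { print $NF }'
}

# Print the IPv6 addresses from `host DOMAIN` output passed as $1
aaaa_from_host_output() {
  printf '%s\n' "$1" | awk '/ has IPv6 address / { print $NF }'
}

# True (exit 0) when the output shows at least one AAAA record
advertises_ipv6() {
  [ -n "$(aaaa_from_host_output "$1")" ]
}

# Try to reach port 80 over one address family ($1 is -4 or -6, $2 the domain).
# Any HTTP reply (even 404) counts as reachable; only connect/timeout errors fail.
reachable_over() {
  curl "$1" -s -o /dev/null -m 10 "http://$2/.well-known/acme-challenge/preflight"
}

# Exit 0 if validation should work, 1 with a diagnosis otherwise, 2 on lookup failure
preflight() {
  out=$(host "$1") || { echo "DNS lookup for $1 failed"; return 2; }
  status=0
  if advertises_ipv6 "$out"; then
    if reachable_over -6 "$1"; then
      echo "IPv6 ($(aaaa_from_host_output "$out")): port 80 reachable"
    else
      echo "AAAA record present but port 80 unreachable over IPv6:"
      echo "  either forward 80/443 for IPv6 on the router or drop the AAAA record"
      status=1
    fi
  fi
  if reachable_over -4 "$1"; then
    echo "IPv4 ($(a_from_host_output "$out")): port 80 reachable"
  else
    echo "port 80 unreachable over IPv4: check port forwarding"
    status=1
  fi
  return $status
}

# Usage: preflight bisskultur.de
```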


#5

Furthermore, it does indeed seem to be a problem with IPv6. For my second domain with TELEKOM, “bisskultur.net”, IPv6 is not yet provided for contract reasons, and it has been working fine for years.
But this problem should be solved by certbot. It is not a user problem, as long as both addresses are resolved correctly.
Am I wrong? Maybe, I guess. Therefore I’m asking for help.
:wink:


#6

AAAHHH…
Hm!
So, opening the router's door for IPv6 can remove the problem? I will try and come back!


#7

Thanks!
I figured out how to remove the AAAA records and was successful in getting certificates. SSL Labs is giving an A+. However, the certificates are not recognized by email software like OS X Mail or Mozilla Thunderbird.

This software is still presenting the old GeoTrust certificates.
The same with Webmin on port 10000.

As far as I have checked my Apache configuration, I cannot find a mistake. Although it doesn’t seem to be on topic here, perhaps you can give another useful hint?


#8

You have to configure your mail server software to use the correct certificate. After doing so, you will most likely have to restart the software.


#9

Wow, as quick as it is easy!
Since I use CitadelGroupwareServer, I haven't had a look at the mail server configuration files. I will do that.
But what about port 10000?


#10

You’d need to do the same with Webmin.


#11

Thanks!
I could be considered a greenhorn. :stuck_out_tongue_closed_eyes:
Problem solved.

