Seperate Machines IPv4 and IPv6 with one Domain (Proxie an Server on different machines)

elearningdienst · July 10, 2021, 6:27am

My domain is:

With a NGINX Proxy on the A Record (IPv4, seperate machine) (I just have one IPv4 for different services)

And the Server (AAAA Record, IPv6, different virtual machine)

I ran this command:

sudo /usr/bin/letsencrypt renew --dry-run (on the Proxy)

It produced this output:

ZIPPPP

Processing /etc/letsencrypt/renewal/cloud.elearningdienst.de.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.elearningdienst.de
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Challenge failed for domain cloud.elearningdienst.de
http-01 challenge for cloud.elearningdienst.de
Cleaning up challenges
Attempting to renew cert (cloud.elearningdienst.de) from /etc/letsencrypt/renewal/cloud.elearningdienst.de.conf produced an unexpected error: Some challenges have failed.. Skipping.

ZIPPPP

The following certs could not be renewed:
/etc/letsencrypt/live/cloud.elearningdienst.de/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: cloud.elearningdienst.de
Type: unauthorized
Detail: Invalid response from
Nextcloud
[2a00:6020:15ca:5300:68f3:b0ff:fe63:7632]: "\n<html
class="ng-csp" data-placeholder-focus="false" lang="de"
data-locale="de_DE" >\n\t<head\n data-requesttoken="b"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

The AAAA Record is correct, but shows on the VM, because only the IPv4 is proxied through the nginx.

My web server is (include version):

nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):

UBUNTU 20.04

My hosting provider, if applicable, is:

Self-hosted

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.40.0

My Question: How can I make my setting work? I found that ticket in GitHub Support separate IPv4 and IPv6 servers · Issue #3847 · letsencrypt/boulder · GitHub but it is closed. So I think I'm not the only one with that specific problem/ issue.

rg305 · July 10, 2021, 4:55pm

If you are going to use a cert for a single name on two separate systems, you will have to understand some things...
Given:

LE prefers IPv6 when present, So all the challenge requests will go to the IPv6 system.
IPv4 and IPv6 systems don't natively speak with each other directly; copying files securely between them over the Internet is complicated.
Using DNS authentication can remove the source IP from the equation - but not all DSPs offer APIs for DNS updating.

So I have some questions and some possible pointers.

Q#1 How/Why do you serve the same site from two separate systems?
Q#2 How do you synchronize their content?

P#1 Stick to the K.I.S.S. principle.
P#2 Ensure all steps are automated.
P#3 Take advantage of any related known working solutions.
P#4 Feel free to ask questions.

elearningdienst · July 10, 2021, 9:11pm

Q#1 How/Why do you serve the same site from two separate systems?

I serve it just once. I have only one IPv4 ant that one is on the nginx proxy. The "main" system is IPv6 only.

Q#2 How do you synchronize their content?

I don't need to, cause it is a proxy.

P#1 Stick to the K.I.S.S. principle.

Sure, because of that I use a proxy

P#2 Ensure all steps are automated.

Well, that's my problem. On both machines there is a certbot installed. With the same user ID. But it always uses the IPv6. What I need is the same certificate on the proxy and the content-machine

P#3 Take advantage of any related known working solutions.

I'll try the DNS Challenge. ~~I think my provider will support that, but I don't know how that will work~~

P#4 Feel free to ask questions.

Thats why I'm here. I can't imagine that I will be the only one with a proxy in front of a VM who is using letsencrypt.

rg305 · July 10, 2021, 9:46pm

hmm...
Can the proxy also do IPv6?

But you may be one of few who bypass the IPv4 path with an IPv6 path.
In other words, the proxy isn't completely in front of the VM (only via IPv4).

schoen · July 10, 2021, 9:51pm

Is it a TCP-layer or HTTP-layer proxy? In the latter case there is a problem if you don't have the certificate and key also present on the proxy, because it can't complete the TLS negotiation with the client without them.

rg305 · July 10, 2021, 9:58pm

It would seem to be the latter.

But what is really needed is to put the entire VM (IPv4 & IPv6) behind the proxy.
[even if two ISPs are being used, one can still route IPv4 on eth0 and IPv6 on eth1]

elearningdienst · July 25, 2021, 12:35pm

I finally put the ipv4 and the ipv6 interface behind the proxy. Now everything is fine.

system · August 24, 2021, 12:35pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.