Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My web server is (include version):
Server version: Apache/2.4.25 (Debian)
Server built: 2019-08-19T19:25:31
The operating system my web server runs on is (include version): Debian GNU/Linux 9
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0
Problem description:
Today, all of a sudden, I cannot access my server anymore due to cert issues. My cert is still valid. What I get in Firefox is: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT.
Strangely enough, because I am not aware of any changes on the web server.
Thanks for your reply.
It seems that the problem is only coming from inside my home network. I can reproduce the problem on 2 machines with 2 different OSes.
I have never had anything like this. Can you please tell me where I can start looking for the cause? I am not at all sure where to start…
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I think this is a port forwarding problem. Your port 80 and port 443 forwarding is applying for IPv4, but not IPv6. (That, or NAT loopback only works for IPv4).
I’m not sure on the exact steps to fix it though, it’s going to depend on your router’s administration interface. Is there a way to forward the ports for IPv6 as well?
If you aren’t able to work it out, you could also consider just removing the AAAA/IPv6 address from your domain name, which will cause your browser to always connect via IPv4, and show the right website.
As for the port forwarding: in my router, port 443 is active for both IPv4 and IPv6. So this should work correctly.
What is really strange is that yesterday, all worked correctly - and this morning, I got the problem. I did not make any changes to the router or to the 2 systems here from which I try to connect in my LAN. Can somebody think of any possible cause? I really wonder…
From outside (=internet), it seems that I do not have the problem.
Hmmm… I restarted the router and now it seems to work.
Can you please counter-check if you get a reply from v6?
As for the possible cause: my provider seems to have made an update of the router last night. But if that had been the cause, it shouldn't work after the reboot either. I am really kind of unsure about what is happening here.
I still can’t connect on IPv6, same as when you originally posted the thread. Your router rejects the connection with ICMP Destination Unreachable (Host administratively prohibited).
In my country, all the customer premises equipment has awful support for IPv6 that breaks all the time, I’m not too surprised if the issues seem “random” .
I have to admit that I am not that deep in IPv6 configuration.
Let me ask a question to better understand: may it be that the server behind the router is not configured for IPv6? In other words: perhaps the port forwarding itself is working, but the server behind it does not reply to IPv6 requests? Is there a way to check easily if the forwarding itself works (e.g. temporarily start any service on the server to check this)?
"erfolgreich angemeldet" means "successfully connected".
The port forwarding for IPv6 is (as I mentioned earlier) active.
So, if I got that correctly, the router is still somehow intercepting the IPv6 connection?!? I am already searching on Google for any known problems here, but I didn't find anything helpful up to now.
Do you know if it is somehow possible to change the IPv6 ports that the router administration interface listens on? For example, to change them from 80 and 443 to 8080 and 8443?
This might "free up" those ports to be available for port forwarding.
Just blind guesses at this point - depends on your router.
Which shows that your web server can handle IPv6 just fine - it's just never getting the connection from the router.
Slowly, it's getting very interesting. Today, I booted my PC and tried to access it once again. This time, Firefox gave me the following error:
SEC_ERROR_INADEQUATE_KEY_USAGE
Yesterday evening, all worked fine. In the logs of the router, nothing changed. Also, although I ran an update of my Linux (Fedora via dnf update), I guess nothing changed on the client side either.
I am slowly getting the impression that something really strange is happening here…
EDIT: I rebooted my router once again and now it's working again. What I can try to do: switch off the "MyFritz" service on the router, which gives accessibility to certain services of the router via the internet.
EDIT2: I noticed something: Before the reboot of the router, I made a ping (from inside my LAN) which showed the following:
$ ping khymon.homelinux.net
PING khymon.homelinux.net(2a02:810d:0:8b:75d8:c055:252f:b333 (2a02:810d:0:8b:75d8:c055:252f:b333)) 56 data bytes
64 bytes from 2a02:810d:0:8b:75d8:c055:252f:b333 (2a02:810d:0:8b:75d8:c055:252f:b333): icmp_seq=1 ttl=64 time=0.394 ms
After the reboot of the router:
$ ping khymon.homelinux.net
PING khymon.homelinux.net (178.27.10.70) 56(84) bytes of data.
64 bytes from ipb21b0a46.dynamic.kabel-deutschland.de (178.27.10.70): icmp_seq=1 ttl=63 time=0.370 ms
On the router, I configured the DynDNS to be active. May it be possible that the router is first forwarding via IPv4, which works fine - and after some time, it switches to IPv6, which doesn't get forwarded?
Well, it's your desktop computer that chooses whether to use IPv4 or IPv6. Your router doesn't really get a say. In theory, software is supposed to prefer IPv6, if it's available at all.
Right now, your domain does not have an IPv6/AAAA record at all. Perhaps you changed something in your DynDNS?
The issue should be absent at the moment, since your domain only resolves via IPv4 (for now).
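An added diagnostic (not from this thread or any of its participants) that makes the check being discussed concrete: resolve the A and AAAA records of a host, fetch the leaf certificate over each address family, and compare fingerprints. A mismatch means IPv4 and IPv6 reach different listeners, which is what a self-signed or inadequate-key-usage error seen only from inside the LAN points to. The hostname is assumed to be passed on the command line; example.com is only a placeholder.

```python
import hashlib
import socket
import ssl

PORT = 443

def resolve(host, family):
    """First address of the given family (AF_INET = A record, AF_INET6 = AAAA), or None."""
    try:
        infos = socket.getaddrinfo(host, PORT, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None

def leaf_fingerprint(host, addr):
    """Connect to one address with SNI=host and return the SHA-256 of the leaf cert.
    Verification is disabled on purpose: we want to see which cert is actually served."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((addr, PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def diagnose(fp_v4, fp_v6):
    """Pure decision logic (no network); None means unresolved or unreachable."""
    if fp_v4 is None and fp_v6 is None:
        return "neither IPv4 nor IPv6 reachable on port 443"
    if fp_v4 is None or fp_v6 is None:
        return "only one address family reachable: check the AAAA record and IPv6 forwarding"
    if fp_v4 == fp_v6:
        return "same certificate over IPv4 and IPv6: not a dual-stack problem"
    return "different certificates: IPv6 reaches another listener (e.g. the router itself)"

def probe(host):
    """Resolve and connect over both families; return (fp_v4, fp_v6, verdict)."""
    fps = []
    for family in (socket.AF_INET, socket.AF_INET6):
        addr = resolve(host, family)
        try:
            fps.append(leaf_fingerprint(host, addr) if addr else None)
        except (OSError, ssl.SSLError):  # unreachable, refused, or handshake failed
            fps.append(None)
    return fps[0], fps[1], diagnose(fps[0], fps[1])

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it from inside the LAN and from outside; if the verdicts differ, the router (NAT loopback or its own admin interface) is the place to look.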
No, nothing. If I look into the settings right now, the IPv6 address (optional) is 2a02:810d::8b:75d8:c055:252f:b333. This seems to be correct, if I'm right.
Now, I just tried - and the ping switched back to IPv6 which means that it is not working at the moment.
Hm, okay, just let me get into this. When I log in to my DynDNS account and go to the config page of my host (khymon…), there are two fields: one for "IP Address" (which is the IPv4) and one "IPv6 Address (optional)" - and the word "optional" is in it. Though, there was always something written in it.
I deleted the entry in the IPv6 field - and now, the ping went back to IPv4, as far as I can judge.
So I have to admit that I am very much a noob in IPv6, because I don't get it: if there is no IPv6 address in my DynDNS configuration, then how can my domain "khymon.homelinux.net" be translated into any IPv6 address? I guess there is something missing in my big picture about this.
Generally speaking: now, I am back on IPv4 and it works. But I remember that it was kind of a discussion with my internet provider to give me an IPv4 address. If this reoccurs: how the heck should I then go on?
If anybody has a short explanation and/or a link with an easy start of IPv6, I would really appreciate this. All things about IPv6 I found so far were quite technical - and I guess I need some basic introduction.