Suddenly cert problem

#7

Aha, that’s what I suspected was happening.

I think this is a port forwarding problem. Your port 80 and port 443 forwarding is applying for IPv4, but not IPv6. (That, or NAT loopback only works for IPv4).

I’m not sure on the exact steps to fix it though, it’s going to depend on your router’s administration interface. Is there a way to forward the ports for IPv6 as well?

If you aren’t able to work it out, you could also consider just removing the AAAA/IPv6 address from your domain name, which will cause your browser to always connect via IPv4, and show the right website.

#8

What concerns the port forwarding: In my router, port 443 is both active for IPv4 and IPv6. So this should work correctly.

What is really strange is that yesterday, all worked correctly - and this morning, I got the problem. I did not make any changes on the router nor the 2 systems here from which I try to connect in my LAN. Can somebody think of any possible cause? I really wonder…

From outside (=internet), it seems that I do not have the problem.

#9

From the internet, your IPv6 port does not respond at all, so the wrong certificate never has a chance to be sent. v4 fallback saves the day.

All signs point to v6 port forwarding not working. No idea why that would randomly break, though.

#10

Hmmm… I restarted the router and now it seems to work.
Can you please counter-check if you get a reply from v6?

What concerns the possible cause: My provider seemed to made an update of the router last night. But if that would have been the cause, this would mean that it shouldn´t work after the reboot as well. I am really kind of insecure in terms of what happens here.

#11

I still can’t connect on IPv6, same as when you originally posted the thread. Your router rejects the connection with ICMP Destination Unreachable (Host administratively prohibited).

In my country, all the customer premises equipment has awful support for IPv6 that breaks all the time, I’m not too surprised if the issues seem “random” :laughing: :disappointed:.

Does the curl -6 at least work for you now?

#12

No, it´s even getting worse:

$ curl -X GET -I -vv -6 https://khymon.homelinux.net

I have to admin that I am not that deep in IPv6 configuration.
Let me ask a question to better understand: May it be that the server behind the router is not configured for IPv6? In other words: Perhaps the port forwarding itself is working, but the server behind does not reply to IPv6 requests? Is there a way to check easily if the forwarding itself works (eg temporarily start any service on the server to check this?)

#13

Well, you can test that theory by trying a curl request from the web server itself:

curl -X GET -I -6 --connect-to khymon.homelinux.net:443:localhost:443 https://khymon.homelinux.net

I don’t think that’s the case though, because we sort of disproved it earlier when you connected to the IP and it showed you the router login screen.

This may have just been a temporary side effect of restarting your router. It should be fine now (when your DNS updates anyway).

#14

gives as output:

# curl -X GET -I -6 --connect-to khymon.homelinux.net:443:localhost:443 https://khymon.homelinux.net
HTTP/1.1 200 OK
Date: Tue, 03 Dec 2019 11:25:29 GMT
Server: Apache/2.4.25 (Debian)
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept-Encoding
Content-Length: 1361
Content-Type: text/html;charset=UTF-8

Generally, the router says:

Internet, IPv6||verbunden seit 03.12.2019, 11:26 Uhr,
IPv6-Adresse: 2a02:810d::8b:75d8:c055:252f:b333, Gültigkeit: 4370/1670s,
IPv6-Präfix: 2a02:810d:45c0:4d7c::/62, Gültigkeit: 4370/1670s|

Concerning my address, this shouldn´t be any problem as well, as the router says:

[DynDNS](http://<router-dyndns-url>) aktiviert, khymon.homelinux.net, IPv4-Status: erfolgreich angemeldet, IPv6-Status: erfolgreich angemeldet

“erfolgreich angemeldet” means “succesfully connected”.
The port forwarding for IPv6 is (as I mentioned earlier) active.

So, if I got that correctly, the router is still somehow intercepting the IPv6 connection?!? I am already searching in google for any known problems here, but I didn´t find anything helpful up to now.

#15

Yes.

Do you know if it is somehow possible to change the IPv6 ports that the router administration interface listens on. For example, to change it from 80 and 443 to 8080 and 8443?

This might “free up” those ports to be available for port forwarding.

Just blind guesses at this point - depends on your router.

Which shows that your web server can handle IPv6 just fine - it’s just never getting the connection from the router.

#16

Slowly, it´s getting very interesting. Today, I booted my PC and tried to access once again. This time, Firefox gave me the following error:

SEC_ERROR_INADEQUATE_KEY_USAGE

Yesterday evening, all worked fine. In the logs of the router, nothing changed. Also, although I ran an update of my linux (Fedora via dnf update), I guess on the client side, nothing changed as well.
I slowly getting the impression that something really strange is happening here…

EDIT: I rebooted my router once again and now, it´s working again. What I can try to do: Switch off the “MyFritz” service on the router, which gives accesibility to certain services of the router via internet.

EDIT2: I noticed something: Before the reboot of the router, I made a ping (from inside my LAN) which showed the following:

$ ping khymon.homelinux.net
PING khymon.homelinux.net(2a02:810d:0:8b:75d8:c055:252f:b333 (2a02:810d:0:8b:75d8:c055:252f:b333)) 56 data bytes
64 bytes from 2a02:810d:0:8b:75d8:c055:252f:b333 (2a02:810d:0:8b:75d8:c055:252f:b333): icmp_seq=1 ttl=64 time=0.394 ms

After the reboot of the router:

$ ping khymon.homelinux.net
PING khymon.homelinux.net (178.27.10.70) 56(84) bytes of data.
64 bytes from ipb21b0a46.dynamic.kabel-deutschland.de (178.27.10.70): icmp_seq=1 ttl=63 time=0.370 ms

On the router, I configured the dyndns to be active. May it be possible that the router is first forwarding via IPv4 which works fine - and after some time, it switched to IPv6 which doesn´t get forwarded?

Strange though… Any thoughts on this?

#17

Well, it’s your desktop computer that chooses whether to use IPv4 or IPv6. Your router doesn’t really get a say. In theory, software is supposed to prefer IPv6, if it’s available at all.

Right now, your domain does not have an IPv6/AAAA record at all. Perhaps you changed something in your DynDNS?

The issue should be absent at the moment, since your domain only resolves via IPv4 (for now).

#18

No, nothing. If I look into the settings right now, IPv6 address (optional) is 2a02:810d::8b:75d8:c055:252f:b333. This seems to be correct, if I´m right.

Now, I just tried - and the ping switched back to IPv6 which means that it is not working at the moment.

#19

If this is the ipv6 of your router, that may be wrong. Normally, every ipv6 device has it’s own address, so no port forwarding is required.

#20

Hm, okay, just let me get into this. When I login into my DynDNS accounts and go on the config site of my host (khymon…), there are two fields: one for “IP Address” (which is the IPv4) and one “IPv6 Address (optional)” - and there is the word “optional” in it. Though, there was always written something in it.

I deleted the entry in the IPv6 field - and now, the ping went back to the IPv4, as far as I can judge.
So I have to admin that I am a very noob in IPv6, because I don´t get it: If there is no IPv6 address in my DynDNS configuration, then how can my domain “khymon.homelinux.net” be translated in any IPv6? I guess there is something missing in my big picture about this.

Generally speaking: Now, I am back on IPv4 and it works. But I remember that it was so kind of discussion with my internet provider to give me an IPv4 address. If this reoccurs: How the heck should I then go on?

If anybody has a short explanation and/or a link with an easy start of IPv6, I would really appreciate this. All things about IPv6 I found so far were quite technical - and I guess I need some basic introduction.

#21

For IPv6, every device on your network has a globally unique address. To enable it on your server, you should make sure apache is bound to :: then open access from 80 and 443 through your firewall on the server and the firewall on your router

#22

I got that every device has an unique global address. And with your explanation, I think I slowly understand the main difference between v4 and v6: v4 has limited addresses and therefor, the dyndns v4 has it´s own address on the router external. For v6, the routers dyndns client connects to the dyndns server - and the forwarding is done idependently for each device behind the router. That’s how my brain explains the situation.

The only missing thing is: Both my dyndns and my router do support both v4 and v6. As an earlier answer was that I client connecting to my net is deciding which version to take. Is there an easy answer on which basis this decision is taken? I may think of the possibilities of the client/device. As far as I know, mobile devices still rely on v4, so this will still be here for quite some years.

Anyhow, it would be nice if anyone could fill the holes in my brain concerning the subject.
Beside: I thank everyone to help me in understanding this. I really appreciate your help.

#23

Hi @Khymick,

The behavior of every client is somewhat different. Some web browsers use a fallback mechanism

where they are willing to fall back to IPv4 if IPv6 appears not to work. The fallback behavior may depend on the layer at which the connection failed.

The Let’s Encrypt CA has its own fallback method, which definitely depends upon the layer at which the connection failed. It starts with IPv6 and will in some cases fall back to IPv4 if the IPv6 connection doesn’t work.

In principle there are also many systems that are IPv6-only or IPv4-only. Also with some models of carrier-grade NAT

the client’s ISP is essentially making this decision for it.

Some tools allow the user to explicitly specify one protocol or the other; for example, a number of Unix command-line networking tools allow specifying -4 for IPv4-only and -6 for IPv6-only (e.g. curl -4 or ssh -6). The default behavior of these tools may otherwise be “use v6 if advertised (with no fallback to v4); use v4 if v4 isn’t advertised”.

The Happy Eyeballs behavior or something similar to it is the most commonly implemented behavior for desktop web browsers that know that they are on a dual-stack network.

1 Like
#24

@schoen: Thanks a lot for your reply. It help a lot to understand a little bit more.

What I did is to delete the entry in the “IPv6 (optional)” field of my dyndns (see screenshot). Now, I cannot ping my address with “ping -6 khymon.homelinux.net” anymore. But what is the correct way to get an IPv6/AAAA record for this? Shouldn´t this be automatically done by the dyndns service?

47
Bildschirmfoto 2019-12-05 um 08.12.47.png1188×404 21.1 KB

#25

Sure, it should be automatic.

If @JuergenAuer and @ski192man are right about there not being any IPv6 NAT (port forwarding) in your scenario, then it would be more correct to keep the IPv6 DynDNS disabled for your domain - since you don’t want it pointing it to your router’s IPv6 address.

Instead, you would configure your Linux server to automatically acquire a global IPv6 address via your ISP, and then you would set the AAAA record for your domain to that address.

That would leave you with a functional IPv6 setup for your webserver, I think.

#26

I don’t know if it is possible to use a home ipv6 with a webserver.

I use outgoing ipv6. But incoming ipv6 -> only with servers in a data center, so the ipv6 address is fixed.

There are some incoming ipv6 systems with a FritzBox and something like a DynDNS randomname.myfritz.net and a special port.

Then acts a FritzBox DNS server as DynDNS and is able to change the ipv6 address if the ISP sends a new address (happens sometimes).

But your DynDNS doesn’t know something about your router.