Web Site: OSMBLE.com
Forced SSL is turned on
Web Site on Windows Server 2012 R2 running IIS 8.5
This Web Server is co-located at Hurricane Electric in Bay Area, Calif.
In Domain's DNS:
A Record: 184.105.108.176
AAAA Record: 2602:fe92:5::106
This is from my hosting client; she had an IT techie look into an issue and his response was:
"When accessing the website with a new hot spot, the page won't load. When using a different connection, it does load. What is interesting here is that when I ping the website from the functional connection, I get an IPv4 ip address returned. When I ping with the new hotspot, I get an IPv6 address returned. This makes me wonder if there is a DNS translation issue or if the server has an IPv6 address that wasn't meant to be enabled possibly."
The hosting client then stated:
"This mirrors my experience. I’m unable to log in/load the site when my phone has a 5G connection, but when I’m connected via wifi, there are no issues. Similarly, the page will not load (read: gives me the ERR_HTTP_RESPONSE_CODE_FAILURE message) when I’m using a hot spot, which I assume is also that 5G data which may access the site differently."
I do not know how to emulate an IP6 Only network to even replicate the issue being reported.
I do not know if this is a LetsEncrypt SSL cert issue, an IIS 8.5 issue, a DNS issue or a Server issue.
PLEASE, ANY Help would be GREATLY Appreciated.
Thanks Ahead
Yes, SSL is forced on this website, so I can see where http: requests would get denied or forbidden. It is the IPv6 to the https address where it says permission denied; I think that is the issue. I searched the return message and saw some results talking about an IPv6 firewall verses IPv4 firewall. When I go into the Windows Server firewall; I am not seeing a "different" windows firewall for IPv4 verses IPv6; is there such a thing?
The IPv4 A Record = Hurricane Electric and IPv6 AAAA Record = Valley Internet Co is Correct. My friend owns Valley Internet and he is the actual leasor of the Hurricane Elec co-lo; I "sub-lease" two of my servers in his cabinet at Hurricane Elec in Fremont, CA.
Neither your IPv4 or address or your IPv6 address appear to be listening on port 80. The HTTP-01 challenge uses plaintext HTTP, it won't attempt to connect over HTTPS unless it receives an HTTP redirect. See Challenge Types - Let's Encrypt
To receive a certificate without running an HTTP server on port 80 you would need to use the DNS-01 challenge or the TLS-SNI-01 challenge. (The latter is still not practical for use with most web server software AFAIK.)
Ben, possibly I have this setup incorrectly, but the site loads correctly for high majority. The IIS bindings are listed for both the IPv4 and IPv6 on port 80 for both osmble.com and wwww.osmble.com (see original post). Within Windows IIS, Force SSL is turned on. I then have in the IIS Errors section for status codes 403.4 403.5 and 403.14 to execute a javascript which redirects to the https address. The file in the root that is executed is: /redirectssl.htm which is the following:
function goElseWhere()
{
var oldURL = window.location.hostname + window.location.pathname;
var newURL = "https://" + oldURL;
window.location = newURL;
}
goElseWhere();
I have been hosting this site for 9+ years with no issues reported until now, but it appears to only be when a client is on a IPv6 Only network, but a lot of this stuff is foreign to me. I am open for any suggestions to try. Thanks for your reponse; any and all are helpful.
Mike, not familiar with curl, but "I think" the Windows CMD translation is PING ??
ping -4 ifconfig.co returns: 172.64.162.15 (4 packets sent and 4 packets received; 0 Lost)
ping -6 ifconfig.co returns: 2606:4700:e4::ac40:a20f (4 packets sent and 0 packets received; Request timed out x 4; 100% loss)
The results for IPCONFIG are too long to put in here, but the IPv6 address of 2602:fe92:5::106 is listed (along with 80+ other IPv6 addresses and the IPv4 address of: 184.105.108.176 is also listed (along with 90+ other IPv4 addresses). Somewhere in previous posts, I had accidentally stated 184.105.180.176 (that was a typo) it is: 184.105.108.176 and it IS listed in the ipconfig results.
FYI: curl is NOT a recognized command from the server.
Thanks. I see now only supported starting Windows Server 2019 (and Windows 10 too)
I couldn't figure out an alternative with invoke-webrequest.
Do you have any machine outside your network to try an IPv6 request to your domain?
Or, try removing the AAAA record from the DNS. Something seems wrong with the IPv6 config or routing. The reason your site works for most people is most still use IPv4.
