Website won't come up forced SSL on IP6 networks

Web Site: OSMBLE.com
Forced SSL is turned on
Web Site on Windows Server 2012 R2 running IIS 8.5
This Web Server is co-located at Hurricane Electric in Bay Area, Calif.

In Domain's DNS:
A Record: 184.105.108.176
AAAA Record: 2602:fe92:5::106

Current IIS 8.5 Bindings

| Type | Host Name | Port | IP Address |
|-------|----------------|------|--------------------|
| http | www.osmble.com | 80 | [2602:fe92:5::106] |
| http | osmble.com | 80 | [2602:fe92:5::106] |
| http | www.osmble.com | 80 | 184.105.108.176 |
| http | osmble.com | 80 | 184.105.108.176 |
| https | www.osmble.com | 443 | * |
| https | osmble.com | 443 | * |

This is from my hosting client; she had an IT techie look into an issue and his response was:
"When accessing the website with a new hot spot, the page won't load. When using a different connection, it does load. What is interesting here is that when I ping the website from the functional connection, I get an IPv4 ip address returned. When I ping with the new hotspot, I get an IPv6 address returned. This makes me wonder if there is a DNS translation issue or if the server has an IPv6 address that wasn't meant to be enabled possibly."

The hosting client then stated:
"This mirrors my experience. I’m unable to log in/load the site when my phone has a 5G connection, but when I’m connected via wifi, there are no issues. Similarly, the page will not load (read: gives me the ERR_HTTP_RESPONSE_CODE_FAILURE message) when I’m using a hot spot, which I assume is also that 5G data which may access the site differently."

I do not know how to emulate an IP6 Only network to even replicate the issue being reported.
I do not know if this is a LetsEncrypt SSL cert issue, an IIS 8.5 issue, a DNS issue or a Server issue.

PLEASE, ANY Help would be GREATLY Appreciated.
Thanks Ahead

1 Like

Hi @platzb, and welcome to the LE community forum :)

Via HTTP, the IPv6 connections fail, the IPv4 connections seem to work:

```text
curl -Ii6 http://osmble.com/
curl: (56) Recv failure: Connection reset by peer

curl -Ii4 http://osmble.com/
HTTP/1.1 403 Forbidden
Content-Length: 266
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2022 02:07:34 GMT
```

Via HTTPS, they seem to work, but give quite different results:

```text
curl -Ii6 https://osmble.com/
curl: (7) Failed to connect to osmble.com port 443: Permission denied

curl -Ii4 https://osmble.com/
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 128
Content-Type: text/html; charset=utf-8
Location: /login.aspx
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2022 02:07:51 GMT
```

5 Likes

A = Hurricane Electric LLC

AAAA = Valley Internet Company LLC

6 Likes

Yes, SSL is forced on this website, so I can see where http: requests would get denied or forbidden. It is the IPv6 to the https address where it says permission denied; I think that is the issue. I searched the return message and saw some results talking about an IPv6 firewall versus IPv4 firewall. When I go into the Windows Server firewall, I am not seeing a "different" Windows firewall for IPv4 versus IPv6; is there such a thing?

The IPv4 A Record = Hurricane Electric and IPv6 AAAA Record = Valley Internet Co is correct. My friend owns Valley Internet and he is the actual lessor of the Hurricane Elec co-lo; I "sub-lease" two of my servers in his cabinet at Hurricane Elec in Fremont, CA.

Neither your IPv4 address nor your IPv6 address appears to be listening on port 80. The HTTP-01 challenge uses plaintext HTTP; it won't attempt to connect over HTTPS unless it receives an HTTP redirect. See Challenge Types - Let's Encrypt

To receive a certificate without running an HTTP server on port 80 you would need to use the DNS-01 challenge or the TLS-SNI-01 challenge. (The latter is still not practical for use with most web server software AFAIK.)

1 Like

Ben, possibly I have this set up incorrectly, but the site loads correctly for the high majority. The IIS bindings are listed for both the IPv4 and IPv6 on port 80 for both osmble.com and www.osmble.com (see original post). Within Windows IIS, Force SSL is turned on. I then have in the IIS Errors section for status codes 403.4, 403.5 and 403.14 to execute a JavaScript which redirects to the https address. The file in the root that is executed is /redirectssl.htm, which is the following:

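```javascript
// Rebuild the current URL with the https scheme and navigate to it.
// Only hostname and path are carried over; query string and fragment are dropped.
function goElseWhere()
{
    var oldURL = window.location.hostname + window.location.pathname;
    var newURL = "https://" + oldURL;
    window.location = newURL;
}
goElseWhere();
```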

I have been hosting this site for 9+ years with no issues reported until now, but it appears to only be when a client is on an IPv6 Only network, but a lot of this stuff is foreign to me. I am open to any suggestions to try. Thanks for your response; any and all are helpful.

Can you show the result of these from your server?

```text
curl -4 https://ifconfig.co
curl -6 https://ifconfig.co
```

5 Likes

Mike, not familiar with curl, but "I think" the Windows CMD translation is PING ??
ping -4 ifconfig.co returns: 172.64.162.15 (4 packets sent and 4 packets received; 0 Lost)
ping -6 ifconfig.co returns: 2606:4700:e4::ac40:a20f (4 packets sent and 0 packets received; Request timed out x 4; 100% loss)

Try showing the output of:
ipconfig

5 Likes

Those curl commands work on my Windows 10 PC. Or the ipconfig from rg305

The ping outputs are not helpful

4 Likes

The results for IPCONFIG are too long to put in here, but the IPv6 address of 2602:fe92:5::106 is listed (along with 80+ other IPv6 addresses) and the IPv4 address of 184.105.108.176 is also listed (along with 90+ other IPv4 addresses). Somewhere in previous posts, I had accidentally stated 184.105.180.176 (that was a typo); it is 184.105.108.176 and it IS listed in the ipconfig results.
FYI: curl is NOT a recognized command from the server.

Thanks. I see now only supported starting Windows Server 2019 (and Windows 10 too)
I couldn't figure out an alternative with invoke-webrequest.

Do you have any machine outside your network to try an IPv6 request to your domain?

Or, try removing the AAAA record from the DNS. Something seems wrong with the IPv6 config or routing. The reason your site works for most people is most still use IPv4.

4 Likes
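
A per-address-family check that needs no curl, as an added example that is not part of the original thread: it resolves the name, then sends an HTTP HEAD over every A and AAAA address on ports 80 and 443 and reports the status line or the socket error. `Test-DualStack` is a hypothetical helper name; PowerShell 3.0 or later, .NET 4.5 or later and TLS 1.2 on the target are assumed.

```powershell
# Added example, not from the thread. Test-DualStack is a hypothetical name.
function Test-DualStack {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$TimeoutMs = 5000
    )
    $request = [Text.Encoding]::ASCII.GetBytes(
        "HEAD / HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n")

    # GetHostAddresses returns the A and AAAA results the local resolver
    # hands out; each address is tested on a socket of its own family.
    foreach ($address in [System.Net.Dns]::GetHostAddresses($HostName)) {
        foreach ($port in 80, 443) {
            $client = New-Object System.Net.Sockets.TcpClient($address.AddressFamily)
            $client.ReceiveTimeout = $TimeoutMs
            $client.SendTimeout = $TimeoutMs
            try {
                if (-not $client.ConnectAsync($address, $port).Wait($TimeoutMs)) {
                    throw "TCP connect timed out"
                }
                $stream = $client.GetStream()
                if ($port -eq 443) {
                    # Assumption: the server accepts TLS 1.2.
                    $stream = New-Object System.Net.Security.SslStream($stream)
                    $stream.AuthenticateAsClient($HostName, $null,
                        [System.Security.Authentication.SslProtocols]::Tls12, $false)
                }
                $stream.Write($request, 0, $request.Length)
                $reader = New-Object System.IO.StreamReader($stream)
                $result = $reader.ReadLine()   # e.g. the "HTTP/1.1 ..." status line
                if ($null -eq $result) { $result = 'closed without response' }
            }
            catch {
                # Refused, reset, unreachable, TLS failure: innermost error text.
                $result = $_.Exception.GetBaseException().Message
            }
            finally {
                $client.Close()
            }
            [pscustomobject]@{
                Family  = $address.AddressFamily   # InterNetwork / InterNetworkV6
                Address = $address.ToString()
                Port    = $port
                Result  = $result
            }
        }
    }
}

Test-DualStack -HostName 'osmble.com' | Format-Table -AutoSize
```

Run from a machine outside the server's network, this compares the IPv4 and IPv6 paths to the site side by side; run from the server against another dual-stack host, it shows whether outbound IPv6 works at all.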

Or on some linux (only) systems use
ip addr

1 Like
