Let's Encrypt for IPv6 only websites


I have the following scenario:

My Raspberry Pi is externally reachable via IPv6, and IPv6 only. AAAA records are set and get updated automatically, my router is configured to let traffic on ports 80 and 443 through. Let’s Encrypt handles the certificate for my domain, the site itself is served via lighttpd.
Every installation was done via dietpi-software, configuration through dietpi-letsencrypt.

If I try to reach the domain over HTTP on port 80 everything works fine, HTTPS (port 443) on the other hand gets blocked. lsof -i -P shows me that lighttpd is listening on port 80 through IPv4 and IPv6 but only through IPv4 on port 443.
A quick look at the configuration dietpi-letsencrypt created (/etc/lighttpd/conf/enabled/letsencrypt.conf) showed that the server was listening through IPv4 only:

$SERVER["socket"] == ":443" { ...

Changing this to

$SERVER["socket"] == "[::]:443" { ...

made my site reachable from outside my home network and fixed the problem, for now.
I hope this configuration doesn’t get auto-generated each time the certificate is renewed.

Nevertheless, I don’t know how many people would affect this problem, but it took me a while to figure it out, so perhaps I can help people facing the same problem.
I am not that confident on GitHub, otherwise I would have created a pull-request for a change that respects a IPv6-only setup.

I hope someone of you can do this step, assuming that my text here wasn’t that unclear.
Thank you very much and stay safe all!



many thanks for you message. I’m not 100% sure, but I guess letsencrypt.conf is created by the LetsEnceypt tool and not by a DietPi script. Maybe MichaIng could have a look as developer :slight_smile:

Oh right, didn’t think about that.

The other thing is that with my solution I kinda blocked my server to listen on IPv4 (like on local network)… depsite lsof telling me that it is listening. Doubling the SSL configuration makes lighttpd fail to restart, so maybe I have bigger problems in my system than this here…
It’s a fresh install of DietPi, so I didn’t think about that, either sigh.

I found a 2 years old issue on our GitHub. At least that time, $SERVER[“socket”] == “[::]:443” { was the solution as well.


as It’s on the feature list, still something to work on for MichaIng :wink:

Hey guys,

indeed letsencrypt.conf is created by dietpi-letsencrypt as Certbot doesn’t support Lighttpd natively.

Indeed this is still an outstanding issue, even not too difficult to implement, actually. Bonsailinse Is your site reachable via IPv4 as well now with “[::]:443” only?

Sadly, it is not.

My router only support port forwarding for IPv6 so I am not able to tell if an external IPv4 would work, but from my network the box is not available ( gives no connection), if I change the config back to :443 it is the other way around.

It is something I can live with since I can just edit my hostfile to get an easy access, but still a strange behaviour since technically it should work, at least with both :443 and [::]:443 configured. Don’t know what causes the service to fail restarting.

The whole reason I chose lighttpd was the performance boost you guys mentioned in the docs, and since it’s a private project with no complicated configuration (well, besides this one here I guess) I wanted to give it a shot. Maybe I will switch back to nginx, but that would only solve the problem for me, not other lighttpd users :smiley: