Let's Encrypt for IPv6 only websites Topic is solved

Having issues with your DietPi installation, or, found a bug? Post it here.
Post Reply
Bonsailinse
Posts: 3
Joined: Thu Jul 30, 2020 2:40 am

Let's Encrypt for IPv6 only websites

Post by Bonsailinse »

Hey!

I have the following scenario:

My Raspberry Pi is externally reachable via IPv6, and IPv6 only. AAAA records are set and get updated automatically, my router is configured to let traffic on ports 80 and 443 through. Let's Encrypt handles the certificate for my domain, the site itself is served via lighttpd.
Every installation was done via dietpi-software, configuration through dietpi-letsencrypt.

If I try to reach the domain over HTTP on port 80 everything works fine, HTTPS (port 443) on the other hand gets blocked. lsof -i -P shows me that lighttpd is listening on port 80 through IPv4 and IPv6 but only through IPv4 on port 443.
A quick look at the configuration dietpi-letsencrypt created (/etc/lighttpd/conf/enabled/letsencrypt.conf) showed that the server was listening through IPv4 only:

Code: Select all

$SERVER["socket"] == ":443" { ... 
Changing this to

Code: Select all

$SERVER["socket"] == "[::]:443" { ... 
made my site reachable from outside my home network and fixed the problem, for now.
I hope this configuration doesn't get auto-generated each time the certificate is renewed.

Nevertheless, I don't know how many people would affect this problem, but it took me a while to figure it out, so perhaps I can help people facing the same problem.
I am not that confident on GitHub, otherwise I would have created a pull-request for a change that respects a IPv6-only setup.

I hope someone of you can do this step, assuming that my text here wasn't that unclear.
Thank you very much and stay safe all!

Bonsailinse
User avatar
Joulinar
Posts: 2555
Joined: Sat Nov 16, 2019 12:49 am

Re: Let's Encrypt for IPv6 only websites

Post by Joulinar »

Hi,

many thanks for you message. I'm not 100% sure, but I guess letsencrypt.conf is created by the LetsEnceypt tool and not by a DietPi script. Maybe @MichaIng could have a look as developer :)
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
Bonsailinse
Posts: 3
Joined: Thu Jul 30, 2020 2:40 am

Re: Let's Encrypt for IPv6 only websites

Post by Bonsailinse »

Oh right, didn't think about that.

The other thing is that with my solution I kinda blocked my server to listen on IPv4 (like on local network)... depsite lsof telling me that it is listening. Doubling the SSL configuration makes lighttpd fail to restart, so maybe I have bigger problems in my system than this here...
It's a fresh install of DietPi, so I didn't think about that, either *sigh*.
User avatar
Joulinar
Posts: 2555
Joined: Sat Nov 16, 2019 12:49 am

Re: Let's Encrypt for IPv6 only websites

Post by Joulinar »

I found a 2 years old issue on our GitHub. At least that time, $SERVER["socket"] == "[::]:443" { was the solution as well.

https://github.com/MichaIng/DietPi/issu ... -397892697

as It's on the feature list, still something to work on for @MichaIng ;)
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
User avatar
MichaIng
Site Admin
Posts: 2421
Joined: Sat Nov 18, 2017 6:21 pm

Re: Let's Encrypt for IPv6 only websites

Post by MichaIng »

Hey guys,

indeed letsencrypt.conf is created by dietpi-letsencrypt as Certbot doesn't support Lighttpd natively.

Indeed this is still an outstanding issue, even not too difficult to implement, actually. @Bonsailinse Is your site reachable via IPv4 as well now with "[::]:443" only?
Bonsailinse
Posts: 3
Joined: Thu Jul 30, 2020 2:40 am

Re: Let's Encrypt for IPv6 only websites

Post by Bonsailinse »

Sadly, it is not.

My router only support port forwarding for IPv6 so I am not able to tell if an external IPv4 would work, but from my network the box is not available (192.168.0.42 gives no connection), if I change the config back to :443 it is the other way around.

It is something I can live with since I can just edit my hostfile to get an easy access, but still a strange behaviour since technically it *should* work, at least with both :443 and [::]:443 configured. Don't know what causes the service to fail restarting.

The whole reason I chose lighttpd was the performance boost you guys mentioned in the docs, and since it's a private project with no complicated configuration (well, besides this one here I guess) I wanted to give it a shot. Maybe I will switch back to nginx, but that would only solve the problem for me, not other lighttpd users :D
Post Reply