Author Topic: Unable to install AutoSSL with IPv6 only

Unable to install AutoSSL with IPv6 only
« on: March 25, 2023, 07:01:06 PM »

My first post here, and new to CWP too. Well, here is my context:

- My ISP is using CGNAT, so I can't do port forwarding on IPv4. So I did it on IPv6, redirecting ports 80 & 443 to my server.
- The server is with Apache 2.4 in AlmaLinux 8.7 x86_64
- My domain (say "foo.tld") is defined as an add-on of a user through CWP 7
- I'm using a DDNS service for foo.tld, defining an AAAA record only, pointing to the server's IPv6 (i.e. no A record for IPv4).
- The domain is properly registered at a registrar, pointing to the name servers of the DDNS provider.

This way, the website is reachable through http:// and the next step is https://. So, I tried to install an AutoSSL (LE) certificate, but it fails with this error: "DNS of your domain doesn't point to this server or you have htaccess restrictions".

At this point, I understand that LE wants an IPv4, while I read here and there (e.g. …) that Let's Encrypt has supported IPv6-only domains since 2016. So, what? Did I make a mistake at some point?

Of course, I tried to add an A record, but it fails too, since there's no way to reach my server behind the box-router on the public IPv4.

Is there a way to create this AutoSSL certificate in this context (and will renewal work)? Or what's the alternative (staying IPv6-only; not using VPN/tunnelling with port forwarding on IPv4)?

And a last question (I'm not used to this): would a self-signed certificate do the job the same way as an LE certificate?

I need your enlightened help ;)

Re: Unable to install AutoSSL with IPv6 only
« Reply #1 on: March 25, 2023, 08:25:15 PM »
A few points to consider (from an outsider who is only using IPv4):
  • Is your server fully IPv6 compliant -- in the kernel and also CWP? And in Apache/Nginx?
  • The DNS/.htaccess error you noted usually stems from a redirect from HTTP to HTTPS. You must have HTTPS connections enabled.
  • If self-signed works for you, go for it! You control your own destiny. And honestly, renewing every 90 days is a pain!
  • Consider a Cloudflare Origin SSL Certificate instead if you only need HTTPS/443 service on the server. But their cert is limited to HTTP traffic and won't work with other services (mail, FTP, etc.)
  • Otherwise, consider investing in a Comodo PositiveSSL certificate. They typically run $10/yr and are industry standard. So it's set-it-and-forget-it, valid for 1 year. I've had many cases where this is the better option. Pay a few shekels and get peace of mind for a year!

Re: Unable to install AutoSSL with IPv6 only
« Reply #2 on: March 25, 2023, 09:18:45 PM »
OK, thanks overseer, I'll answer point by point:

- Yes, it's fully compliant: the website is reached over HTTP and all tests passed (Apache is listening on [::]:80 and [::]:443)
- I created the domain through CWP, then just added the "Listen" directive and changed the VirtualHost block ports to [::]
- Self-signed, I don't know if it works (didn't try), but I guess if LE exists it's because it's better than a self-signed one, no?
- OK, I keep Cloudflare in mind: just now, https only, but very soon I'll need mail and ftp, yes, certainly...
- Paying certs: hmm, I have ones for other websites which are not self-hosted, but the ones I would like to host are there to stay free.

But a last question remains (maybe the main one): why did LE's team say it has been IPv6-only compliant since 2016, while it's not at the validation stage? Does it mean it works afterwards, but we need IPv4 during creation? It sounds a bit confusing to me...
« Last Edit: March 25, 2023, 09:20:40 PM by hilo »

Re: Unable to install AutoSSL with IPv6 only
« Reply #3 on: March 26, 2023, 01:15:18 PM »
This was from cPanel, but applies equally well here:
In AutoSSL, IPv6 checks take precedence and because these records do not resolve, the SSL checks fail. To address this, the IPv6 records should either be removed or updated to an address that is bound and resolves to the server.
Here are a couple of salient links:
if you have a working ipv6 configuration, Letsencrypt will use it. If your ipv6 is broken (AAAA record, but no / different answer checking http + /.well-known/acme-challenge/random-filename), that blocks creating a new certificate.
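The check described above (does http://domain/.well-known/acme-challenge/random-filename answer correctly, IPv6 first when an AAAA record exists) can be run locally before asking the CA, so the "DNS or htaccess" error is diagnosed instead of guessed at. This is an added example, not code from CWP, cPanel or Let's Encrypt; the IPv4 fallback only on a failed connection is a modelling assumption, and the addresses in the test are constructed.

```python
import http.client
import secrets
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse


@dataclass
class Probe:
    status: Optional[int]  # None models a connection failure (timeout, refused, no route)
    body: str = ""


# (address family, IP literal, URL) -> Probe; injected so the logic can run offline
Fetcher = Callable[[str, str, str], Probe]


def live_fetch(family: str, ip: str, url: str, timeout: float = 5.0) -> Probe:
    """Fetch url from one specific address, pinning the Host header like a CA validator."""
    u = urlparse(url)
    try:
        conn = http.client.HTTPConnection(ip, u.port or 80, timeout=timeout)
        conn.request("GET", u.path, headers={"Host": u.hostname})
        resp = conn.getresponse()
        return Probe(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except OSError:
        return Probe(None)


def precheck_http01(domain: str, aaaa: list, a: list, fetch: Fetcher, token: str = None) -> str:
    """Classify why an HTTP-01 validation of `domain` would pass or fail.

    IPv6 addresses are tried first whenever AAAA records exist (as the thread
    describes). Assumption of this model: IPv4 is only tried when no IPv6
    address ever connected; a wrong answer over IPv6 is reported, not retried.
    """
    token = token or secrets.token_urlsafe(32)  # random filename, like the real challenge
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    if not aaaa and not a:
        return "no-records"
    for family, ip in [("inet6", x) for x in aaaa] + [("inet", x) for x in a]:
        probe = fetch(family, ip, url)
        if probe.status is None:
            continue  # never connected: firewall, missing port forward or stale AAAA
        if probe.status == 200 and probe.body.strip() == token:
            return f"ok:{family}"
        # A redirect to https, a 403 from .htaccess or a 404 is exactly the
        # "DNS ... or htaccess restrictions" failure the CWP dialog reports.
        return f"wrong-answer:{family}:{probe.status}"
    return "unreachable"
```

To probe a real host, place the token file under the vhost's .well-known/acme-challenge/ directory first and pass `live_fetch` together with the addresses your AAAA/A records publish.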

Re: Unable to install AutoSSL with IPv6 only
« Reply #4 on: March 26, 2023, 02:08:25 PM »
Thanks again overseer, I'll read all of this religiously. In the meantime, I'm trying to manage the DNS-01 challenge; at this time, I found the certbot plugin for my DNS provider, but I encounter a credentials/token issue against their API, so I submitted a ticket to their support...

Re: Unable to install AutoSSL with IPv6 only
« Reply #5 on: March 27, 2023, 11:14:51 AM »
I couldn't say exactly what was wrong, but I finally created the LE certificate using … (my DNS provider being Dynu), then inserted it manually in the right vhost conf.

Maybe a hint: once, I had to log out of CWP's admin board and after re-login, I got a warning asking me if I would like to fix the httpd in use (didn't save the exact message, but something saying there was confusion between two configurations). Of course, I clicked the fix link :)

In the end, I don't know if CWP would now be able to generate an AutoSSL certificate, but it's done manually and the way I followed added the needed cron jobs for renewal.

The only drawback I see is that this certificate doesn't appear in the CWP list... Is there something to do so that CWP detects this certificate which was installed by hand? Of course, the certificate files are not in a standard location, but maybe CWP could scan the vhost conf files and display their existence in some way on the GUI, even if CWP is not in charge of renewing it anymore. What do you think?

Re: Unable to install AutoSSL with IPv6 only
« Reply #6 on: March 27, 2023, 02:38:04 PM »
Just an additional point that could help someone someday... I made a mistake: certbot doesn't create a cron job for renewal but has its own service.

So, I checked it using
Code:
systemctl list-timers --all
and saw that it's there but inactive. I don't know if it's the normal behavior, but I fixed this running
Code:
sudo systemctl enable certbot-renew.timer
sudo systemctl start certbot-renew.timer