Letsencrypt & IPv6

After migrating the box from ubuntu 18.4 to 22.04, letsencrypt SSL certificate renewal stopped working. Now it complains all the time that the AAAA record doesn’t match the host’s IPv6 address:

“Certificate has a problem: The certificate is expiring soon: The certificate expires in 5 days on 2023-06-24. The domain name does not resolve to this machine: xxxx::xxxx:xxxx:xxxx:cf45 (AAAA).”

root@box:~# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxxx::xxxx:xxxx:xxxxx:cf45/64 scope link 
       valid_lft forever preferred_lft forever

What has gone wrong?

I can’t tell you exactly what went wrong but I can see what you’ve got now.

With IPv6 you’ll have several addresses. (This will be clearer if you know your “static” address prefix.) For example, my box has 5 IPv6 addresses.

  • Addresses starting fc or fd are always “local” - they should only be used within your LAN. It looks like letsencrypt gave you a certificate for the local address. It is “conceivable” that the address was working when your cert was generated, but these are normally only usable within your local facility (perhaps within your provider’s network).

  • Addresses starting fe are always genuinely local and not routed outside your LAN.

  • The address starting with your “static” prefix is your public address. This is the one that should be in your AAAA records etc. It should be flagged as ‘scope global’.

Run “ip a” and check that you have an address on your static prefix. If not, your box hasn’t obtained an IPv6 address! Does your provider handle IPv6?

If your provider doesn’t handle IPv6, disable it (this only works till the next reboot, but that’s all you need) and rerun the install script.

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1

If your provider does handle IPv6, check that your correct “public” address is in /etc/mailinabox.conf on both the PUBLIC_IP= and PRIVATE_IP= lines. Check that your DNS entries also have the “public” address. And then rerun the install script.

The issue seemed to be in /etc/mailinabox.conf. There was a wrong IPv6 address in it. I just did an OS upgrade and backed up the old system, reinstalled the OS and restored the mailinabox backup. Because I also upgraded my VPS provider platform to a new one, the IPv6 address has probably changed and the old one was restored from the backup.

It would be nice if mailinabox gave an error or warning if there is an incorrect IP in the config file.
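The three checks from the reply above (a ‘scope global’ address on the box, the address in /etc/mailinabox.conf, the AAAA record) can be scripted as the kind of warning the last post asks for. This is an added example, not code from the thread or from the Mail-in-a-Box project; it assumes the conf is plain KEY=VALUE lines (the key name is an argument; PUBLIC_IPV6 is used here as an assumed IPv6 key, the reply names PUBLIC_IP=/PRIVATE_IP=), that the interface list is the text of `ip -6 addr`, and that the caller resolves the AAAA record, e.g. with dig. All sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or Mail-in-a-Box): warn when the IPv6 address
# recorded in the config is not a 'scope global' address on this box or does not
# match the AAAA record, so a renewal failure like the one above is caught early.
# Assumed: KEY=VALUE config, `ip -6 addr` text on stdin, AAAA resolved by caller.

# Print the 'scope global' IPv6 addresses (prefix length stripped) from `ip -6 addr`
# text on stdin. A box with only fe80::/ULA addresses prints nothing.
global_v6_addrs() {
    awk '$1 == "inet6" && /scope global/ { sub(/\/.*/, "", $2); print $2 }'
}

# Print the value of KEY from KEY=VALUE text on stdin (last occurrence wins).
conf_value() {
    awk -F= -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# check_ipv6 CONF_TEXT IP_ADDR_TEXT AAAA_VALUE KEY
# Returns 0 when the config value, the AAAA record and an on-box global address
# all agree; otherwise prints each disagreement and returns 1.
check_ipv6() {
    conf=$1; ipout=$2; aaaa=$3; key=$4; status=0
    want=$(printf '%s\n' "$conf" | conf_value "$key")
    if [ -z "$want" ]; then
        echo "$key is not set in the config"; return 1
    fi
    if ! printf '%s\n' "$ipout" | global_v6_addrs | grep -qxF "$want"; then
        echo "$key=$want is not a 'scope global' address on this box"; status=1
    fi
    if [ "$aaaa" != "$want" ]; then
        echo "AAAA record '$aaaa' does not match $key=$want"; status=1
    fi
    return $status
}

# Constructed sample: the box got a new global address after a platform move,
# but the restored config still carries the old link-local address.
SAMPLE_IP_OUTPUT='2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::10/64 scope global
    inet6 fe80::5054:ff:fe12:cf45/64 scope link'
STALE_CONF='PUBLIC_IP=192.0.2.10
PUBLIC_IPV6=fe80::5054:ff:fe12:cf45'
FIXED_CONF='PUBLIC_IP=192.0.2.10
PUBLIC_IPV6=2001:db8:1::10'

# Live use on the box (assumed hostname and key name):
#   check_ipv6 "$(cat /etc/mailinabox.conf)" "$(ip -6 addr)" \
#              "$(dig +short AAAA box.example.com)" PUBLIC_IPV6
```

With the stale config the script reports that fe80::5054:ff:fe12:cf45 is not a global address and that the AAAA record disagrees; with the fixed config and a matching AAAA record it exits 0.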
