Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to generate standalone certs with ipv6 enabled #710

Open
Byh0ki opened this issue Nov 9, 2020 · 4 comments
Open

Unable to generate standalone certs with ipv6 enabled #710

Byh0ki opened this issue Nov 9, 2020 · 4 comments

Comments

@Byh0ki
Copy link

Byh0ki commented Nov 9, 2020

Hello,

I was trying to generate a cert for a standalone service but it wasn't working for some reasons. After a little digging, I found that trying to reach http://example.com/.well-known/acme-challenge/ was not working during the cert generation loop (after a manual call to /app/signal_le_service) even if the file standalone-cert-example.com.conf was in /etc/nginx/conf.d/. I tried to replicate the issue with a copy of the previously generated file and found out that it was missing the line listen [::]:80;(maybe on purpose ?). I'm currently on a dual stack server and if I correctly understood the error message I got from the companion[1], Let's Encrypt will perform the challenge validation over IPv6 if my domain's DNS entry has both A and AAAA fields. I added the proper line and everything worked fine.

I don't know if it's a good idea to add the line listen [::]:80; by default in the add_standalone_configuration function ? Or maybe we could find a way to add it dynamically ?

https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/blob/711c56acc160ea921cbc5797b5dc39d28df044bc/app/functions.sh#L115

[1] CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/).

Thanks,

Byh0ki

@buchdag buchdag added kind/bug Issue reporting a bug status/needs-more-info labels Dec 26, 2020
@buchdag
Copy link
Member

buchdag commented Mar 8, 2021

@Byh0ki sorry for the very late reply

nginx-proxy is doing this on nginx.tmpl :

{{ if $enable_ipv6 }}
listen [::]:{{ $external_https_port }} ssl http2;
{{ end }}

I haven't experimented with real IPv6 enabled Docker setup yet (as in I relied on the fact that Docker proxy IPv6 to IPv4 by default, like a lot of people) and I'm not sure what would be the implication of adding listen [::]:80; by default.

Now might be a good time to test because Docker recently broke that default behaviour of proxying IPv6 requests to IPv4, and hasn't fixed it yet.

@Byh0ki
Copy link
Author

Byh0ki commented Mar 13, 2021

Hello @buchdag, I use a quick fix for the moment so it's ok.

Yes, it's working on nginx-proxy end but it's not working for the
standalone configs because they're not generated by docker-gen.
Currently, I rely on letsencrypt-nginx-proxy-companion for the
certificates generation with the function add_standalone_configuration
(so effectively adding the nginx conf for
location ^~ /.well-known/acme-challenge/to nginx) on this vhost. I
then generate the full nginx conf that need existing certificate to work.

I have disabled userland-proxy in docker for a while because
docker-proxy is a userland proxy and it loses the source IP so it's
not a great way of doing IPv6 with Docker. Instead, I use a "hack" that
mirror IPv4 forward and nat tables to the IPv6 tables. It's not the best
because doing NAT with IPv6 seems so wrong but at least it allows a dual
stack docker setup quite painlessly. Here the daemon I use: docker-ipv6nat.

--
Byh0ki

@buchdag
Copy link
Member

buchdag commented Mar 13, 2021

Correct me if I'm wrong but I guess the two options for the problem at hand would be to either detect if nginx-proxy has IPv6 enabled or use our own ENABLE_IPV6 environment variable, then add the directive to listen over IPv6 on the standalone config if needed.

@Byh0ki
Copy link
Author

Byh0ki commented Mar 13, 2021

Both solutions are good but the first one might be better because we would have the same behavior between the two applications.

@buchdag buchdag removed the kind/bug Issue reporting a bug label Jan 19, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants