Unable to renew certs - Domain appears unreachable through HTTP from outside the local network in IPv6, though it works in IPv4


My YunoHost server

Hardware: Other ARM board
YunoHost version: latest stable
I have access to my server : Through SSH | through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no
If yes, please explain:
Description of my issue

SSL certs will not renew for my main domain, automatically or manually.

the web diagnosis says “Domain xyz.noho.st appears unreachable through HTTP from outside the local network in IPv6, though it works in IPv4.”

i don’t need ipv6 at all, my router supports it but not sure if my isp does. regardless, my router reports http(s) ports are open for both, and i can access my main domain from outside my local network.

i don’t understand how to debug the issue, as it seems incorrect.

also, surely the cert renewal mechanism does not require ipv6?

[old version of this issue: Diagnosis reports lots of ipv6 errors - wont allow certificates to install - #4 by armando-femat]

i receive this email also:

An attempt for renewing the certificate for domain boot.noho.st failed with the following
error :

Domain boot.noho.st does not seem to be accessible through HTTP. Please check the 'Web' category in the diagnosis for more info. (If you know what you are doing, use '--no-checks' to turn off those checks.)


Here's the tail of /var/log/yunohost/yunohost-cli.log, which might help to
investigate :

2022-07-21 06:10:49,258 DEBUG    moulinette.core acquire - lock has been acquired
2022-07-21 06:10:49,334 DEBUG    moulinette.actionsmap process - loading python module yunohost.dyndns took 0.076s
2022-07-21 06:10:49,335 DEBUG    moulinette.actionsmap process - processing action [23682.1]: yunohost.dyndns.update with args={'domain': None, 'force': False, 'dry_run': False}
2022-07-21 06:10:49,369 DEBUG    yunohost.utils.network (unknown function) - Fetching IP from https://ip.yunohost.org 
2022-07-21 06:10:49,671 DEBUG    urllib3.connectionpool (unknown function) - Starting new HTTPS connection (1): ip.yunohost.org:443
2022-07-21 06:10:49,849 DEBUG    urllib3.connectionpool (unknown function) - https://ip.yunohost.org:443 "GET / HTTP/1.1" 200 10
2022-07-21 06:10:49,853 DEBUG    yunohost.utils.network (unknown function) - IP fetched: 78.55.3.38
2022-07-21 06:10:49,896 DEBUG    yunohost.utils.network (unknown function) - Fetching IP from https://ip6.yunohost.org 
2022-07-21 06:10:49,910 DEBUG    urllib3.connectionpool (unknown function) - Starting new HTTPS connection (1): ip6.yunohost.org:443
2022-07-21 06:10:50,185 DEBUG    urllib3.connectionpool (unknown function) - https://ip6.yunohost.org:443 "GET / HTTP/1.1" 200 38
2022-07-21 06:10:50,192 DEBUG    yunohost.utils.network (unknown function) - IP fetched: 2a01:c23:64aa:6d00:d28d:3f84:cd9b:1c5c
2022-07-21 06:10:50,196 DEBUG    yunohost.dyndns (unknown function) - [23682.1] Building zone update file ...
2022-07-21 06:10:50,343 DEBUG    yunohost.dyndns (unknown function) - [23682.1] Old IPv4/v6 are (78.55.3.38, 2a01:c23:64aa:6d00:d28d:3f84:cd9b:1c5c)
2022-07-21 06:10:50,343 DEBUG    yunohost.dyndns (unknown function) - [23682.1] Requested IPv4/v6 are (78.55.3.38, 2a01:c23:64aa:6d00:d28d:3f84:cd9b:1c5c)
2022-07-21 06:10:50,343 INFO     yunohost.dyndns (unknown function) - [23682.1] No updated needed.
2022-07-21 06:10:50,344 DEBUG    moulinette.actionsmap process - action [23682.1] executed in 1.009s
2022-07-21 06:10:50,345 DEBUG    moulinette.core release - lock has been released
2022-07-21 06:20:02,491 DEBUG    moulinette.interface __init__ - initializing base actions map parser for cli
2022-07-21 06:20:02,495 DEBUG    moulinette.actionsmap __init__ - loading actions map namespace 'yunohost'
2022-07-21 06:20:02,499 DEBUG    moulinette.actionsmap _construct_parser - building parser...
2022-07-21 06:20:02,507 DEBUG    moulinette.actionsmap _construct_parser - building parser took 0.007s
2022-07-21 06:20:02,509 DEBUG    moulinette.core acquire - acquiring lock...
2022-07-21 06:20:02,537 DEBUG    moulinette.core acquire - lock has been acquired
2022-07-21 06:20:02,618 DEBUG    moulinette.actionsmap process - loading python module yunohost.dyndns took 0.081s
2022-07-21 06:20:02,619 DEBUG    moulinette.actionsmap process - processing action [23766.1]: yunohost.dyndns.update with args={'domain': None, 'force': False, 'dry_run': False}
2022-07-21 06:20:02,637 DEBUG    yunohost.utils.network (unknown function) - Fetching IP from https://ip.yunohost.org 
2022-07-21 06:20:02,930 DEBUG    urllib3.connectionpool (unknown function) - Starting new HTTPS connection (1): ip.yunohost.org:443
2022-07-21 06:20:03,166 DEBUG    urllib3.connectionpool (unknown function) - https://ip.yunohost.org:443 "GET / HTTP/1.1" 200 10
2022-07-21 06:20:03,170 DEBUG    yunohost.utils.network (unknown function) - IP fetched: 78.55.3.38
2022-07-21 06:20:03,191 DEBUG    yunohost.utils.network (unknown function) - Fetching IP from https://ip6.yunohost.org 
2022-07-21 06:20:03,197 DEBUG    urllib3.connectionpool (unknown function) - Starting new HTTPS connection (1): ip6.yunohost.org:443
2022-07-21 06:20:03,446 DEBUG    urllib3.connectionpool (unknown function) - https://ip6.yunohost.org:443 "GET / HTTP/1.1" 200 38
2022-07-21 06:20:03,449 DEBUG    yunohost.utils.network (unknown function) - IP fetched: 2a01:c23:64aa:6d00:d28d:3f84:cd9b:1c5c
2022-07-21 06:20:03,451 DEBUG    yunohost.dyndns (unknown function) - [23766.1] Building zone update file ...
2022-07-21 06:20:03,581 DEBUG    yunohost.dyndns (unknown function) - [23766.1] Old IPv4/v6 are (78.55.3.38, 2a01:c23:64aa:6d00:d28d:3f84:cd9b:1c5c)
2022-07-21 06:20:03,582 DEBUG    yunohost.dyndns (unknown function) - [23766.1] Requested IPv4/v6 are (78.55.3.38, 2a01:c23:64aa:6d00:d28d:3f84:cd9b:1c5c)
2022-07-21 06:20:03,582 INFO     yunohost.dyndns (unknown function) - [23766.1] No updated needed.
2022-07-21 06:20:03,582 DEBUG    moulinette.actionsmap process - action [23766.1] executed in 0.964s
2022-07-21 06:20:03,583 DEBUG    moulinette.core release - lock has been released
2022-07-21 06:25:05,097 DEBUG    moulinette.interface __init__ - initializing base actions map parser for cli
2022-07-21 06:25:05,101 DEBUG    moulinette.actionsmap __init__ - loading actions map namespace 'yunohost'
2022-07-21 06:25:05,105 DEBUG    moulinette.actionsmap _construct_parser - building parser...
2022-07-21 06:25:05,131 DEBUG    moulinette.actionsmap _construct_parser - building parser took 0.026s
2022-07-21 06:25:05,134 DEBUG    moulinette.core acquire - acquiring lock...
2022-07-21 06:25:05,161 DEBUG    moulinette.core acquire - lock has been acquired
2022-07-21 06:25:05,197 DEBUG    moulinette.actionsmap process - loading python module yunohost.domain took 0.035s
2022-07-21 06:25:05,197 DEBUG    moulinette.actionsmap process - processing action [23942.1]: yunohost.domain.cert.renew with args={'domain_list': [], 'force': False, 'email': True, 'no_checks': False, 'staging': False}
2022-07-21 06:25:05,335 DEBUG    yunohost.utils.ldap (unknown function) - initializing ldap interface
2022-07-21 06:25:05,509 ERROR    yunohost.certmanager (unknown function) - [23942.1] Domain boot.noho.st does not seem to be accessible through HTTP. Please check the 'Web' category in the diagnosis for more info. (If you know what you are doing, use '--no-checks' to turn off those checks.)
2022-07-21 06:25:05,509 ERROR    yunohost.certmanager (unknown function) - [23942.1] Sending email with details to root ...

-- Certificate Manager

If ipv6 is not configured, could you confirm that you have not set an AAAA record?

dig AAAA domain.tld @89.234.141.66

Have you tried to force the cert renew?

yunohost domain cert renew --no-checks domain.tld

forcing cert renew works, which suggests to me that it’s only the checks that don’t work. my ports and whatnot all seem to work fine.

but this means that ynh auto cert renew doesn’t work, i guess?

it’s frustrating that it’s so opaque.

dig command run with my domain returns:

;; ANSWER SECTION:
mydomain.noho.st.		3600	IN	AAAA	ipv6:address:here:

does that mean one is set but only for ipv6?

i’m out of my depth there.

A is for ipv4, AAAA for ipv6.
If you have a noho.st with ipv6 it means that you have ipv6 on your server.

Maybe your router is not configured to let ipv6 input go to your server. In this case that’s your issue. So you have 2 solutions:

  • deactivate ipv6 on the server totally
  • make ipv6 ports redirected to your server properly
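One way to see which address family is failing, as an added example that is not part of the original posts or of YunoHost's diagnosis code: it resolves the A and AAAA records and attempts a TCP connection to port 80 on each address separately. It assumes it is run from a machine outside the local network, it uses the system resolver rather than the one named in the dig command, and the function names are hypothetical.

```python
import socket
import sys

FAMILIES = (("ipv4", socket.AF_INET), ("ipv6", socket.AF_INET6))

def resolve(domain, family):
    """Addresses the system resolver returns for one family (A or AAAA)."""
    try:
        infos = socket.getaddrinfo(domain, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # no record of this type (or the lookup failed)
    return sorted({info[4][0] for info in infos})

def can_connect(address, family, port=80, timeout=5.0):
    """True if a TCP handshake to address:port completes over this family."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((address, port))
        return True
    except OSError:  # refused, timed out, no route, family unsupported
        return False

def check_domain(domain, resolve=resolve, can_connect=can_connect):
    """Probe port 80 on every published address, one family at a time."""
    report = {}
    for name, family in FAMILIES:
        report[name] = {a: can_connect(a, family) for a in resolve(domain, family)}
    published = {name: res for name, res in report.items() if res}
    broken = [name for name, res in published.items() if not all(res.values())]
    if not published:
        verdict = "no A or AAAA record found"
    elif broken:
        verdict = "published but unreachable over " + ", ".join(broken)
    else:
        verdict = "reachable on every published address family"
    return report, verdict

if __name__ == "__main__":
    # domain.tld is the placeholder used in the thread; pass the real name.
    domain = sys.argv[1] if len(sys.argv) > 1 else "domain.tld"
    report, verdict = check_domain(domain)
    for name, results in report.items():
        for address, ok in results.items():
            print(f"{name} {address} port 80: {'open' if ok else 'unreachable'}")
    print(f"{domain}: {verdict}")
```

A verdict of "published but unreachable over ipv6" corresponds to the two options listed above: stop publishing the AAAA record by disabling IPv6 on the server, or let inbound IPv6 traffic on the web ports through to it.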

thanks for the further details.

my confusion was due to my router’s config: any port forwarding is done for both v4 and v6 in the one action, and lists of open ports were the same for both, and still i had this problem.

in the end i just disabled ipv6 on the server totally.

but also, it seems strange to me that ynh would require ipv6 ports to be fully working properly when ipv4 already is, merely in order to then do something that then only requires ipv4.
