What type of hardware are you using: Virtual machine
What YunoHost version are you running: 12.1.40.1
How are you able to access your server: SSH, Direct access via physical keyboard/screen
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: no
Describe your issue
Context:
YunoHost is a VM behind my router. The IPv6 firewall is enabled on my router and blocks all IPv6 connections. Also, all ports are blocked except 443 and 22 on IPv4.
I wanted to renew the certificate of the server as it expired. I’m using *nohost.me subdomains and DynDNS.
Before renewing I needed to run the diagnosis.
The issue:
=================================
Web (web)
=================================
[WARNING] Could not diagnose if domains are reachable from outside in IPv4.
- Error: HTTPSConnectionPool(host='diagnosis.yunohost.org', port=443): Read timed out. (read timeout=30)
Share relevant logs or error messages
Hypothesis and debug:
My hypothesis is that the diagnoser sends the client request to diagnosis.yunohost.org:443 using the default on the system, and for some reason the default on the system uses the IPv6 stack when the router blocks everything related to IPv6.
The reason I believe that at this stage is that when I ping diagnosis.yunohost.org it tries IPv6 by default:
PING diagnosis.yunohost.org(yunohost.org (2001:910:1400:115::12)) 56 data bytes
^C
--- diagnosis.yunohost.org ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2043ms
When I ping with ping -4 diagnosis.yunohost.org:
PING (80.67.164.12) 56(84) bytes of data.
64 bytes from yunohost.org (80.67.164.12): icmp_seq=1 ttl=56 time=4.84 ms
64 bytes from yunohost.org (80.67.164.12): icmp_seq=2 ttl=56 time=5.43 ms
^C
--- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 4.840/5.132/5.425/0.292 ms
I tried to find evidence to back this up in logs, but could not figure out where to look for the diagnosis logs, or they are empty (e.g. I did not find anything in /var/log/*; can you point me in the right direction?).
I ran the diagnosis with debug, which did not give much more information:
67913 DEBUG Running diagnosis for web ...
67913 DEBUG Loading diagnoser web
67922 DEBUG Starting new HTTPS connection (1): diagnosis.yunohost.org:443
98002 DEBUG Updating cache /var/cache/yunohost/diagnosis/web.json
98003 WARNING Found 1 item(s) that could be improved for Web.
The question is therefore: how do I disable IPv6 on the machine? Is there a YunoHost setting (there is one for SMTP) or a general setting to disable this stack? Maybe there is a way to run the diagnosis with a flag asking it to use the IPv4 stack instead of the default?
Also, there was an issue filed which is kind of related: error: automatic diagnosis - Timed-out while trying to contact your server from outside · Issue #1676 · YunoHost/issues · GitHub
EDIT:
My hypothesis seems wrong. I disabled IPv6 temporarily with:
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
but the issue persists. Same error, even though I can send requests to diagnosis.yunohost.org using IPv4. Hence, maybe the issue is related to the server not probing my server with IPv4?
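One way to test the address-family hypothesis above directly, added here as an example (it is not part of the original post and not YunoHost's diagnoser code): it resolves the host per family, attempts a TCP connect to each address, and reports which family the resolver hands out first. The function names `probe`, `first_choice` and `summarize` are hypothetical; the host and port are the ones from the error message.

```python
import socket

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}

def probe(host, port, family, timeout=5.0):
    """TCP-connect to each address of host in one family; return [(addr, outcome)]."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(None, f"no address: {exc}")]
    results = []
    for fam, kind, proto, _name, sockaddr in infos:
        try:
            with socket.socket(fam, kind, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            results.append((sockaddr[0], "ok"))
        except OSError as exc:  # timeout, refused, unreachable, family disabled
            results.append((sockaddr[0], f"failed: {exc}"))
    return results

def first_choice(host, port):
    """Family of the first address the resolver returns (what most clients try first)."""
    fam = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)[0][0]
    return "IPv6" if fam == socket.AF_INET6 else "IPv4"

def summarize(report):
    """Reduce per-family results to one of four cases."""
    up = {name: any(outcome == "ok" for _, outcome in rows)
          for name, rows in report.items()}
    if up["IPv4"] and up["IPv6"]:
        return "both-ok"
    if up["IPv4"]:
        return "ipv6-broken"
    if up["IPv6"]:
        return "ipv4-broken"
    return "both-broken"

if __name__ == "__main__":
    host, port = "diagnosis.yunohost.org", 443  # taken from the error message
    report = {name: probe(host, port, fam) for name, fam in FAMILIES.items()}
    for name, rows in report.items():
        for addr, outcome in rows:
            print(f"{name:5} {addr}: {outcome}")
    print("resolver prefers:", first_choice(host, port))
    print("verdict:", summarize(report))
```

This checks outbound TCP connects only. The "Read timed out" text in the error is what the HTTP client reports when the connection was established and the response did not arrive within 30 seconds, so an "ok" for the family in use does not by itself explain the diagnosis failure.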