kchristensen / udm-le

Let's Encrypt support for Ubiquiti UniFi OS
MIT License
565 stars 79 forks

[BUG] #93

Closed hsiboy closed 2 months ago

hsiboy commented 2 months ago

Describe the bug: certificate generation - Lego and IPv6?

To Reproduce: Steps to reproduce the behavior:

  1. Installed udm-le on a UDM Pro
  2. Added the required details to udm-le.env for my DNS provider (mythicbeasts)
  3. Ran ./udm-le.sh initial
  4. Got an error (see below); forced an update of lego to 4.16, but it still has the problem

Expected behavior: The certificate to be renewed as per ACME

Error message

root@DreamMachineProfessional:/data/udm-le# ./udm-le.sh initial
install_lego(): Lego binary is already installed at /data/udm-le/lego, no operation necessary
create_services(): Creating udm-le systemd service and timer
initial(): Attempting certificate generation
initial(): /data/udm-le/lego --path "/data/udm-le/.lego" --dns mythicbeasts --dns.resolvers ns1.mythic-beasts.com --email webmaster@j-notation.co.uk --key-type rsa2048 -d unifi.j-notation.co.uk --accept-tos run
2024/04/18 16:45:29 [INFO] [unifi.j-notation.co.uk] acme: Obtaining bundled SAN certificate
2024/04/18 16:45:29 [INFO] [unifi.j-notation.co.uk] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3400XXXX3117
2024/04/18 16:45:29 [INFO] [unifi.j-notation.co.uk] acme: Could not find solver for: tls-alpn-01
2024/04/18 16:45:29 [INFO] [unifi.j-notation.co.uk] acme: Could not find solver for: http-01
2024/04/18 16:45:29 [INFO] [unifi.j-notation.co.uk] acme: use dns-01 solver
2024/04/18 16:45:29 [INFO] [unifi.j-notation.co.uk] acme: Preparing to solve DNS-01
2024/04/18 16:46:29 [INFO] [unifi.j-notation.co.uk] acme: Cleaning DNS-01 challenge
2024/04/18 16:47:29 [WARN] [unifi.j-notation.co.uk] acme: cleaning up failed: mythicbeasts: could not find zone for domain "unifi.j-notation.co.uk": [fqdn=_acme-challenge.unifi.j-notation.co.uk.] could not find the start of authority for '_acme-challenge.unifi.j-notation.co.uk.': DNS call error: read udp [2001:db8:1000::1]:40322->[2600:3c00:e000:19::1]:53: i/o timeout [ns=ns1.mythic-beasts.com:53, question='uk. IN  SOA'] 
2024/04/18 16:47:29 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/340045273117
2024/04/18 16:47:29 Could not obtain certificates:
    error: one or more domains had a problem:
[unifi.j-notation.co.uk] [unifi.j-notation.co.uk] acme: error presenting token: mythicbeasts: could not find zone for domain "unifi.j-notation.co.uk": [fqdn=_acme-challenge.unifi.j-notation.co.uk.] could not find the start of authority for '_acme-challenge.unifi.j-notation.co.uk.': DNS call error: read udp [2001:db8:1000::1]:51784->[2600:3c00:e000:19::1]:53: i/o timeout [ns=ns1.mythic-beasts.com:53, question='uk. IN  SOA']
initial(): Starting udm-le systemd timer
root@DreamMachineProfessional:/data/udm-le# 

Version Information (please complete the following information):

Additional context: This is clearly an issue with lego and not udm-le.sh, but I can't understand why lego is requesting IPv6 (which times out) when IPv6 is not enabled on the UDM, and the WAN IP is IPv4. What is making lego use IPv6?

kchristensen commented 2 months ago

Can't say I've seen this before, what's your DNS_RESOLVER set to in your udm-le.env?

hsiboy commented 2 months ago

Got to the bottom of this... Leaving this here for anyone else who struggles with this.

My DNS provider (Mythic Beasts) is a big proponent of IPv6 and as such they added an AAAA record for @. The logs showed that the local IPv6 was timing out waiting for Mythic Beasts' IPv6 NS server, so I removed the offending AAAA record thinking it was the issue, but it still failed. Within the UI for the UDM Pro, IPv6 was disabled on all networks, and my ISP is IPv4 only, so I couldn't understand why IPv6 was being used.

SSHing into the UDM Pro, I checked for IPv6 on the interfaces with ip address show, and the UDM Pro had IPv6 addresses on a large number of interfaces (physical and virtual), so I validated the config with sysctl -a | grep -i disable_ipv6 and this showed that IPv6 was not disabled.

I made a backup of /etc/sysctl.conf and then added:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.br0.disable_ipv6 = 1
net.ipv6.conf.br2.disable_ipv6 = 1
net.ipv6.conf.br42.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.dnsfilter.disable_ipv6 = 1
net.ipv6.conf.dnsfilter-0.disable_ipv6 = 1
net.ipv6.conf.dummy0.disable_ipv6 = 1
net.ipv6.conf.erspan0.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.eth1.disable_ipv6 = 1
net.ipv6.conf.eth10.disable_ipv6 = 1
net.ipv6.conf.eth10/2.disable_ipv6 = 1
net.ipv6.conf.eth10/42.disable_ipv6 = 1
net.ipv6.conf.eth2.disable_ipv6 = 1
net.ipv6.conf.eth3.disable_ipv6 = 1
net.ipv6.conf.eth4.disable_ipv6 = 1
net.ipv6.conf.eth5.disable_ipv6 = 1
net.ipv6.conf.eth6.disable_ipv6 = 1
net.ipv6.conf.eth7.disable_ipv6 = 1
net.ipv6.conf.eth8.disable_ipv6 = 1
net.ipv6.conf.eth9.disable_ipv6 = 1
net.ipv6.conf.eth9/2.disable_ipv6 = 1
net.ipv6.conf.eth9/42.disable_ipv6 = 1
net.ipv6.conf.gre0.disable_ipv6 = 1
net.ipv6.conf.gretap0.disable_ipv6 = 1
net.ipv6.conf.ifb0.disable_ipv6 = 1
net.ipv6.conf.ifb1.disable_ipv6 = 1
net.ipv6.conf.ifbppp0.disable_ipv6 = 1
net.ipv6.conf.ip6tnl0.disable_ipv6 = 1
net.ipv6.conf.ip_vti0.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.ppp0.disable_ipv6 = 1
net.ipv6.conf.sit0.disable_ipv6 = 1
net.ipv6.conf.switch0.disable_ipv6 = 1
net.ipv6.conf.switch0/1.disable_ipv6 = 1
net.ipv6.conf.switch0/2.disable_ipv6 = 1
net.ipv6.conf.switch0/42.disable_ipv6 = 1
net.ipv6.conf.tunovpnc1.disable_ipv6 = 1

and reloaded sysctl with sysctl -p, so no need to reboot, and then ran udm-le and success!

I don't know why the UDM was assigning IPv6 to its interfaces, but it seems that Go (the language lego is written in) will default to IPv6 if it's available. There's no switch for lego to tell it to use IPv4.
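The diagnosis and fix above can be scripted rather than done by hand. The following is an added example written for this page (editor's code, not udm-le's and not hsiboy's): it reads the output of ip -6 addr show and sysctl -a | grep disable_ipv6, reports which interfaces actually hold a global IPv6 address (the kind lego would bind to when dialing the nameserver), emits the disable_ipv6 lines for /etc/sysctl.conf for every interface that is not already disabled, and gives you a check to run after sysctl -p. The two sample outputs embedded in it are constructed; the only assumptions are POSIX sh and awk, which the BusyBox userland on the UDM provides. Note that disabling IPv6 on every interface, lo and VPN tunnels included, is a blunt instrument; if you would rather not turn IPv6 off box-wide, lego's --dns.resolvers flag takes host:port, so pointing the resolver setting kchristensen asks about at the nameserver's IPv4 address instead of its hostname keeps the SOA lookups on IPv4 (editor's suggestion, not tested against this box).

```shell
#!/bin/sh
# Added example (editor's code, not udm-le's or the poster's): audit the IPv6
# state of a UniFi OS box from `ip -6 addr show` and `sysctl -a` output, and
# generate the disable_ipv6 lines for /etc/sysctl.conf instead of typing them
# per interface. Assumes POSIX sh and awk (BusyBox on the UDM is fine).

# Constructed sample of `ip -6 addr show` output: lo has only ::1, eth8 has a
# global address (the kind lego would source from) and a link-local one.
SAMPLE_IP6='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
9: eth8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1000::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed sample of `sysctl -a | grep disable_ipv6` output: br0 is already
# disabled, everything else is still on.
SAMPLE_SYSCTL='net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.eth8.disable_ipv6 = 0
net.ipv6.conf.br0.disable_ipv6 = 1'

# Read `ip -6 addr show` on stdin; print "<iface> <addr>" for every
# global-scope IPv6 address. Link-local (fe80::) and ::1 are ignored: they
# cannot reach an external nameserver, so they are not what timed out.
global_ipv6_addrs() {
    awk '/^[0-9]+: / { iface = $2; sub(/:$/, "", iface) }
         /inet6 / && / scope global/ { print iface, $2 }'
}

# Read `sysctl -a | grep disable_ipv6` on stdin; print a sysctl.conf line for
# every key that is not already 1, so already-disabled interfaces are skipped.
sysctl_disable_lines() {
    awk -F' *= *' '$2 != "1" { print $1 " = 1" }'
}

# Exit 0 if every disable_ipv6 key on stdin is 1 (what you want to see after
# `sysctl -p`), 1 otherwise.
ipv6_all_disabled() {
    awk -F' *= *' '$2 != "1" { bad = 1 } END { exit bad }'
}

# Live usage on the UDM: `sh audit-ipv6.sh --live`; sysctl's stderr noise
# about unreadable keys is dropped. Review the output before appending it to
# /etc/sysctl.conf and running `sysctl -p`.
if [ "${1:-}" = "--live" ]; then
    echo "# global IPv6 addresses:"
    ip -6 addr show | global_ipv6_addrs
    echo "# lines to append to /etc/sysctl.conf, then run: sysctl -p"
    sysctl -a 2>/dev/null | grep disable_ipv6 | sysctl_disable_lines
fi
```

After sysctl -p, rerun sysctl -a 2>/dev/null | grep disable_ipv6 | ipv6_all_disabled && echo ok before trying ./udm-le.sh initial again; if a firmware update later rewrites /etc/sysctl.conf, the same check tells you immediately whether the setting survived.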