mika / jenkins-debian-glue

Scripts for Debian package/repository handling inside Jenkins
MIT License

jenkins-debian-glue.org is missing IP connectivity and only has Legacy-IP assigned #151

Open oerdnj opened 8 years ago

oerdnj commented 8 years ago

jenkins-debian-glue.org is not accessible via IP connectivity since it has only an IPv4 address:

$ kdig +short IN AAAA jenkins-debian-glue.org
$ 

Also, the primary location of the automatic script hosted on https://raw.github.com is unreachable from IPv6-only systems, which both fails to download apply.sh and then fails to run the script:

# bash ./apply.sh random_password
./apply.sh: line 4: 11131 0-11131 0: syntax error in expression (error token is "0-11131 0")
--2016-04-25 14:27:59--  https://raw.github.com/mika/jenkins-debian-glue/master/puppet/jenkins_debian_glue.pp
Resolving raw.github.com (raw.github.com)... 185.31.17.133
Connecting to raw.github.com (raw.github.com)|185.31.17.133|:443... failed: Network is unreachable.
grep: jenkins_debian_glue.pp: No such file or directory
################################################################################
Warning: string PASSWORD_HASH_TO_BE_ADJUSTED not found in jenkins_debian_glue.pp
Notice that rerunning ./apply.sh with a different password might not work as expected.
To make sure adjusting the password works please execute:

  rm jenkins_debian_glue.pp
  ./apply.sh <your_password> https://raw.github.com/mika/jenkins-debian-glue/master/puppet/jenkins_debian_glue.pp

################################################################################
Error: can not find jenkins_debian_glue.pp.
Either manually grab https://raw.github.com/mika/jenkins-debian-glue/master/puppet/jenkins_debian_glue.pp
       or run ./apply.sh <http://path/to/some/puppetfile.pp>

Could you please make the whole system accessible from machines that have only IPv6 connectivity?

mika commented 8 years ago

I'll see when I find time for setting up IPv6 for jenkins-debian-glue.org, though for downloading this file from raw.github.com there's nothing I can do about it until github provides IPv6 support. You can just grab https://raw.github.com/mika/jenkins-debian-glue/master/puppet/jenkins_debian_glue.pp on some IPv4-enabled system though and then place it next to the apply.sh file; then no further dependency WRT IPv6 should be missing.

oerdnj commented 8 years ago

More errors:

I am guessing this is related to the default address for listening:

Warning: Could not retrieve fact ipaddress

as the script ends with:

Now point your browser to http://:8080

And here's again an external repository without IPv6 connectivity; I'll report it to jenkins-ci.org.

Error: /usr/bin/wget -O - 'http://pkg.jenkins-ci.org/debian-stable/jenkins-ci.org.key' | /usr/bin/apt-key add - returned 2 instead of one of [0]
Error: /Stage[main]/Jenkins::Repos/Apt::Key[D50582E6]/Exec[/usr/bin/wget -O - 'http://pkg.jenkins-ci.org/debian-stable/jenkins-ci.org.key' | /usr/bin/apt-key add -]/returns: change from notrun to 0 failed: /usr/bin/wget -O - 'http://pkg.jenkins-ci.org/debian-stable/jenkins-ci.org.key' | /usr/bin/apt-key add - returned 2 instead of one of [0]

followed by a zillion warnings about the Jenkins configuration because of "Skipping because of failed dependencies". Found an issue in the upstream JIRA, but the upstream is kinda a jerk, closing the bug because he doesn't care about IPv6, so I created an IPv6+TLS proxy for the jenkins repository at https://jenkins.rfc1925.org/debian-stable/.

As for the external addresses - you can either host those files yourself or have a simple TLS IPv6 proxy for raw.github.com on jenkins-debian-glue.org/git/ similar to mine for jenkins.

mika commented 8 years ago

Yes, the IP address identification fails for you inside:

IP=$(ip addr show dev $(route -n | awk '/^0\.0\.0\.0/{print $NF}') | awk '/inet / {print $2}' | head -1 |sed "s;/.*;;")

If you've a version for me that works for both IPv6 and IPv4 I'd happily change that (or welcome PR of course). :)

I'm not sure I want to host those files myself yet (possible risk of having out-of-date files compared to what's in git), though the proxy might be indeed an option. I'd have to play with the TLS IPv6 proxy, do you have some configuration files/instructions/... that might serve as a starting point for me?

oerdnj commented 8 years ago

I use this for my setup:

# cat jenkins.rfc1925.org
server {
  listen 0.0.0.0:80;
  listen [::]:80;

  server_name jenkins.rfc1925.org;

  return 301 https://$server_name$request_uri;
}

server {
  listen 0.0.0.0:443;
  listen [::]:443;

  server_name jenkins.rfc1925.org;

  access_log /var/log/nginx/jenkins.rfc1925.org-access.log;
  error_log  /var/log/nginx/jenkins.rfc1925.org-error.log;

  include /etc/nginx/ssl_params;
  ssl_certificate         /etc/letsencrypt/live/jenkins.rfc1925.org/fullchain.pem;
  ssl_certificate_key     /etc/letsencrypt/live/jenkins.rfc1925.org/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/jenkins.rfc1925.org/chain.pem;

  location / {
    proxy_pass       http://mirrors.jenkins.io/;
    proxy_redirect default;
    proxy_buffering         off;
    proxy_set_header        X-Real-IP               $remote_addr;
    proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Protocol    $scheme;
  }
}

and

# cat ../ssl_params
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl on;

# ssl_ciphers "AES128+EECDH:AES128+EDH";

ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

## [Optional] If your certificate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
## Replace with your ssl_trusted_certificate. For more info see:
## - https://medium.com/devops-programming/4445f4862461
## - https://www.ruby-forum.com/topic/4419319
## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
ssl_stapling on;
ssl_stapling_verify on;

resolver [fd00:5f0:c001:122:a8::1] valid=300s;
resolver_timeout 5s;

## [Optional] Generate a stronger DHE parameter:
##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
##
ssl_dhparam /etc/nginx/ssl/dh4096.pem;

location ~ ^/.well-known {
  allow all;
  autoindex on;
  root /etc/letsencrypt/webroot/;
}

And some letsencrypt automation https://github.com/oerdnj/letsencrypt-misc (but you have to run the initial letsencrypt manually).

oerdnj commented 8 years ago

As for IP address this might work:

IP=$(ip -6 a s dev $(ip -6 r s | awk '/^default / {print $5}') | awk '/inet6 .* scope global/ {print $2}' | head -1 |sed "s;/.*;;")
[ -z "$IP" ] && IP=$(ip -4 a s dev $(ip -4 r s | awk '/^default / {print $5}') | awk '/inet .* scope global/ {print $2}' | head -1 |sed "s;/.*;;")
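A more defensive variant of the address detection discussed above, added here as an illustration (not code from apply.sh or from either commenter): it finds the default-route interface without relying on a fixed awk field position, skips IPv6 privacy (temporary) addresses, brackets IPv6 literals for URLs, and refuses to return an empty address, which is what produced the `http://:8080` seen earlier. The `ip` output it is tested against is constructed.

```shell
#!/bin/sh
# Added example, not from jenkins-debian-glue: pick the address a freshly
# provisioned Jenkins host should advertise (global IPv6 first, then IPv4).
# Parsing is separate from the `ip` calls so it runs on constructed output.

# default_dev ROUTE_OUTPUT: interface of the default route, found by locating
# the "dev" keyword (works with or without a "via" gateway hop).
default_dev() {
    printf '%s\n' "$1" | awk '
        /^default / { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# global_addr FAMILY DEV ADDR_OUTPUT: first global-scope address of DEV from a
# full `ip addr show` listing, skipping IPv6 privacy (temporary) addresses.
global_addr() {
    printf '%s\n' "$3" | awk -v fam="$1" -v dev="$2" '
        /^[0-9]+: / { cur = $2; sub("[@:].*", "", cur) }
        cur == dev && $1 == fam && / scope global/ && !/temporary/ {
            sub("/.*", "", $2); print $2; exit }'
}

# choose_addr ROUTE6 ADDR6 ROUTE4 ADDR4: IPv6 first, then IPv4; returns 1 when
# nothing usable exists so callers never build a URL around an empty string.
choose_addr() {
    dev=$(default_dev "$1"); addr=""
    [ -n "$dev" ] && addr=$(global_addr inet6 "$dev" "$2")
    if [ -z "$addr" ]; then
        dev=$(default_dev "$3")
        [ -n "$dev" ] && addr=$(global_addr inet "$dev" "$4")
    fi
    [ -n "$addr" ] || { echo "Error: no global IPv4/IPv6 address found" >&2; return 1; }
    printf '%s\n' "$addr"
}

# url_for ADDR PORT: IPv6 literals must be bracketed inside URLs.
url_for() {
    case $1 in
        *:*) printf 'http://[%s]:%s\n' "$1" "$2" ;;
        *)   printf 'http://%s:%s\n' "$1" "$2" ;;
    esac
}

# detect_ip: wire the pure helpers to the live system (not used by the tests).
detect_ip() {
    choose_addr "$(ip -6 route show 2>/dev/null)" "$(ip -6 addr show 2>/dev/null)" \
                "$(ip -4 route show 2>/dev/null)" "$(ip -4 addr show 2>/dev/null)"
}
```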

thctlo commented 4 years ago

Can the above be applied? This still fails on a clean minimal Debian buster install. @oerdnj's options work for me.

mika commented 4 years ago

@thctlo I'd need to set up the corresponding infrastructure on my side first of all, since github doesn't yet support IPv6.