opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

security/acme-client: Feature Request - IPv6 Option for CG-NAT-Firewalls #3023

Open robgnu opened 2 years ago

robgnu commented 2 years ago


Is your feature request related to a problem? Please describe. Some OPNsense firewalls that I've configured are IPv6-only by the ISP (CG-NAT). Trying to issue a certificate via HTTP-01 always fails. To my understanding, acme.sh only listens on IPv4 interfaces by default.

Describe the solution you'd like But there is a command-line option in acme.sh to listen on IPv6: --listen-v6. Maybe there is an easy way to integrate this option into the plugin GUI? It would be really nice, because more and more ISPs are switching to CG-NAT configurations.

Thank you Robert.

promd commented 1 year ago

I am facing the same issue with IPv6-only DynDNS domains. A fix would be fantastic.

The logs of the acme client indicate that the response is invalid; the log of the plugin only mentions the IPv4 address to be used (which does not get resolved by the DynDNS provider).

discordier commented 2 months ago

Having the same problem as @promd. OPNsense is only reachable via IPv6 but is listening on an internal IPv4.

Trying via CLI and passing --listen-v6 did not solve anything. I found the following issue in the OpenBSD tracker, which might be related (given OPNsense is based on BSD): https://github.com/acmesh-official/acme.sh/issues/5065

stolendata commented 2 months ago

@robgnu @promd @discordier

A makeshift solution is to hard-code your IPv6 address in the ncaddr parameter in _startserver(), like so:

...
_startserver() {
  content="$1"
  ncaddr="$2"
...

... change to ...

...
_startserver() {
  content="$1"
  ncaddr="xxxx:yyyy:zzzz::etc"
...

If you're uncertain of what your IPv6 address is, or if it keeps changing, you may use ::.

discordier commented 1 month ago

@stolendata Thanks for your suggestion, but it's not working for me. The request gets sent correctly, yet listening still does not work.

OPNsense stays attached to port 80 on IPv6; therefore I see in the logs something along the lines of:

== Info: Connected to [REDACTED] () port 80
GET /.well-known/acme-challenge/[REDACTED]
HTTP/1.1 301 Moved Permanently
Location: https://[REDACTED]/.well-known/acme-challenge/[REDACTED]

OPNsense is always redirecting to HTTPS.

I wonder how this is supposed to work at all, given that the web interface apparently must get shut down temporarily? Can't we make certbot put the secrets in a (no pun intended) .well-known directory that OPNsense will serve from its webserver?
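The thread above boils down to two separate requirements for a standalone HTTP-01 responder: it has to bind an IPv6 address (the `--listen-v6` / `::` suggestions), and it has to be the process that actually answers on port 80 for `/.well-known/acme-challenge/<token>` (which fails when the OPNsense web GUI still owns the port and answers with a 301). The following Python example is added here as an illustration of that mechanism; it is not acme.sh's code, not the plugin's code, and not from any participant in this issue. It binds `::` dual-stack (explicitly clearing `IPV6_V6ONLY`, which on FreeBSD-derived systems defaults to on), computes the RFC 8555 key authorization from a token and an RFC 7638 JWK thumbprint, and validates the requested token so that only registered challenge files are served. The token, thumbprint and JWK values are constructed; the self-test uses `::1` on an ephemeral port so it runs without touching port 80.

```python
"""Minimal standalone HTTP-01 challenge responder bound to IPv6 (added example, not acme.sh)."""
import base64
import hashlib
import http.client
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
_B64URL = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members in lexicographic order, no whitespace."""
    required = {"kty", "crv", "x", "y", "e", "n"}
    canonical = json.dumps({k: jwk[k] for k in jwk if k in required},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: the HTTP-01 response body is '<token>.<thumbprint>'."""
    return f"{token}.{thumbprint}"


def token_from_path(path: str):
    """Return the token for a well-formed challenge URL, else None (rejects '..' and other junk)."""
    path = path.split("?", 1)[0]
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    token = path[len(CHALLENGE_PREFIX):]
    if not token or any(c not in _B64URL for c in token):
        return None
    return token


class ChallengeServer(ThreadingHTTPServer):
    # AF_INET6 plus IPV6_V6ONLY=0 makes '::' accept both IPv6 and IPv4-mapped clients.
    address_family = socket.AF_INET6
    allow_reuse_address = True

    def __init__(self, addr, handler, challenges):
        self.challenges = dict(challenges)  # token -> key authorization
        super().__init__(addr, handler)

    def server_bind(self):
        self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        super().server_bind()


class ChallengeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        token = token_from_path(self.path)
        body = self.server.challenges.get(token) if token else None
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_responder(challenges: dict, listen_addr: str = "::", port: int = 80) -> ChallengeServer:
    """Bind listen_addr:port and serve in a background thread. Raises OSError if the port is taken,
    which is exactly the situation when another web server is still attached to port 80."""
    srv = ChallengeServer((listen_addr, port), ChallengeHandler, challenges)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def self_test():
    """Serve one constructed challenge on [::1]:<ephemeral> and fetch it; None if IPv6 is unavailable."""
    token = "constructed-token-abc123"   # constructed, not a real ACME token
    thumbprint = jwk_thumbprint({"kty": "EC", "crv": "P-256", "x": "constructedX", "y": "constructedY"})
    if not socket.has_ipv6:
        return None
    try:
        srv = start_responder({token: key_authorization(token, thumbprint)}, "::1", 0)
    except OSError:
        return None
    try:
        conn = http.client.HTTPConnection("::1", srv.server_address[1], timeout=5)
        conn.request("GET", CHALLENGE_PREFIX + token)
        ok = conn.getresponse()
        ok_status, ok_body = ok.status, ok.read().decode("ascii")
        conn.request("GET", CHALLENGE_PREFIX + "../../etc/passwd")
        bad_status = conn.getresponse().status
        conn.close()
    finally:
        srv.shutdown()
        srv.server_close()
    return ok_status, ok_body, bad_status, key_authorization(token, thumbprint)


if __name__ == "__main__":
    print(self_test())
```

Two design points relevant to the thread: binding `::` with `IPV6_V6ONLY` cleared is the general form of the `ncaddr="::"` suggestion above and covers IPv4-mapped clients as well, and `start_responder` deliberately lets the `OSError` from a busy port surface rather than silently falling back, because a responder that cannot bind port 80 is precisely the case where the validation request lands on whatever else is listening there.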