pfSense » pfSense Packages

https://forum.netgate.com/topic/195953/bug-24-11-acme-ipv6-cloudflare-issues-ipv4-not-respected

Using cloudflare dns w/token api for TXT record validation. In the cloudflare dash, under user api tokens, the token used by pfsense/acme has "CLIENT IP ADDRESS FILTERING" enabled. Effectively only certain ip's are valid for this token.

The attempt failed because only the ipv4 is whitelisted. Pfsense acme made the connection to api.cloudflare.com using ipv6.

Running curl within the pf shell shows the following. It appears to prefer ipv6 over ipv4 by default. I'm not sure if this is a change in curl behavior or acme, or the setting below (prefer ipv4) is not being applied.

In pf, under System/Advanced/Networking, Prefer IPv4 over IPv6 is checked. Is acme not validating this setting?

For now as a workaround i've whitelisted the ipv6 prefix. However my ip's are semi static and do change periodically. Normally just update the new ip in several places that need updating when that happens.

• Host api.cloudflare.com:443 was resolved.
• IPv6: 2606:4700:300a::6813:c0af, 2606:4700:300a::6813:c0ae, 2606:4700:300a::6813:c11d, 2606:4700:300a::6813:c0b0, 2606:4700:300a::6813:c01d, 2606:4700:300a::6813:c0b1
• IPv4: 104.19.192.177, 104.19.192.176, 104.19.193.29, 104.19.192.175, 104.19.192.29, 104.19.192.174
• Trying [2606:4700:300a::6813:c0af]:443...``

I could just add "-4" to line 1878 of https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-acme/files/usr/local/pkg/acme/acme.sh .

This would be the less elegant solution. Thinking more about this, it's possible previous acme/24.03 didn't encounter this issue because of the way dns presented the ip's and the ipv4 was chosen first.

Should prefer ipv4 apply to acme?