Project

General

Profile

Actions

Feature #7519

closed

Add support for --listen-v6 to ACME standalone webserver

Added by Michael Duller over 7 years ago. Updated almost 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
ACME
Target version:
-
Start date:
05/04/2017
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

The ACME script allows passing "--listen-v6" to force IPv6 in standalone mode. In an environment with public IPv6 addresses only, this switch is required to get nc listen to the IPv6 address as by default it only listens to IPv4. I have tested it by adding "--listen-v6" to line 141 of acme_sh.inc and it got my Let's Encrypt setup working successfully.

A simple option in the UI, that forces IPv6 or IPv4 by passing "--listen-v6" and "--listen-v4", respectively, would be very handy.

Actions #1

Updated by Jim Thompson over 7 years ago

  • Assignee set to Jim Pingle
Actions #2

Updated by Jim Thompson over 7 years ago

  • Category set to ACME
Actions #3

Updated by Pim Pish about 7 years ago

The acme.sh script also knows the ncaddr variable. If it is set to a specific IPv6 address all works so no modifications to the script should be necessary. Just mentioning as it might be another way of approaching this while the script seems already to be IPv6 capable.

Actions #4

Updated by Michael Duller about 7 years ago

Pim, thanks for the info about ncaddr. My request was not about the script itself but about the UI, to provide a an option in the UI that passes "--listen-v6" or the "ncaddr", for example.

Actions #5

Updated by David Summers about 7 years ago

+1

I just ran into this today. I tried to get the Lets Encrypt working. I only have an IPv6 DNS name associated with this pfsense router.

I found out that the ACME script seems to only listen on the IPv4 address. If there could be either a way to force IPv6 (--listen-ipv6) or give the specific address to listen on then that should fix the issue.

I had to hack the script to add the --listen-ipv6 option and then everything worked great.

Other than that one problem, the whole ACME / Let's Encrypt seems to work great on PfSense.

Thanks!

Actions #6

Updated by Chaos215 Bar2 almost 7 years ago

Another +1.

I'm using HAProxy to allow multiple hosts behind a router to issue Let's Encrypt certificates, using HTTP verification with traffic routed based on domain. I literally spent hours trying to figure out why this wasn't working with the HAProxy backend sending traffic to localhost. Turns out, the problem was simply that HAProxy was trying to open a connection to ::1, and Acme wasn't listening for IPv6 connections.

Looks like Let's Encrypt does support IPv6 [[https://letsencrypt.org/2016/07/26/full-ipv6-support.html]], so this has the potential to affect even much more straightforward setups.

Actions #7

Updated by Jim Pingle almost 7 years ago

  • Status changed from New to Resolved

This is implemented in the ACME package version 0.1.33, for HTTP and TLS standalone entries there is now a checkbox to bind to IPv6 instead of IPv4. The acme.sh script doesn't support both at the moment, so it can only bind to v4 (current default and what you get when the box is unchecked) or IPv6 (check the box).

Actions

Also available in: Atom PDF