Add support for --listen-v6 to ACME standalone webserver
The ACME script allows passing "--listen-v6" to force IPv6 in standalone mode. In an environment with public IPv6 addresses only, this switch is required to get nc to listen on the IPv6 address, as by default it only listens on IPv4. I have tested it by adding "--listen-v6" to line 141 of acme_sh.inc and it got my Let's Encrypt setup working successfully.
A simple option in the UI that forces IPv6 or IPv4 by passing "--listen-v6" and "--listen-v4", respectively, would be very handy.
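As an added illustration (not code from the ACME package or from acme.sh), a small pre-flight helper that derives the standalone setting from the address families a hostname actually publishes: "--listen-v6" for an IPv6-only host, "--listen-v4" for IPv4-only, and no flag for a dual-stack host, since acme.sh standalone binds only one family at a time. The address lists and hostname below are constructed; `standalone_settings` and `resolve_addresses` are names chosen here, and the `ncaddr` hint follows the suggestion later in this thread of pinning the listener to one specific address.

```python
import ipaddress
import socket

# Constructed sample inputs: the addresses a hostname's A/AAAA records resolve to.
SAMPLE_V6_ONLY = ["2001:db8::10"]               # reporter's case: public IPv6 only
SAMPLE_V4_ONLY = ["192.0.2.10"]
SAMPLE_DUAL = ["192.0.2.10", "2001:db8::10"]


def standalone_settings(addresses):
    """Map resolved addresses to acme.sh standalone settings.

    Returns a dict with:
      listen_flag: "--listen-v6", "--listen-v4", or None when the host is
                   dual-stack (acme.sh standalone binds one family, so the
                   operator has to pick the one the validator will reach).
      ncaddr:      the single address to bind when the chosen family has
                   exactly one address, otherwise None.
    """
    parsed = [ipaddress.ip_address(a.split("%")[0]) for a in addresses]
    if not parsed:
        raise ValueError("no addresses resolved; check the DNS record first")
    families = {ip.version for ip in parsed}
    if families == {6}:
        flag = "--listen-v6"
    elif families == {4}:
        flag = "--listen-v4"
    else:
        return {"listen_flag": None, "ncaddr": None}
    ncaddr = str(parsed[0]) if len(parsed) == 1 else None
    return {"listen_flag": flag, "ncaddr": ncaddr}


def resolve_addresses(hostname, port=80):
    """Distinct A/AAAA addresses the system resolver returns for hostname.

    Needs working DNS; pass the result to standalone_settings().
    """
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Example run against the constructed IPv6-only case.
    print(standalone_settings(SAMPLE_V6_ONLY))
```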
Updated by Pim Pish almost 4 years ago
The acme.sh script also knows the ncaddr variable. If it is set to a specific IPv6 address, all works, so no modifications to the script should be necessary. Just mentioning it as it might be another way of approaching this, while the script already seems to be IPv6 capable.
Updated by David Summers almost 4 years ago
I just ran into this today. I tried to get Let's Encrypt working. I only have an IPv6 DNS name associated with this pfSense router.
I found out that the ACME script seems to only listen on the IPv4 address. If there could be either a way to force IPv6 (--listen-ipv6) or give the specific address to listen on then that should fix the issue.
I had to hack the script to add the --listen-ipv6 option and then everything worked great.
Other than that one problem, the whole ACME / Let's Encrypt setup seems to work great on pfSense.
Updated by Alfred Barnat almost 4 years ago
I'm using HAProxy to allow multiple hosts behind a router to issue Let's Encrypt certificates, using HTTP verification with traffic routed based on domain. I literally spent hours trying to figure out why this wasn't working with the HAProxy backend sending traffic to localhost. Turns out, the problem was simply that HAProxy was trying to open a connection to ::1, and Acme wasn't listening for IPv6 connections.
Looks like Let's Encrypt does support IPv6 (https://letsencrypt.org/2016/07/26/full-ipv6-support.html), so this has the potential to affect even much more straightforward setups.
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Resolved
This is implemented in the ACME package version 0.1.33. For HTTP and TLS standalone entries there is now a checkbox to bind to IPv6 instead of IPv4. The acme.sh script doesn't support both at the moment, so it can only bind to IPv4 (the current default and what you get when the box is unchecked) or IPv6 (check the box).