Hi. I have a site that, if I access it with IPv4, the certificate works. If I access it via IPv6, it doesn't: it gets the server's default certificate. I had it so that the web site config was ip4=* and ip6=blank. I have since changed it to ipv4=* and ipv6=server's real IPv6 address. That caused the Let's Encrypt checkbox to become disabled. I re-enabled it, waited, restarted the web server, but the problem remains. Any ideas how to get IPv6 SSL certificates to work?

Sample run:

Code:
$ curl https://jneurophilosophy.com --verbose
* Rebuilt URL to: https://jneurophilosophy.com/
*   Trying 2a01:4f8:120:6305::2...
* TCP_NODELAY set
* Connected to jneurophilosophy.com (2a01:4f8:120:6305::2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=kalfaoglu.net
*  start date: Feb  9 16:05:48 2025 GMT
*  expire date: May 10 16:05:47 2025 GMT
*  subjectAltName does not match jneurophilosophy.com
* SSL: no alternative certificate subject name matches target host name 'jneurophilosophy.com'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, [no content] (0):
* TLSv1.3 (OUT), TLS alert, close notify (256):
SSL works fine out of the box with IPv6 if networking is configured correctly on the server outside of ISPConfig. The recommended setting for websites is ip4=* and ip6=blank; this enables IPv4 and IPv6 for the site as a name-based virtual host. Follow the Let's Encrypt error FAQ https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/ to find out why LE does not work on your server when you request a certificate.
Many thanks. All my VirtualHost statements look like this:

Code:
<VirtualHost *:80>
<VirtualHost *:443>

From browsing the net, I see that it should include the [::] or something as well? The Apache conf contains this as the only Listen line:

Code:
httpd.conf:Listen 80

but:

Code:
# netstat -tulpn | grep :80
tcp6       0      0 :::80                   :::*                    LISTEN      2160812/httpd
tcp6       0      0 :::8081                 :::*                    LISTEN      2160812/httpd
tcp6       0      0 :::8080                 :::*                    LISTEN      2160812/httpd

Do these look normal?
No, it should not contain that. * in VirtualHost means IPv4 and IPv6, see the Apache documentation: https://httpd.apache.org/docs/2.4/mod/core.html#virtualhost

You can try adding

Code:
Listen [::]:80
Listen [::]:443

in httpd.conf. But as you can reach your web server on IPv6, it should not be needed.
It turns out it's a bit crazier than that. I don't yet have IPv6, but when someone connects from an IPv6-enabled system to that same web site (jneurophilosophy.com), first he/she gets a warning saying mismatch of certificate. If he/she clicks Continue Anyway, they get the default site of the server, kalfaoglu.net!

BTW, Apache refuses the

Code:
Listen [::]:80
Listen [::]:443

commands, probably because there is a Listen 80 a few lines above that.
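The symptom in the posts above (a certificate for the default site, whose SANs do not cover the requested name, served only on one address family) is easiest to pin down by connecting over IPv4 and over IPv6 separately, sending SNI for the same hostname, and comparing the two certificates. The following diagnostic is an added example, not code from the thread or from ISPConfig; the hostname, the probe function names and the constructed sample certificate dict are assumptions, and the SAN matcher is a deliberately small version of the RFC 6125 rules (exact match, or a wildcard covering exactly the leftmost label).

```python
"""Probe the TLS certificate a host presents over IPv4 and over IPv6 (added example)."""
import socket
import ssl
import sys

# Constructed sample, modelled on the curl output in the first post: a certificate
# whose subject and SANs are for the server's default site only.
SAMPLE_CERT = {
    "subject": ((("commonName", "kalfaoglu.net"),),),
    "subjectAltName": (("DNS", "kalfaoglu.net"), ("DNS", "www.kalfaoglu.net")),
}


def hostname_matches_san(hostname, san_names):
    """True if hostname is covered by one of the DNS SAN entries."""
    host = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            # A wildcard covers exactly one label: *.example.com matches a.example.com,
            # but neither example.com nor a.b.example.com.
            suffix = san[1:]  # ".example.com"
            if host.endswith(suffix) and host.count(".") == san.count("."):
                return True
    return False


def dns_sans(cert):
    """DNS names from the dict that ssl.SSLSocket.getpeercert() returns."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def probe(hostname, family, port=443, timeout=5.0):
    """Connect over one address family with SNI set; return (peer_ip, cert dict).

    Hostname checking is turned off so a mismatch becomes a reportable result
    instead of an exception; the chain is still verified against the system CAs.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we compare names ourselves in hostname_matches_san()
    infos = socket.getaddrinfo(hostname, port, family, socket.SOCK_STREAM)
    if not infos:
        raise OSError(f"no {family.name} address for {hostname}")
    sockaddr = infos[0][4]
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.connect(sockaddr)
    with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
        return sockaddr[0], tls.getpeercert()


def report(hostname):
    """Print, per address family, which certificate was served and whether it matches."""
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            ip, cert = probe(hostname, family)
        except (OSError, ssl.SSLError) as exc:
            print(f"{family.name}: no result ({exc})")
            continue
        sans = dns_sans(cert)
        ok = hostname_matches_san(hostname, sans)
        print(f"{family.name} via {ip}: SANs={sans} -> {'OK' if ok else 'MISMATCH'}")


if __name__ == "__main__":
    # Hypothetical usage: python probe_cert.py jneurophilosophy.com
    report(sys.argv[1] if len(sys.argv) > 1 else "jneurophilosophy.com")
```

If the IPv6 line reports MISMATCH while the IPv4 line reports OK, the request is reaching a vhost that does not carry the site's certificate on that address family, which is exactly the inconsistent VirtualHost addressing discussed later in this thread rather than a Let's Encrypt problem.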
I asked DeepSeek and it recommended I add more entries for VirtualHost, but I don't want to manually edit things that ISPConfig takes care of. This was the recommendation:

Code:
<VirtualHost *:80>
    ServerName jneurophilosophy.com
    ServerAlias www.jneurophilosophy.com
    DocumentRoot /var/www/jneurophilosophy.com/public_html
    # Other configurations...
</VirtualHost>

<VirtualHost *:443>
    ServerName jneurophilosophy.com
    ServerAlias www.jneurophilosophy.com
    DocumentRoot /var/www/jneurophilosophy.com/public_html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/jneurophilosophy.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jneurophilosophy.com/privkey.pem
    # Other SSL configurations...
</VirtualHost>

<VirtualHost [2a01:4f8:120:6305::2]:80>
    ServerName jneurophilosophy.com
    ServerAlias www.jneurophilosophy.com
    DocumentRoot /var/www/jneurophilosophy.com/public_html
    # Other configurations...
</VirtualHost>

<VirtualHost [2a01:4f8:120:6305::2]:443>
    ServerName jneurophilosophy.com
    ServerAlias www.jneurophilosophy.com
    DocumentRoot /var/www/jneurophilosophy.com/public_html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/jneurophilosophy.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jneurophilosophy.com/privkey.pem
    # Other SSL configurations...
</VirtualHost>

Right now the jneurophilosophy.com.vhost file contains:

Code:
<VirtualHost *:80>
(....)
<VirtualHost *:443>
(...)
FOUND IT. That site's vhost file is erroneous. The other sites all have a special section that describes the IPv6 like this:

Code:
<VirtualHost [2a01:4f8:120:6305::2]:80>

This site didn't. It only had entries like I quoted. When this web site was originally created it showed:

Code:
ipv4: *
ipv6: (blank)

which I then switched to

Code:
ipv4: *
ipv6: [2a01...etc..server ipv6]

but for some reason it did not re-create the vhost file. Now I'm making some small changes to the conf (just enabled Python!) and hope it will re-create the vhost correctly.

Followup: I found an '.err' file in sites-available for this site. Deleted that file, but it recreated it!
If you followed my suggestions, this should not be in the vhost or in the default installation. There should be just * and not an IPv6 address for IPv6. See Read Before Posting, chapter 2: https://forum.howtoforge.com/threads/please-read-before-posting.58408/ Never mix * and IP addresses. So the best thing to do is to do what I suggested: always select * in the IPv4 field and nothing in the IPv6 field. Then you should just have * in the VirtualHost section, which makes it work for IPv6 and IPv4. The IPv6 address shall not be there in this case, so this vhost was correct and the others are wrong. By selecting something in the IPv6 field, as you seem to have done, the system must fail if you do not do it consistently. And if a site cannot be recreated, that's covered in Read Before Posting as well.
Deleting the .err file cannot solve anything. The .err file is the reference for you for the error; ignoring an error by deleting the info which helps you to find the reason does not make it go away. See Read Before Posting, chapter 5, it's all covered there. The most likely reason for your issue is that you entered something in the Apache directives field that your server does not understand, or you enabled a feature in the site that your system does not support.
OK, I changed it back to * for IPv4 and nothing for IPv6. Checked the vhost file, it is created correctly: no sign of IPv6 there. Flushed caches, restarted httpd and php74-fpm, but I'm again getting the kalfaoglu.net web page when I try to visit jneurophilosophy.com. I wonder if the IPv6 IP needs to be defined to be vhost-based in Apache, like host-based IP or something. I vaguely remember something like that.
You must do this for all sites, see Read Before Posting. Apache must fail as soon as you start mixing IPv6 or IPv4 addresses with *. Therefore, use only * or you must use the IP addresses everywhere, which works but is more likely to fail. No. I posted the link to the Apache docs, which explain that in detail. The NameVirtualHost directive is not needed anymore today.
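The rule stated in the two replies above (never mix * and literal IP addresses in VirtualHost address specs; use one style for every site on the server) is easy to check mechanically before restarting Apache, which is what the grep in the next post does by hand. The following lint script is an added example, not code from the thread, from ISPConfig or from Apache; the function names, the file-reading helper and the constructed sample vhost files are assumptions (the IPv6 address and file names in the sample are taken from this thread). It parses every `<VirtualHost ...>` opening tag, including tags with several space-separated address specs, groups the addresses by port, and reports each port that is served by both a wildcard vhost and a literal-address vhost.

```python
"""Lint Apache vhost files for mixed '*' and literal-IP VirtualHost addresses (added example)."""
import glob
import os
import re
from collections import defaultdict

# Captures everything between 'VirtualHost' and the closing '>' of the opening tag.
_VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)

# Constructed sample: a default vhost bound to the server's IPv6 literal while the
# site vhost uses '*', i.e. the mixed configuration the thread ends up with.
SAMPLE_FILES = {
    "000-default.vhost": (
        "<VirtualHost [2a01:4f8:120:6305::2]:80>\n  DocumentRoot /var/www/html\n</VirtualHost>\n"
        "<VirtualHost [2a01:4f8:120:6305::2]:443>\n  SSLEngine on\n</VirtualHost>\n"
    ),
    "jneurophilosophy.com.vhost": (
        "<VirtualHost *:80>\n  ServerName jneurophilosophy.com\n</VirtualHost>\n"
        "<VirtualHost *:443>\n  ServerName jneurophilosophy.com\n  SSLEngine on\n</VirtualHost>\n"
    ),
    "apps.vhost": "<VirtualHost *:8080>\n  ServerName localhost\n</VirtualHost>\n",
}


def parse_vhost_addrs(text):
    """Return (address, port) pairs for every <VirtualHost> tag in text.

    Apache allows several space-separated specs in one tag, e.g.
    '<VirtualHost *:80 [2001:db8::1]:80>'; each spec becomes its own pair.
    IPv6 literals are bracketed, so the port is whatever follows the ']'.
    """
    pairs = []
    for match in _VHOST_RE.finditer(text):
        for spec in match.group(1).split():
            if spec.startswith("["):          # [v6addr]:port or [v6addr]
                addr, _, rest = spec.partition("]")
                addr, port = addr[1:], rest.lstrip(":") or "*"
            elif spec.count(":") == 1:        # v4addr:port, name:port or *:port
                addr, port = spec.split(":")
            else:                             # bare address or wildcard, no port
                addr, port = spec, "*"
            pairs.append((addr.strip(), port.strip()))
    return pairs


def is_wildcard(addr):
    """'*' and '_default_' both match any address Apache listens on."""
    return addr in ("*", "_default_")


def find_mixed_ports(files):
    """files: {filename: contents}. Returns, for each port that has both wildcard
    and literal-address vhosts, {'wildcard': [filenames], 'literal': [(filename, addr)]}."""
    by_port = defaultdict(lambda: {"wildcard": [], "literal": []})
    for name, text in files.items():
        for addr, port in parse_vhost_addrs(text):
            if is_wildcard(addr):
                by_port[port]["wildcard"].append(name)
            else:
                by_port[port]["literal"].append((name, addr))
    return {port: v for port, v in by_port.items() if v["wildcard"] and v["literal"]}


def load_vhost_dir(directory):
    """Read every *.vhost file in a directory (hypothetical helper) into {name: contents}."""
    files = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.vhost"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            files[os.path.basename(path)] = fh.read()
    return files


def report(files):
    """Print one line per inconsistent port; return True when the config is consistent."""
    mixed = find_mixed_ports(files)
    for port, v in sorted(mixed.items()):
        literals = ", ".join(f"{n} ({a})" for n, a in v["literal"])
        print(f"port {port}: wildcard in {', '.join(v['wildcard'])}; literal in {literals}")
    return not mixed


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python vhost_lint.py /etc/apache2/sites-available
    target = load_vhost_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    raise SystemExit(0 if report(target) else 1)
```

On the constructed sample the script reports ports 80 and 443 as mixed and leaves port 8080 alone; with the default vhost changed to `*` as in the thread's final post, it reports nothing and exits 0.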
I just finished that. I used the GUI to set all ip6: to blank. Now it looks like:

Code:
[root@latte sites-available]# grep VirtualHost * | grep :: | more
000-default.vhost:<VirtualHost [2a01:4f8:120:6305::2]:80>
000-default.vhost:<VirtualHost [2a01:4f8:120:6305::2]:443>

UPDATE: I manually edited that default vhost and removed the IPv6 VirtualHost definitions, and Apache started working fine! Many thanks!