Solved Another issue with IPv6

[Mika Sarmantti]

I have followed all guides and forum posts about getting DA to work with IPv6, but I cannot get it working properly. Issue is somewhat pressing, as one of the SSL certificates is about to expire, and this IPv6 issue is causing the Let's Encrypt service to fail, as host is unreachable.

Direct admin has IPv6 enabled:

# grep ipv6 /usr/local/directadmin/conf/directadmin.conf
ipv6=1

Service has been restarted couple times since.

"directadmin o" does not say server is compiled with IPv6, but as I understood this might be CentOS or older DA feature that doesn't work same way on Debian machines:

# /usr/local/directadmin/directadmin o
version: 1.678
build: 90d433d7934dc7580b954eaa88abf652c95973e7
arch: amd64
os: linux
package: directadmin_90d433d7934dc7580b954eaa88abf652c95973e7_linux_amd64.tar.gz
distro: debian12
eol: 2028-09-01 00:00:00
eol timestamp: 1851379200

But netstat -lnp | :443 lists several nginx: work processes listening the ports, so.. that should mean IPv6 support is on.
There is also other ipv6 instances listening various ports.

I am also able to ping google and client's address with ping -6 from the machine. But, I'm guessing the pinging of IPv6 shorts some loops and mainly checks if localhost is responding. That being said, localhost responds to IPv6 given in DNS records, so that should mean it's correctly set up in those..?

As mentioned, ping does go through with domain name. I then try to use curl to reach test file made into .well-known/acme-challenge/ folder. On IPv4 this returns "200 OK" but with -6 flag: "Failed to connect to <domain> port 443 after 1ms: couldn't connect to server."
This -- to me -- suggests there is something wrong with how the nginx/apache IPv6 is set up. Server seems perfectly capable of handling it.

In path: cat /usr/local/directadmin/data/admin/ips/
I have 3 IP's listed, server IPv4, shared IPv4, and shared IPv6.
Currently shared IPv4 is has linked_ips directing to.. something, from control panel this is IPv6.

As reseller/admin I have set up the IP to be linked and global. And I have been able to add the IPv6 as additional IP for the client(s).

I initially read the official instruction that specify that you must click IPv6 and link it to IPv4, but today reading the comments it seems this is false information and you must link Server IPv4 into Shared IPv6, but then another official source specifically mentions not to link shared IPv4s with server IPv4's. So.. this part certainly requires extra clarification in the documents. That being said, I have tried all possible combinations with linking IP's and none of them gets me anywhere. There was even time when IPv6 was linked to IPv4 which was linked back to IPv6.
I might also suggest that the "Link IP" user interface should be more clear what linking does, which way data propagates, and maybe even give example or few how to use or properly in some info section

Successful requests to .well-known test file are logged in httpd/domain/customer.log, but failed IPv6 connections are seemingly not registering anywhere. I'm guessing it's because of the nginx/apache dual config. Which I have not set up, and do not know how it's supposed to work, but appears to be that nginx captures all incoming requests and redirects them to apache for handling. But nginx logs do not react when I try to fetch the test file with IPv6.

Any ideas what I may have missed and what to check next.

 

[Richard G]

you must click IPv6 and link it to IPv4

I don't know about nGinx things, but I do now for ipv6 to get this working as should be, you have to click ipv4, then select the ipv6 in there and link it to the ipv4. That is the only correct way.
Backlinking (so linking the ipv4 to the ipv6) should not be done.

Be aware that normally (I don't know about nGinx) you have to restart DA and also use the "da build rewrite_confs" command afterwards.

 

[Mika Sarmantti]

Which IPv4? Shared IP which is what we use for client's DNS settings. Or Server IPv4?
As mentioned, currently the setup is I've clicked the Shared IPv4 and chosen to link it with IPv6, and it is not working. I did have couple hours on Server IPv4 Linked to IPv6, which also didn't work.

 

[Richard G]

Which IPv4? Shared IP which is what we use for client's DNS settings. Or Server IPv4?

So you use 2 different ipv4's? Well that makes life a bit more difficult, but then you also have multiple ipv6 right?
Anyway, if you want an ipv6 linked to client's DNS settings, then you have to link that with the ipv4 you're using for that.

So if I read correctly then to the shared ip.

We only have 1 ipv4 and use that as both server and shared ip and link the ipv6 to that.

currently the setup is I've clicked the Shared IPv4 and chosen to link it with IPv6

You mean you choose to link the ipv6 with the shared ipv4.
When I click on my ipv4 in Evo skin, then on the details tab I see status and /32 netmask and xx users (because I use server ip as shared ip).
And then there is also a tab visible which says Linked IP(s), when I click that, then there the ipv6 I want to use for my customers is present in there.

It also reads in there "Added to DNS"->yes and "Added to Apache"->yes.

So if you have that, then you are half way because that is correct.

If it's still not working, did you follow the steps I said about restarting DA and doing the rewrite_confs? If yes, I don't know. Might be you have to do something extra with nGinx.
In that case we have to see if somebody with nGinx knowledge can help, maybe @Zhenyapan or @Ohm J.

 

[Ohm J]

Can you check in nginx template on one of relate domain in "Admin -> Custom HTTPd Configuration".
If option during IP Link tick both the checkbox, then it should apply to nginx/apache template already.


p.s. IP Link have the option to processing in the background task or in-web-request, ensure re-check this option if you want to check in realtime response.

 

[Mika Sarmantti]

Thank you for experient replies.

So you use 2 different ipv4's? Well that makes life a bit more difficult, but then you also have multiple ipv6 right?
Anyway, if you want an ipv6 linked to client's DNS settings, then you have to link that with the ipv4 you're using for that.

So if I read correctly then to the shared ip.

We only have 1 ipv4 and use that as both server and shared ip and link the ipv6 to that.

Yes, we have server address for server businesses, I don't know exact details, as I've never installed this setup and Boss who did didn't excatly explain it, he just mentioned "it needs to be like this to work reliably on Hetzner", so DNS setups for clients use only the Shared IP in their DNS setups.

You mean you choose to link the ipv6 with the shared ipv4.
When I click on my ipv4 in Evo skin, then on the details tab I see status and /32 netmask and xx users (because I use server ip as shared ip).
And then there is also a tab visible which says Linked IP(s), when I click that, then there the ipv6 I want to use for my customers is present in there.

It also reads in there "Added to DNS"->yes and "Added to Apache"->yes.

Shared IPv4 behaves as described above, netmask shows 255.255.255.255 (or /32 if converted), number of users is also shown, and Linked IP's has IPv6 listed and Added to DNS and added to Apache both say yes.
Clicking IPv6 also shows that Status is shared, netmask /64 and number of users. And it has been clicked to be Global. Linked IP's is empty, as I've understood is as it should be.

So if you have that, then you are half way because that is correct.

If it's still not working, did you follow the steps I said about restarting DA and doing the rewrite_confs? If yes, I don't know. Might be you have to do something extra with nGinx.
In that case we have to see if somebody with nGinx knowledge can help, maybe @Zhenyapan or @Ohm J.

Restarting and rewriting configs. After I still get:

curl -I -L -k -6 https://<customer>/.well-known/acme-challenge/<random GUID>.test

> curl: (7) Failed to connect to <customer> port 443 after 3 ms: Couldn't connect to server

 

[Mika Sarmantti]

Can you check in nginx template on one of relate domain in "Admin -> Custom HTTPd Configuration".
If option during IP Link tick both the checkbox, then it should apply to nginx/apache template already.


p.s. IP Link have the option to processing in the background task or in-web-request, ensure re-check this option if you want to check in realtime response.

The httpd.cong template (which I'd say is Apache config from the looks of it), and "nginx.conf proxy" templates both list the IPv6 as being listened. In httpd ports listened are 8080 and 8081 for ssl, and nginx listens ports 80 and 443.

And thanks for info how the background option works. I have had it working in background and given it ~10-15min to process, so hopefully that has been enough in the past when I've tried to solve this issue.

 

[Richard G]

And it has been clicked to be Global.

I don't have this clicked. I don't know if this matters, I never used this and the ipv6 is always added to resellers and all users.

Restarting and rewriting configs. After I still get:

First check your user's DNS. Is the ipv6 added to their DNS or not? If not, then their is the problem.

 

[Mika Sarmantti]

Issue has been resolved, thank you for anyone who wasted their time with this -.-;

Richard's statement on DNS made me nth-check the DNS records, and re-evaluate what I thought I understood how IPv6 works. Along with possibly poorly written, or more likely poorly understood instructions.

In DNS records, it was stated that no ranges allowed, and in example address was ending with ::1, and in some examples where ranges are allowed, the address ends with ::, so I assumed the 0 is sort of wildcard, denoting that "any number in this pair works." and that's what I had set in DA.

In hindsight server configured to expect incoming request from address *:0:0:0:0 should not reply to requests made with with *:0:0:0:1 address.

Changing the DA to expect connections from ::1, solved the issue and I also got sertificates fetched properly. Now to update all clients with correct IPv6 address -.-;

So to reiterate in case anyone comes here later with same issue:
Check that your DNS record matches what you have in Direct Admin.

 

[Richard G]

Changing the DA to expect connections from ::1

Just to get this a bit more clear. Exactly where and waht did you change? Is that in the ip manager that you just put a 1 behind the last colon of the ip you got from Hetzner?
You had set a 0 there before?

 

[Mika Sarmantti]

So initially I had DNS settings set the IPv6 with ::1, and on on DA the IPv6 was with :: (or ::0). Neighboring but very distinct IP's.
Changing DA settings so the IP they are listening to match DNS settings with ::1 solved the issue.

Alternatively when this clicked in my brain, I first working fix was to set DNS to point ::0, which also fixes the issue, as now they are still same address.
Turned out it was much less work to update all customers in DA to use IPv6 in DNS settings, than update every clients every domain from their DNS records in Azure, so I opted to keep the designated IP with ::1 in the end.

So, to really drive the core issue at home, there was nothing wrong with DA, or DNS settings, I had this weird belief and just assumed incorrectly that setting the DA to listen ::0\64 would also include that whole mask range, which would include ::1. In hindsight I have no idea why I had this idea stuck in my brain. Even tho I've not completed that much training in networking, I at least should have known those are just very different addresses =)

 

[DrWizzle]

With my Hetzner servers, the routeable IPv6 address ends in ::2 for the bare metal servers and ::1 for the vps instances even though I have a cidr of /64. (If you're IP locking in your DA client account, it likes a CIDR of /128)

I simply match the ipv6 address that is shown in the rDNS section in the Hetzner Control Panel to the Server IPv6 shown in IP Management, and also what's set up in the networking config to the AAAA records and everything usually works.

Touch wood I've had 0 issues with Hetzner and IPv6 and find it connects better than IPv4 on the multi server setup also.

 

[Richard G]

With my Hetzner servers, the routeable IPv6 address ends in ::2 for the bare metal servers

Ah yes you are correct, we also have ::2 for our dedi's. Good point!