| [20:26:43] | * hefring has joined #aegir |
| [20:27:20] | * mutin-sa has joined #aegir |
| [03:28:02] | * shaneonabike has joined #aegir |
| [03:34:42] | <shaneonabike> | hey folks. I was wondering if anyone has a functional aegir/nginx with ipv6 working? I seem to be having some strange issue whereby ipv6 isn't going through. I checked and ufw is allowing the traffic through |
| [03:49:27] | <bgm[m]> | <shaneonabike "hey folks. I was wondering if an"> yep, I do |
| [03:49:46] | <bgm[m]> | <bgm[m] "yep, I do"> what kind of error/behaviour are you getting? |
| [03:49:50] | <shaneonabike> | bgm[m]: out of the box? |
| [03:50:04] | <shaneonabike> | Seems as though ipv6 (let's encrypt) cannot go through |
| [03:50:16] | <shaneonabike> | SSLLabs also indicates that the connection is not open |
| [03:50:33] | <shaneonabike> | But UFW says it is and (as far as I can tell) aegir is deploying it properly? |
| [03:50:56] | <shaneonabike> | bgm[m]: thoughts? |
| [03:51:39] | <bgm[m]> | we override the nginx vhost in `provision_symbiotic`, so I'm not 100% sure.. but it might help debugging? |
| [03:52:03] | <shaneonabike> | bgm[m]: ok... suggestions for debugging? |
| [03:52:08] | <bgm[m]> | https://github.com/coopsymbiotic/provision_symbiotic/blob/master/tpl/cus... |
| [03:53:18] | <bgm[m]> | i'm not sure what else to suggest. I've had issues sometimes with LE where the challenge goes on ipv4 and responds on ipv6, or something like that.. but haven't seen it recently. I would force IP_VER=6 or IP_VER=4 in the /var/aegir/config/letsencrypt/config |
| [03:53:36] | <shaneonabike> | ok |
| [03:53:42] | <shaneonabike> | bgm[m]: the certificate actually is fine |
| [03:53:55] | <shaneonabike> | bgm[m]: it's that when connecting through SSL ipv6 it doesn't work |
| [03:54:21] | <shaneonabike> | but let's encrypt was failing before tho |
| [03:54:26] | <shaneonabike> | bgm[m]: but i fixed it |
| [03:55:25] | <bgm[m]> | what's the URL? |
| [03:56:08] | <shaneonabike> | lebongoutfraisdesiles.com |
| [03:57:11] | <bgm[m]> | Connexion à lebongoutfraisdesiles.com (lebongoutfraisdesiles.com)|2600:3c04::f03c:91ff:fe9e:83cc|:80… connecté. |
| [03:57:11] | <bgm[m]> | requête HTTP transmise, en attente de la réponse… 404 Not Found |
| [03:57:28] | <shaneonabike> | bgm[m]: which means? |
| [03:57:34] | <shaneonabike> | the page was not found right? |
| [03:57:37] | <bgm[m]> | seems to connect, but the vhost is not correctly configured |
| [03:57:44] | <bgm[m]> | right |
| [04:00:49] | <shaneonabike> | strange |
| [04:00:55] | <shaneonabike> | i'm just using aegir as is without changes |
| [04:01:27] | <shaneonabike> | oh strange |
| [04:01:37] | <shaneonabike> | looks like there are two server entries for server port 80 |
| [04:01:44] | <shaneonabike> | one for let's encrypt and another |
| [04:02:00] | <shaneonabike> | server { |
| [04:02:00] | <shaneonabike> | listen *:80; |
| [04:02:00] | <shaneonabike> | server_name _; |
| [04:02:00] | <shaneonabike> | location / { |
| [04:02:00] | <shaneonabike> | return 404; |
| [04:02:00] | <shaneonabike> | } |
| [04:02:00] | <shaneonabike> | } |
| [04:02:12] | <shaneonabike> | bgm[m]: but that's not the default therefore kinda not valid right? |
| [04:04:09] | <bgm[m]> | that's missing a `[::]:80`, but it's probably not the issue here |
| [04:04:14] | <bgm[m]> | check the vhost for your domain? |
| [04:04:25] | <shaneonabike> | shoooot! |
| [04:04:28] | <shaneonabike> | bgm[m]: server { |
| [04:04:28] | <shaneonabike> | listen *:443 ssl http2; |
| [04:04:39] | <shaneonabike> | bgm[m]: that's the issue... but how come the vhost didn't add ipv6 |
| [04:05:04] | <shaneonabike> | bgm[m]: it should be [::]:443 right |
| [04:06:26] | <shaneonabike> | bgm[m]: i don't really get the *:443 vs [::]:443 constraint |
| [04:06:39] | <shaneonabike> | well i get that [::] provides ipv6 but i don't get the * breaker |
| [04:07:02] | <bgm[m]> | * is for ip4, and [::] is for ipv6 |
| [04:07:08] | <bgm[m]> | * `*` is for ip4, and [::] is for ipv6 |
| [04:07:28] | <bgm[m]> | (I'm on riot.im and I don't know what the formatting looks like on IRC) |
| [04:07:31] | <shaneonabike> | soo technically i need two listens |
| [04:07:38] | <shaneonabike> | haha |
| [04:07:42] | <shaneonabike> | looks fine |
| [04:07:51] | <bgm[m]> | listen <?php print "*:{$https_port} {$ssl_args}"; ?>; |
| [04:07:52] | <bgm[m]> | listen <?php print "[::]:{$https_port} {$ssl_args}"; ?>; |
| [04:07:57] | <bgm[m]> | that's what we use in provision_symbiotic |
| [04:08:12] | <shaneonabike> | yeah just like the main aegir |
| [04:08:16] | <shaneonabike> | should i log this as a bug? |
| [04:08:38] | <shaneonabike> | or a feature in hostmaster |
| [04:08:48] | <bgm[m]> | probably |
| [04:09:12] | <shaneonabike> | bgm[m]: ok thanks A LOT |
| [04:09:45] | <shaneonabike> | bgm[m]: btw how were you able to actually test ipv6 |
| [04:10:00] | <bgm[m]> | wget -6 |
| [04:10:05] | <shaneonabike> | ok nice |
| [04:15:40] | <shaneonabike> | bgm[m]: still not working :/ |
| [04:23:07] | <shaneonabike> | bgm[m]: well wget is not responding but now the certificate is https://www.ssllabs.com/ssltest/analyze.html?d=lebongoutfraisdesiles.com... |
| [04:37:52] | <shaneonabike> | Ok reported https://www.drupal.org/project/hostmaster/issues/3078431 |
| [04:37:53] | <hefring> | https://www.drupal.org/project/hostmaster/issues/3078431 => IPv6 [#3078431] => 0 comments, 1 IRC mention |
| [04:54:53] | <bgm[m]> | cool, subscribed to it, happy to review patches |
| [05:38:13] | * shaneonabike has left #aegir () |
| [05:38:33] | * shaneonabike has joined #aegir |
| [06:49:33] | * shaneonabike has quit (Ping timeout: 244 seconds) |
| [07:12:31] | * shaneonabike has joined #aegir |
| [07:19:06] | * shaneonabike has left #aegir () |