On OpenBSD acme.sh fails to tell nc/socat to listen for IPv6 traffic #5065
Comments
Please upgrade to the latest code and try again first. Maybe it's already fixed.
It looks like
When the domain requested for issuing/renewal has an AAAA (IPv6) record, Let's Encrypt will proceed using IPv6 connectivity instead of IPv4. Consequently, acme.sh must be told to accept inbound IPv6 connections, but on OpenBSD the --listen-v6 option doesn't seem to have any effect. Providing a --local-address ..., whether ::/0 or the host's actual IPv6 address, makes no difference either. Instead acme.sh still tells nc/socat to do only IPv4 and fails to accommodate Let's Encrypt's connection attempts, causing the issuing/renewal to fail.
Temporarily removing the AAAA record from the domain solves the problem, but this is obviously disruptive and not an acceptable or sustainable solution.
Add.: when the invocation below is running I've confirmed with netstat/fstat that acme.sh is indeed listening on an IPv4 TCP socket, but nothing on IPv6, contrary to what it has explicitly been told to do.
Steps to reproduce
./acme.sh --standalone --listen-v6 --local-address '2601:56:XXXX:XXXX::1234' --httpport 1080 --renew --domain some.domain
Debug log
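The netstat check described in the report can be scripted so the missing IPv6 listener is caught before a renewal attempt fails. This is an added example, not part of the original issue or of acme.sh; it assumes BSD-style `netstat -an` output (protocol in column 1, `ADDR.PORT` local address in column 4), and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not acme.sh code): report which address families have a
# TCP listener on a port, reading BSD-style `netstat -an` output on stdin.
# Live use on the host running acme.sh:  netstat -an | listen_families 1080

# listen_families PORT -> prints "v4", "v6", "v4 v6" or "none"
listen_families() {
    awk -v port="$1" '
        # Only TCP sockets in LISTEN state; header lines never match.
        $NF == "LISTEN" && $1 ~ /^tcp/ {
            n = split($4, parts, ".")      # BSD netstat prints ADDR.PORT
            if (parts[n] != port) next     # last dot-field is the port
            if ($1 ~ /6$/) v6 = 1; else v4 = 1   # tcp6 = IPv6, tcp = IPv4
        }
        END {
            out = (v4 ? "v4" : "") (v4 && v6 ? " " : "") (v6 ? "v6" : "")
            print (out == "" ? "none" : out)
        }'
}

# has_v6_listener PORT -> exit status 0 only if an IPv6 listener exists
has_v6_listener() {
    case "$(listen_families "$1")" in
        *v6*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Constructed sample: the failure in the report (port 1080 on IPv4 only).
SAMPLE_V4_ONLY='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        TCP-State
tcp          0      0  *.1080                 *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN
tcp6         0      0  *.22                   *.*                    LISTEN'

# Constructed sample: the expected state, listeners in both families.
# 2001:db8::/32 is the documentation prefix, not a real host address.
SAMPLE_DUAL='Proto   Recv-Q Send-Q  Local Address          Foreign Address        TCP-State
tcp          0      0  *.1080                 *.*                    LISTEN
tcp6         0      0  2001:db8::1234.1080    *.*                    LISTEN'

# Run against the constructed failure case.
printf '%s\n' "$SAMPLE_V4_ONLY" | listen_families 1080
if ! printf '%s\n' "$SAMPLE_V4_ONLY" | has_v6_listener 1080; then
    echo "no IPv6 listener on port 1080: validation over IPv6 cannot connect"
fi
```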