Provide -4 and -6 flags to use IPv4 and IPv6 respectively #1801

Open
1 task done
jsumners opened this issue Jan 6, 2023 · 6 comments · May be fixed by #1984
Comments

@jsumners

jsumners commented Jan 6, 2023

Welcome

  • Yes, I've searched similar issues on GitHub and didn't find any.

How do you use lego?

Binary

Detailed Description

This is related to several issues. A sampling of them are:

What I believe is happening is that lego is attempting to verify the challenge record propagation and strongly preferring IPv6 if it is enabled on the host. If the remote authoritative nameserver is not responding to an IPv6 connection, lego simply loops until the challenge token expires and thus never completes issuing a certificate.

I arrived at this conclusion by starting a certificate issuance, watching the requests (tcpdump -i ${IFACE} udp port 53 | rg acme) to see that outgoing queries for the TXT record are happening to the auth server over IPv6. I then tried the same query myself on both IPv4 and IPv6:

❯ dig @ns-249-c.gandi.net _acme-challenge.example.com txt +yaml
-
  type: MESSAGE
  message:
    type: AUTH_RESPONSE
    query_time: !!timestamp 2023-01-06T14:16:03.573Z
    response_time: !!timestamp 2023-01-06T14:16:03.612Z
    message_size: 109b
    socket_family: INET
    socket_protocol: UDP
    response_address: 217.70.187.250
    response_port: 53
    query_address: 0.0.0.0
    query_port: 43704
    response_message_data:
      opcode: QUERY
      status: NOERROR
      id: 27604
      flags: qr aa rd
      QUESTION: 1
      ANSWER: 1
      AUTHORITY: 0
      ADDITIONAL: 1
      OPT_PSEUDOSECTION:
        EDNS:
          version: 0
          flags:
          udp: 1232
      QUESTION_SECTION:
        - _acme-challenge.example.com. IN TXT
      ANSWER_SECTION:
        - _acme-challenge.example.com. 300 IN TXT "gpHXXn-bXxreJ860cysiinMfymNPPwPnq2aA3rNfdhY"
❯ dig @ns-249-c.gandi.net _acme-challenge.example.com txt +yaml -6

; <<>> DiG 9.16.22 <<>> @ns-249-c.gandi.net _acme-challenge.smurf.pw txt +yaml -6
; (1 server found)
;; global options: +cmd
-
  type: DIG_ERROR
  message: |
    connection timed out; no servers could be reached

Typically, a tool such as this (as shown by the dig usage above) provides a mechanism to indicate the IP stack to use through the switches -4 and -6. If I understand https://pkg.go.dev/net#Dialer correctly, it looks like passing tcp or tcp6 to the network parameter of Dialer.Control is all that is needed in the underlying framework to make these flags possible.

Note, the Gandi nameservers do respond on port 53 over IPv6. My actual problem is something with AT&T's terrible network.
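The pinning jsumners asks for can be shown with nothing but Go's standard library. The example below is added here for illustration; it is not lego's code and not what the linked pull request implements. The family goes into the network argument of DialContext ("udp4"/"udp6", "tcp4"/"tcp6"); Dialer.Control runs only after the socket has already been created. The names IPFamily, ForceFamily, NewResolver, LookupChallenge and ProbeFamilyMismatch are all hypothetical, and the loopback target in the probe is constructed. One detail explains the reported loop: Go's dialer races IPv6 against IPv4 only for TCP; a UDP dial commits to the first address the resolver returns, so a nameserver whose AAAA is reachable in DNS but blackholed on the wire is retried until the query deadline, every time.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"strings"
	"time"
)

// IPFamily selects which IP stack a DNS propagation check may use.
// FamilyAny keeps Go's default dual-stack behaviour; the other two stand in
// for the -4 / -6 switches proposed in this issue (hypothetical names).
type IPFamily int

const (
	FamilyAny IPFamily = iota
	FamilyIPv4
	FamilyIPv6
)

// ForceFamily rewrites a generic network name ("udp", "tcp") into its
// single-stack form ("udp4", "tcp6"). A name that already carries a family
// is checked for consistency instead of being rewritten, so a caller that
// asked for IPv4 can never be handed a udp6 socket by mistake.
func ForceFamily(network string, fam IPFamily) (string, error) {
	base := strings.TrimRight(network, "46")
	if base != "udp" && base != "tcp" {
		return "", fmt.Errorf("unsupported network %q", network)
	}
	var want string
	switch fam {
	case FamilyAny:
		return network, nil
	case FamilyIPv4:
		want = "4"
	case FamilyIPv6:
		want = "6"
	default:
		return "", fmt.Errorf("unknown IP family %d", fam)
	}
	if have := network[len(base):]; have != "" && have != want {
		return "", fmt.Errorf("network %q conflicts with requested IPv%s", network, want)
	}
	return base + want, nil
}

// NewResolver returns a net.Resolver whose every query goes to server
// (host:port, e.g. the zone's authoritative nameserver) over the requested
// family only. PreferGo makes the pure-Go resolver run, so Dial is honoured
// on every platform; the address the resolver passes in (a nameserver from
// resolv.conf) is deliberately ignored in favour of server.
func NewResolver(server string, fam IPFamily, timeout time.Duration) *net.Resolver {
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			n, err := ForceFamily(network, fam) // network arrives as "udp" or "tcp"
			if err != nil {
				return nil, err
			}
			d := net.Dialer{Timeout: timeout}
			return d.DialContext(ctx, n, server)
		},
	}
}

// LookupChallenge fetches the _acme-challenge TXT record for fqdn directly
// from server, pinned to the requested family. A blackholed IPv6 path now
// surfaces as a dial error instead of being retried until the token expires.
func LookupChallenge(ctx context.Context, server, fqdn string, fam IPFamily) ([]string, error) {
	return NewResolver(server, fam, 5*time.Second).LookupTXT(ctx, fqdn)
}

// ProbeFamilyMismatch shows offline what pinning buys: dialing an IPv4
// literal over a udp6-only socket is rejected by package net immediately
// ("no suitable address found") rather than hanging. A UDP "dial" sends no
// packet, so no listener is needed. Returns both dial errors (nil on success).
func ProbeFamilyMismatch() (v4Err, v6Err error) {
	const target = "127.0.0.1:53" // constructed loopback target; nothing is sent
	for _, c := range []struct {
		fam IPFamily
		err *error
	}{{FamilyIPv4, &v4Err}, {FamilyIPv6, &v6Err}} {
		n, _ := ForceFamily("udp", c.fam)
		conn, err := (&net.Dialer{Timeout: time.Second}).Dial(n, target)
		if err == nil {
			conn.Close()
		}
		*c.err = err
	}
	return v4Err, v6Err
}

func main() {
	v4, v6 := ProbeFamilyMismatch()
	fmt.Printf("udp4 -> 127.0.0.1: err=%v\nudp6 -> 127.0.0.1: err=%v\n", v4, v6)
	// Online use (not run here), the equivalent of dig -4 in the report above:
	// txt, err := LookupChallenge(context.Background(), "ns-249-c.gandi.net:53",
	//     "_acme-challenge.example.com.", FamilyIPv4)
}
```

Pinning the family is a workaround for a broken path, not a fix for it: the caveat Saklad5 raises below still stands, in that a host which can only reach the authoritative server over IPv4 will keep working with -4 right up until that server drops its A record. The conflict check in ForceFamily matters for the same reason; a -4 run that silently dials udp6 because some caller hard-coded the family would reproduce exactly the silent loop being reported.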

@jsumners jsumners mentioned this issue Jan 7, 2023
@Saklad5

Saklad5 commented Mar 23, 2023

I'm not entirely convinced it is worth adding this[1] rather than fixing your network connection.

I can make that request from AT&T's network, at least.

Footnotes

  [1] Personally, I'm skeptical of enabling any behavior that would break if everyone finally switched to IPv6-only networks. Even if this made Lego work for you, your Internet connection would still be broken.

@jsumners
Author

That's a nonsense approach. We have zero control over what ISPs do. We have 100% control over the software we write.

jsumners added a commit to jsumners/lego that referenced this issue Aug 3, 2023
This PR is a redo of go-acme#1802. Since that PR has been idle so long,
the branches have diverged quite a bit and it was easier to start
anew.

The work in this PR includes the work originally done by @dmke in go-acme#1802.

This PR is to resolve go-acme#1801.
@jsumners jsumners linked a pull request Aug 3, 2023 that will close this issue
@rnts08

rnts08 commented Apr 21, 2024

This would make it possible to use the lego tool when building tailscale networks as well; at the moment it's impossible to use since tailscale doesn't use IPv6. As much as we want it, v6 isn't available everywhere yet.

@Saklad5

Saklad5 commented Apr 21, 2024

> This would make it possible to use the lego tool when building tailscale networks as well; at the moment it's impossible to use since tailscale doesn't use IPv6. As much as we want it, v6 isn't available everywhere yet.

Tailscale uses IPv6 primarily. Not sure what you're talking about.

@rnts08

rnts08 commented Apr 21, 2024

> > This would make it possible to use the lego tool when building tailscale networks as well; at the moment it's impossible to use since tailscale doesn't use IPv6. As much as we want it, v6 isn't available everywhere yet.
>
> Tailscale uses IPv6 primarily. Not sure what you're talking about.

Their named network (tailnet) doesn't give you quad-A addresses in DNS. So, requesting certificates doesn't work.

@ldez ldez mentioned this issue May 2, 2024
@ierdelyi

ierdelyi commented May 2, 2024

This problem is not solved in LEGO if I understand right?
