I have a Home Assistant (supervisor) installed on a Raspberry Pi 4 with a public IPv6 address and AAAA DNS record set up. I installed the Let’s Encrypt add-on to get a valid certificate via HTTP challenge in October last year. Everything went smoothly as far as I remember.
Now that the certificate validity is coming to an end, I wanted to renew the certificate, but the HTTP challenge now always fails. I think the reason why it fails is that when Let’s Encrypt add-on is started, a docker image is fired up with the following options:
Note the IPv4 0.0.0.0 address. I verified that when the add-on is running, the challenge is served on the IPv4 address of the Raspberry, but no IPv6 port is open.
Is there any way to configure the docker-proxy to open/forward both IPv4 and IPv6 ports?
I have been using IPv6 exclusively only AAAA record for almost 2 years I believe but I use Caddy (now the new Caddy2 addon to HA). I even use DNS domain validation with no issue… maybe look into using that? It should also work with http challenge but I do not want to expose port 80 and I can configure caddy to use the dns challenge for my DNS provider for the domain.
+1 to DNS-01 challenge for generating TLS certs, gets around so many finicky networking issues like this. Does your DNS provider allow for dynamic updates, or at least nsupdate configuration?
I am using a local non-mainstream DNS provider. They do have an API so I could possibly be able to knock up a script that would perform the DNS challenge.
But anyway, to me it looks like it should be a fairly simple exercise to make sure docker (or more specifically docker-proxy) listens on IPv6 (or perhaps on both IPv4 and IPv6) - I would expect this to be a configuration option somewhere. The problem is I am not sure where exactly to look, to me it looks more like a Docker issue rather than a HA/Let’s Encrypt issue, but I am not sure I understand the set-up completely.
If you do end up looking at their API, ask them if you can push DNS updates with “nsupdate”, the “dns-utils” package, or if their software follows the RFC2136 standard, which is the IETF’s standard for dynamic DNS updates. If so, you can keep using the LetsEncrypt addon, you just change your config to have:
dns:
provider: dns-rfc2136
rfc2136_server: [IP or domain name here]
rfc2136_port: '53' [change if they tell you to]
rfc2136_name: '!secret ddns_keyname'
rfc2136_secret: '!secret ddns_secret'
rfc2136_algorithm: '!secret ddns_algorithm'
Only pitfall I had setting this up was that the “algorithm” needs to be in all caps, but most software that generates DDNS keys give it to you in lower case
Thanks, as for RFC2136, unfortunately they don’t support it. I have found certbot plugins for their bespoke API though.
The IPv6 address I am using is static (I have a range assigned by the ISP).
What I don’t understand is that this used to work without any issues last year but for some reason stopped working. I have upgraded both the HA and Docker since then, so it’s a bit hard to investigate who’s to blame here.
I thought this would be a common issue, but well, nevermind, I will work around it, somehow.
