
Comments (3)

rcbarriga commented on June 12, 2024

The fixed nginx conf generated files should include the code in bold for the listen statement:

listen [::]:80 default_server;
and
listen [::]:443 default_server;

I'm just confused about how this fix should be used with the ${DEDI_IP} var in the centminmod script.

centminmod commented on June 12, 2024

nginx template .txt files are currently NOT used, as the nginx vhost templates are built into the routine itself. However, historically folks have reported issues with broken IPv6 or unstable IPv6 connectivity from some web host configurations, which lead to issues only a web host can fix. So Centmin Mod hasn't really set up IPv6 nginx vhosts by default. Instead, official Centmin Mod FAQ item 34 has outlined how to set up Nginx IPv6 vhost configs after they're created at https://centminmod.com/faq.html (FYI, I've updated FAQ item 34 recently to address differences for Nginx <=1.3.4 vs >1.3.4 versions).

It's a tricky thing, as every time a web host's IPv6 network connectivity has issues for whatever reason, unsuspecting end users will think it's a Centmin Mod issue rather than their web host's. Not all Centmin Mod users are on official community forums or would report the issue either, so they may just think Centmin Mod is buggy and move on to another stack. So I'd be fielding support for something I would have no control to fix. That's historically why Nginx configs are left to IPv4 only and point folks to IPv6 if they want to enable it - guess I could automate that part or put the listen [::]:80 or listen [::]:443 as a commented out option at least.

rcbarriga commented on June 12, 2024

Thank you for your reply. After doing some tests I found the following:

When you add a host through the menu, the script creates a first dummy config file (/usr/local/nginx/conf/conf.d/domain.com.conf) where the options are listen 80 or listen 443 only, instead of also adding listen [::]:80 or listen [::]:443. Then, when acmetool asks for a LetsEncrypt certificate, the LetsEncrypt server does a verify by fetching a file like https://domain.com/.well-known/acme-challenge/PwhOeYje_H2Y5GzH06qRcwLHiJ0WTCctYkop8dJrEZ4, which contains a key previously requested by the script from the LE API to authenticate the process. But since LE uses IPv6 for http then https, and the dummy template created for domain.com doesn't allow IPv6 on nginx, the process fails.

Perhaps if you just add the listen [::]:80 or listen [::]:443 to the dummy templates used just for the verification, it will work flawlessly, but I'm not sure if this could break something.

From what I've read in the nginx documentation, it's sufficient to specify ipv6only=off in any one of your listen directives once. This could be used in vhost.conf; then you can enable IPv6 support only by uncommenting the line with the listen [::]:443, to keep it safe for all the users, while using it uncommented in the dummy conf file the LE process needs.

These example directives specify both IPv4 and IPv6 explicitly:

listen [::]:443 default_server;
listen 443 default_server;

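The mismatch discussed in this thread (a vhost that listens on IPv4 only while the ACME validation request arrives over IPv6) can be checked before requesting a certificate. The following is an added example, not part of the thread or of Centmin Mod's code; the function names and the sample vhost are constructed for illustration, and the parser assumes one `listen` directive per statement with address forms as documented by nginx.

```python
import re

# Constructed sample: port 80 is IPv4-only, as in the dummy vhost described above;
# the commented-out IPv6 line must not count as a listener.
SAMPLE_VHOST = """
server {
    listen 80;
    # listen [::]:80;
    server_name domain.com;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name domain.com;
}
"""

# Active (uncommented) listen directives only.
LISTEN_RE = re.compile(r"^[ \t]*listen[ \t]+([^;]+);", re.MULTILINE)

def parse_listen(args):
    """Return (families, port) for the arguments of one listen directive."""
    tokens = args.split()
    addr = tokens[0]
    if addr.startswith("unix:"):                  # UNIX socket: no TCP port
        return set(), None
    if addr.startswith("["):                      # IPv6 literal, e.g. [::]:443
        _, sep, port = addr.rpartition("]:")
        families = {"v6"}
        if "ipv6only=off" in tokens[1:]:          # socket also accepts IPv4
            families.add("v4")
        return families, int(port) if sep else 80
    # IPv4 forms: "80", "*:80", "192.0.2.1:80", or a bare address (port 80)
    if addr.isdigit():
        return {"v4"}, int(addr)
    _, sep, port = addr.rpartition(":")
    return {"v4"}, int(port) if sep else 80

def ports_missing_ipv6(conf_text):
    """Ports that have an IPv4 listener but no IPv6 listener."""
    seen = {"v4": set(), "v6": set()}
    for match in LISTEN_RE.finditer(conf_text):
        families, port = parse_listen(match.group(1))
        for family in families:
            seen[family].add(port)
    return sorted(seen["v4"] - seen["v6"])

if __name__ == "__main__":
    print(ports_missing_ipv6(SAMPLE_VHOST))
```

A non-empty result for port 80 on a domain that publishes an AAAA record points to the failure mode described above.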
