Hi,
I normally use the certbot implementation's DNS challenge to get my certificates installed/renewed on my servers interactively, as unfortunately my registrar (strato.de) doesn't offer a DNS API.
This doesn't work for my Home Assistant installation (installed in a virtual machine with IPv4 and IPv6), therefore I tried to use the HTTP challenge. For this to work I need to redirect port 80 from WAN to the VM.
I set up the following firewall redirect (tested both the IPv4 and the IPv6 version, with the same results below):
config redirect
	option name 'WAN-access for HA letsencrypt'
	option target 'DNAT'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip 'IPv4'
	# option dest_ip 'IPv6'
	option dest_port '80'
	list proto 'tcp'
	# option family 'ipv6'
	option enabled '1'
And I added a DDNS job for updating my native IPv6 (my IPv4 is only NATed) for my domain <my.tld>.
But unfortunately this doesn't work; I always get the following error log in Home Assistant when trying to issue a certificate:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: <my.tld>
  Type:   connection
  Detail: <correct external IPv6>: Fetching http://<my.tld>/.well-known/acme-challenge/7tqKEqwIm49FUyw1jylooMAscB6Kuxj59pJ9fifj8kU: Connection refused
I think this is some IPv4/IPv6 problem, but I cannot figure out what exactly to look for.
What I have tested until now:
- I can ping my router's IPv6 and the IPv6 of the Home Assistant VM from outside without issues.
- I can ping <my.tld> without issues (and get the <correct external IPv6> displayed).
- I can access the Home Assistant web server by IPv4 and IPv6 from the LAN.
- When changing the above redirect from port 80 to port 8123, I can access the Home Assistant installation neither via http://[correct external IPv6]:8123 nor via http://<my.tld>:8123.
- When adding a really simple rule like
config rule
	option target 'ACCEPT'
	option name 'luci WAN-Test'
	option src 'wan'
	option proto 'tcp'
	option dest_port '443'
I cannot access my LuCI/reForis from outside. This worked without issues with my former provider, which offered both public IPv4 and IPv6.
Any idea?
BR,
ssdnvv
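Added example, not part of the original post or of certbot/Home Assistant: the CA's error names the IPv6 address, so the first thing to establish is whether port 80 is reachable over each address family on its own rather than letting the resolver pick. The probe below fetches the ACME challenge path over IPv4 only and over IPv6 only and classifies the outcome (open, refused, timeout, unreachable, no record). The stub listener is a constructed stand-in for certbot's standalone authenticator and is bound to 127.0.0.1 only, so the offline demo reproduces the post's symptom: IPv4 answers, IPv6 is refused. Hostnames, ports and the token are assumptions for illustration.

```python
import errno
import socket
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH_PREFIX = "/.well-known/acme-challenge/"
IPV4 = socket.AF_INET
IPV6 = socket.AF_INET6


def _read_status_line(sock):
    """Read until the end of the HTTP status line (or EOF) and return it."""
    buf = b""
    while b"\r\n" not in buf and len(buf) < 512:
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
    return buf.split(b"\r\n", 1)[0].decode("ascii", errors="replace")


def probe_acme_path(host, port, family, token="probe", timeout=3.0):
    """Fetch the ACME challenge path over ONE address family.

    Returns "open:<status line>", "refused", "timeout", "unreachable",
    "no-address" (no A/AAAA record for that family) or "error:<errno>".
    """
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return "no-address"
    if not infos:
        return "no-address"
    af, socktype, proto, _, sockaddr = infos[0]
    sock = None
    try:
        sock = socket.socket(af, socktype, proto)  # may fail if the stack is absent
        sock.settimeout(timeout)
        sock.connect(sockaddr)
        host_hdr = "[%s]" % host if ":" in host else host
        request = ("GET %s%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
                   % (ACME_PATH_PREFIX, token, host_hdr))
        sock.sendall(request.encode("ascii"))
        return "open:" + _read_status_line(sock)
    except ConnectionRefusedError:
        return "refused"          # reachable host, nothing listening / not forwarded
    except socket.timeout:
        return "timeout"          # packets dropped (filtered) somewhere on the path
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH, errno.EADDRNOTAVAIL):
            return "unreachable"  # no route / no address for this family
        return "error:%s" % exc.errno
    finally:
        if sock is not None:
            sock.close()


def check_both_families(host, port=80, token="probe"):
    """Probe once per family. Let's Encrypt tries the AAAA record when one
    exists, so a working IPv4 path does not help if IPv6 is refused."""
    return {
        "ipv4": probe_acme_path(host, port, IPV4, token),
        "ipv6": probe_acme_path(host, port, IPV6, token),
    }


class _StubAcmeHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for certbot's standalone authenticator: answers
    200 with the token for any path under /.well-known/acme-challenge/."""

    def do_GET(self):
        if self.path.startswith(ACME_PATH_PREFIX):
            body = self.path[len(ACME_PATH_PREFIX):].encode("ascii", errors="replace")
            self.send_response(200)
        else:
            body = b"not found"
            self.send_response(404)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_stub_listener(bind_addr="127.0.0.1", port=0):
    """Start the stub on an IPv4 address (default: loopback, random port)
    in a background thread and return (server, bound_port)."""
    server = HTTPServer((bind_addr, port), _StubAcmeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real check from outside the LAN: python3 acme_probe.py my.example.tld [port]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        for fam, result in check_both_families(sys.argv[1], target_port).items():
            print("%s: %s" % (fam, result))
    else:
        # Offline demo: listener on 127.0.0.1 only, so IPv6 (::1) is refused.
        server, p = start_stub_listener()
        print("ipv4:", probe_acme_path("127.0.0.1", p, IPV4))
        print("ipv6:", probe_acme_path("::1", p, IPV6))
        server.shutdown()
```

Run it from a host outside your own network (a VPS, a phone on mobile data) against the real name; "open" on ipv4 together with "refused" or "timeout" on ipv6 means the AAAA record points at an address where nothing accepts port 80, which is exactly the situation the CA reported.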