
acme should also be able to listen on IPv6 addresses
Open, Low, Public, FEATURE REQUEST

Description

Hello all

I built sagitta-epa2 from the sources a couple of weeks ago (when it still worked). While testing acme I noticed that it is not possible to listen on the IPv6 address of my router. There are fixed addresses configured for IPv4 and IPv6.

manuel@fe73651# set pki certificate my-test-cert acme listen-address 
Possible completions:
   <x.x.x.x>            IPv4 address to listen for incoming connections
   10.0.0.25            
   10.0.0.9             
   10.13.0.1            
   10.13.0.3            
   10.13.0.6            
   10.49.5.1            
   10.49.6.1            
   10.49.7.254          
   127.0.0.1            
   93.90.xx.xx

[edit]
manuel@fe73651# run show interfaces ethernet eth0 brief 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             93.90.xxx.xx/32                   u/u  ionos-uplink
                 2001:xxxx:xxxx:337::1/64                
[edit]
manuel@fe73651#
manuel@fe73651# show interfaces ethernet eth0 
 address 93.xx.xxx.89/32
 address 2001:xxxx:xxxx:337::1/64
 description ionos-uplink
 hw-id 00:50:56:1d:xx:xx
 ipv6 {
     address {
     }
     dup-addr-detect-transmits 1
 }
[edit]
manuel@fe73651#

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Improvement (missing useful functionality)

Event Timeline

syncer triaged this task as Low priority.

Can you manually edit the node and re-check if it will work for acme?

sudo nano -c /opt/vyatta/share/vyatta-cfg/templates/pki/certificate/node.tag/acme/listen-address/node.def

replace:

type: txt
help: Local IPv4 addresses to listen on
val_help: ipv4; IPv4 address to listen for incoming connections
allowed: sh -c "${vyos_completion_dir}/list_local_ips.sh --ipv4"
syntax:expression: exec "${vyos_libexec_dir}/validate-value  --exec \"${vyos_validators_dir}/ipv4-address \"  --value \'$VAR(@)\'"; "Invalid value"

with:

type: txt
help: Local IPv4 addresses to listen on
val_help: ipv4; IPv4 address to listen for incoming connections

And try to configure IPv6, but it still needs to be checked whether it will really work for acme.
I haven't worked with it.
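The template edit above simply drops the IPv4-only validator so the CLI stops rejecting an IPv6 value. The check below is an added example (not VyOS's own validator or completion code) of what a combined IPv4/IPv6 listen-address validation would look like: it accepts either address family, refuses prefix lengths, zone ids, unspecified and multicast addresses, and confirms the value is actually configured locally. The list of local addresses and the function names are assumptions made for this example; the sample addresses are constructed from documentation prefixes in place of the masked ones in the task.

```python
"""Added example: an IPv4-or-IPv6 listen-address check (not VyOS code)."""
import ipaddress

# Constructed sample of locally configured addresses, modelled on the
# "show interfaces ethernet eth0 brief" output above. Masked octets are
# replaced with documentation prefixes (192.0.2.0/24, 2001:db8::/32).
LOCAL_ADDRESSES = [
    "10.0.0.25/24",
    "127.0.0.1/8",
    "192.0.2.89/32",
    "2001:db8:1:337::1/64",
]


def local_host_addresses(cidr_list):
    """Return the set of host addresses (prefix length stripped) from the
    CIDR strings VyOS prints for interface addresses."""
    hosts = set()
    for cidr in cidr_list:
        iface = ipaddress.ip_interface(cidr)
        hosts.add(iface.ip)
    return hosts


def validate_listen_address(value, local_cidrs=LOCAL_ADDRESSES):
    """Validate an ACME listen-address value for either address family.

    Returns (ok, message). ok is True only when value parses as a bare
    IPv4 or IPv6 address (no prefix length, no zone id), is a usable
    unicast address, and is configured on a local interface.
    """
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False, f"Invalid value: {value!r} is not an IPv4 or IPv6 address"
    # Python >= 3.9 parses "fe80::1%eth0" into an address with a scope id;
    # a listen-address should be written without one.
    if getattr(addr, "scope_id", None) is not None:
        return False, f"Invalid value: {value!r} carries a zone id"
    if addr.is_multicast or addr.is_unspecified:
        return False, f"Invalid value: {addr} cannot be used as a listen address"
    if addr not in local_host_addresses(local_cidrs):
        return False, f"Invalid value: {addr} is not configured on any interface"
    return True, f"OK: IPv{addr.version} listen address {addr}"


if __name__ == "__main__":
    # Walk through the kinds of input the CLI could be handed.
    for candidate in ["10.0.0.25", "2001:db8:1:337::1", "2001:db8:1:337::2",
                      "10.0.0.25/24", "fe80::1%eth0", "::", "not-an-ip"]:
        ok, msg = validate_listen_address(candidate)
        print(f"{candidate:>22}  ->  {msg}")
```

In a node.def this kind of check would sit behind syntax:expression in place of the ipv4-address-only validator, with a second val_help line for IPv6; the exact helper names and flags the completion script takes for IPv6 are not shown in the task, so they are not assumed here.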

It seems to work, basically.

manuel@fe73651:~$ configure 
[edit]
manuel@fe73651# sudo host vyosacmev6.dnshome.de
vyosacmev6.dnshome.de has IPv6 address 2001:xxx:xxxx:337::1
[edit]

manuel@fe73651# set pki  certificate vyosacmev6 acme domain-name vyosacmev6.dnshome.de 
Possible completions:
  <Enter>	Execute the current command
[edit]
manuel@fe73651# set pki  certificate vyosacmev6 acme domain-name vyosacmev6.dnshome.de 
[edit]
manuel@fe73651# set pki  certificate vyosacmev6 acme email [email protected]
[edit]
manuel@fe73651# set pki  certificate vyosacmev6 acme listen-address 2001:xxx:xxxx:337::1
[edit]
manuel@fe73651# set pki  certificate vyosacmev6 acme url https://acme-staging-v02.api.letsencrypt.org/directory
[edit]
manuel@fe73651# show pki certificate mvr01-srvdns 
 acme {
     domain-name mvr01.srvdns.de
     email [email protected]
     listen-address 2001:xxx:xxxxx:337::1
     rsa-key-size 4096
     url https://acme-staging-v02.api.letsencrypt.org/directory
 }
[edit]
manuel@fe73651# compare 
[pki certificate]
+ vyosacmev6 {
+     acme {
+         domain-name "vyosacmev6.dnshome.de"
+         email "[email protected]"
+         listen-address "2001:xxx:xxxx:337::1"
+         url "https://acme-staging-v02.api.letsencrypt.org/directory"
+     }
+ }

[edit]
manuel@fe73651# 
[edit]
manuel@fe73651# commit
[edit]

manuel@fe73651# run show pki certificate vyosacmev6 pem 
-----BEGIN CERTIFICATE-----
MIIFMjCCBBqgAwIBAgISK5MpHvpX1iVKFiX6OMpy6BYeMA0GCSqGSIb3DQEBCwUA
MFoxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExcoU1RBR0lORykgTGV0J3MgRW5jcnlw
dDEpMCcGA1UEAxMgKFNUQUdJTkcpIENvdW50ZXJmZWl0IENhc2hldyBSMTAwHhcN
.... cut ;-)
[edit]
manuel@fe73651#

The Certbot log also seems fine to me.

[attachment F4319314]

dmbaturin added a subscriber: Viacheslav.