BUG? 24.11 ACME IPV6 cloudflare issues, ipv4 not respected?
-
Had my first renewal attempt (<30 days remaining) since upgrading to 24.11.
Using Cloudflare DNS with the token API for TXT record validation. In the Cloudflare dashboard, under user API tokens, the token used by pfSense/acme has "CLIENT IP ADDRESS FILTERING" enabled. Effectively only certain IPs are valid for this token.
The attempt failed because only the IPv4 address is whitelisted. pfSense acme made the connection to api.cloudflare.com using IPv6.
Running curl within the pf shell shows the following. It appears to prefer IPv6 over IPv4 by default. I'm not sure whether this is a change in curl behavior or in acme, or whether the setting below (prefer IPv4) is not being applied.
In pf, under System/Advanced/Networking, "Prefer IPv4 over IPv6" is checked. Is acme not validating this setting?
For now, as a workaround, I've whitelisted the IPv6 prefix. However, my IPs are semi-static and do change periodically. Normally I just update the new IP in the several places that need updating when that happens.
curl -v https://api.cloudflare.com
* Host api.cloudflare.com:443 was resolved.
* IPv6: 2606:4700:300a::6813:c0af, 2606:4700:300a::6813:c0ae, 2606:4700:300a::6813:c11d, 2606:4700:300a::6813:c0b0, 2606:4700:300a::6813:c01d, 2606:4700:300a::6813:c0b1
* IPv4: 104.19.192.177, 104.19.192.176, 104.19.193.29, 104.19.192.175, 104.19.192.29, 104.19.192.174
*   Trying [2606:4700:300a::6813:c0af]:443...

EDIT
I could just add "-4" to line 1878 of https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-acme/files/usr/local/pkg/acme/acme.sh .
This would be the less elegant solution. Thinking more about this, it's possible the previous acme/24.03 didn't encounter this issue because of the way DNS presented the IPs and the IPv4 address was chosen first.
Should prefer ipv4 apply to acme?
-
@GPz1100 I ran into this same exact issue. I don't have the Prefer IPv4 over IPv6 box checked, but I do have IPv6 enabled.
I think the real issue is that Let's Encrypt's server seems to respond with "Recv failure: Connection reset by peer" on almost every request when using IPv6. I tested this by using the command
curl -v https://acme-v02.api.letsencrypt.org/directory
from pfSense's shell. To work around it, I modified the ACME script as you described. In the file
/usr/local/pkg/acme/acme.sh, I updated line 1887 from:
_ACME_CURL="curl --silent --dump-header $HTTP_HEADER "
to:
_ACME_CURL="curl -4 --silent --dump-header $HTTP_HEADER "
After forcing curl to use IPv4, both certificate registration and renewal from the acme package started working again without issue.
-
@agitelzon I have no issue connecting to LE servers from the pf shell. The issue is that the Cloudflare security setting is configured as a whitelist for API zone record changes. The whitelist includes my IPv4 address only, as a /32. As I mentioned, I could add the IPv6 prefix as a /64. Given that pf is configured to prefer IPv4, I thought that would carry over to acme as well.
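The two things the thread turns on, as an added example that is not code from pfSense, Netgate or acme.sh: first, a check that reads `curl -v` output and reports which address family curl actually tried first (the bracketed literal on curl's "Trying" line is what distinguishes IPv6 from IPv4); second, the `-4` workaround from the posts above (`-4` is curl's `--ipv4` option) applied to the `_ACME_CURL=` line in a way that keeps a backup and refuses to patch twice. The curl transcripts and the stand-in acme.sh file are constructed samples written by the function names `curl_family_from_verbose`, `write_sample_acme_sh`, `acme_curl_line` and `force_curl_ipv4`, all of which are assumptions of this example; the `_ACME_CURL=` line itself is copied from the thread. Bear in mind that a package reinstall or upgrade replaces files under /usr/local/pkg, so the patch has to be reapplied afterwards.

```shell
#!/bin/sh
# Added example for the thread above; not code from pfSense, Netgate or acme.sh.
#   curl_family_from_verbose  - tell from `curl -v` output which address family
#                               curl tried first (the symptom in the thread).
#   force_curl_ipv4           - apply the thread's workaround (insert -4 after
#                               "curl" on the _ACME_CURL= line) to a copy of
#                               acme.sh, keeping a backup and refusing to
#                               double-patch.
# All file contents and curl transcripts below are constructed samples.

# Constructed `curl -v` transcripts, abridged from the output quoted in the thread.
SAMPLE_CURL_V6='* Host api.cloudflare.com:443 was resolved.
* IPv6: 2606:4700:300a::6813:c0af, 2606:4700:300a::6813:c0ae
* IPv4: 104.19.192.177, 104.19.192.176
*   Trying [2606:4700:300a::6813:c0af]:443...
* Connected to api.cloudflare.com (2606:4700:300a::6813:c0af) port 443'

SAMPLE_CURL_V4='* Host api.cloudflare.com:443 was resolved.
* IPv4: 104.19.192.177, 104.19.192.176
*   Trying 104.19.192.177:443...
* Connected to api.cloudflare.com (104.19.192.177) port 443'

# Print ipv6, ipv4 or unknown. curl brackets IPv6 literals on its "Trying" line
# ("Trying [2606:...]:443"), so the bracket is the discriminator; a dotted quad
# after "Trying" means IPv4. Only the first attempt is classified.
curl_family_from_verbose() {
  printf '%s\n' "$1" | awk '
    /Trying/ && !done {
      done = 1
      if (index($0, "Trying [") > 0) fam = "ipv6"
      else if ($0 ~ /Trying [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) fam = "ipv4"
      else fam = "unknown"
    }
    END { print (done ? fam : "unknown") }'
}

# Write a constructed stand-in for /usr/local/pkg/acme/acme.sh to $1.
# Only the _ACME_CURL= line matters; it is the line quoted in the thread.
write_sample_acme_sh() {
  cat > "$1" <<'EOF'
#!/usr/bin/env sh
# constructed stand-in, not the real acme.sh
HTTP_HEADER="$LE_CONFIG_HOME/http.header"
_ACME_CURL="curl --silent --dump-header $HTTP_HEADER "
EOF
}

# Print the current _ACME_CURL= line of file $1.
acme_curl_line() {
  grep '^_ACME_CURL=' "$1"
}

# Insert -4 (curl's --ipv4) right after "curl" on the _ACME_CURL= line of $1.
# Prints "patched" or "already patched"; fails if the line is not present.
# The original is kept at $1.orig. sed writes to a temp file rather than
# using -i, because -i behaves differently on FreeBSD and GNU sed.
force_curl_ipv4() {
  f="$1"
  if grep -q '^_ACME_CURL="curl -4 ' "$f"; then
    echo "already patched"
    return 0
  fi
  if ! grep -q '^_ACME_CURL="curl ' "$f"; then
    echo "no _ACME_CURL= line found in $f" >&2
    return 1
  fi
  cp "$f" "$f.orig" || return 1
  sed 's/^_ACME_CURL="curl /_ACME_CURL="curl -4 /' "$f" > "$f.tmp" && mv "$f.tmp" "$f" || return 1
  echo "patched"
}

# Demo run on the constructed samples.
echo "first attempt in sample 1: $(curl_family_from_verbose "$SAMPLE_CURL_V6")"  # ipv6
echo "first attempt in sample 2: $(curl_family_from_verbose "$SAMPLE_CURL_V4")"  # ipv4
demo=$(mktemp)
write_sample_acme_sh "$demo"
force_curl_ipv4 "$demo"   # patched
force_curl_ipv4 "$demo"   # already patched
acme_curl_line "$demo"    # _ACME_CURL="curl -4 --silent --dump-header $HTTP_HEADER "
rm -f "$demo" "$demo.orig"
```

On a real box, run `curl -v https://api.cloudflare.com 2>&1 | ...` through `curl_family_from_verbose` before and after the change to confirm the renewal path now leaves from the whitelisted IPv4 address; the check is independent of whether the Cloudflare token filter or the Let's Encrypt reset is the thing that breaks.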