Setting up a file_server on my home PC, domain name and IPV6

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

a. System environment:

Ubuntu 20.04.5 LTS

b. Command:

caddy run

c. Service/unit/compose file:

-

d. My complete Caddy config:

localhost {
	file_server
}

www.fhtagn.ch {
	file_server
}

3. The problem I’m having:

I want to access some local web pages on my local machine from the internet. I am trying to do that using IPv6, as the router from my ISP only allows me to set up IPv6 port forwarding. It’s all new to me, so it’s possible I missed some obvious things.
I have a domain name, fhtagn.ch, and I set up a DNS zone pointing to the IP of my PC:

www.fhtagn.ch AAAA 2a02:aa13:4680:f580:901d:7581:e887:4b05  TTL 1 h. 	18.11.22 19:26:29

On my router (Sunrise Connect box 2, switzerland) I added this port forwarding rule:

source  Destination                                Protocol  source port  dest port
All     2A02:AA13:4680:F580:901D:7581:E887:4B05/0  UDP/TCP   443:443      443:443

I also opened port 443 on my PC with UFW:

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
443                        ALLOW IN    Anywhere                  
8096                       ALLOW IN    Anywhere                  
443 (v6)                   ALLOW IN    Anywhere (v6)             
8096 (v6)                  ALLOW IN    Anywhere (v6)    

At this point I can access my index file in a web browser at https://localhost/.
However, I cannot access it from another PC within my LAN (https://192.168.1.103/),
and I cannot access it from outside at https://www.fhtagn.ch.

4. Error messages and/or full log output:

caddy run
2022/11/18 19:28:55.862	INFO	using adjacent Caddyfile
2022/11/18 19:28:55.864	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2022/11/18 19:28:55.864	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2022/11/18 19:28:55.864	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2022/11/18 19:28:55.864	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc000146f50"}
2022/11/18 19:28:55.864	INFO	tls	cleaning storage unit	{"description": "FileStorage:/home/dod/.local/share/caddy"}
2022/11/18 19:28:55.865	INFO	tls	finished cleaning storage units
2022/11/18 19:28:55.877	INFO	pki.ca.local	root certificate is already trusted by system	{"path": "storage:pki/authorities/local/root.crt"}
2022/11/18 19:28:55.877	INFO	http	enabling HTTP/3 listener	{"addr": ":443"}
2022/11/18 19:28:55.877	INFO	http.log	server running	{"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2022/11/18 19:28:55.877	INFO	http.log	server running	{"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2022/11/18 19:28:55.877	INFO	http	enabling automatic TLS certificate management	{"domains": ["kringer.fhtagn.ch", "www.fhtagn.ch", "localhost"]}
2022/11/18 19:28:55.878	WARN	tls	stapling OCSP	{"error": "no OCSP stapling for [localhost]: no OCSP server specified in certificate", "identifiers": ["localhost"]}
2022/11/18 19:28:55.878	INFO	autosaved config (load with --resume flag)	{"file": "/home/dod/.config/caddy/autosave.json"}
2022/11/18 19:28:55.878	INFO	serving initial configuration
2022/11/18 19:28:55.879	INFO	tls.obtain	acquiring lock	{"identifier": "kringer.fhtagn.ch"}
2022/11/18 19:28:55.879	INFO	tls.obtain	acquiring lock	{"identifier": "www.fhtagn.ch"}
2022/11/18 19:28:55.887	INFO	tls.obtain	lock acquired	{"identifier": "www.fhtagn.ch"}
2022/11/18 19:28:55.888	INFO	tls.obtain	obtaining certificate	{"identifier": "www.fhtagn.ch"}
2022/11/18 19:28:55.890	INFO	http	waiting on internal rate limiter	{"identifiers": ["www.fhtagn.ch"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/11/18 19:28:55.890	INFO	http	done waiting on internal rate limiter	{"identifiers": ["www.fhtagn.ch"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/11/18 19:28:55.895	INFO	tls.obtain	lock acquired	{"identifier": "kringer.fhtagn.ch"}
2022/11/18 19:28:55.895	INFO	tls.obtain	obtaining certificate	{"identifier": "kringer.fhtagn.ch"}
2022/11/18 19:28:55.898	INFO	http	waiting on internal rate limiter	{"identifiers": ["kringer.fhtagn.ch"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/11/18 19:28:55.898	INFO	http	done waiting on internal rate limiter	{"identifiers": ["kringer.fhtagn.ch"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/11/18 19:28:57.349	INFO	http.acme_client	trying to solve challenge	{"identifier": "kringer.fhtagn.ch", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/11/18 19:28:57.349	INFO	http.acme_client	trying to solve challenge	{"identifier": "www.fhtagn.ch", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/11/18 19:29:08.410	ERROR	http.acme_client	challenge failed	{"identifier": "www.fhtagn.ch", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Fetching http://www.fhtagn.ch/.well-known/acme-challenge/0k0o0gSUyua4NKMs-knkwV5h7tyWEj9jX7fmVSUjeW8: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}
2022/11/18 19:29:08.410	ERROR	http.acme_client	validating authorization	{"identifier": "www.fhtagn.ch", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Fetching http://www.fhtagn.ch/.well-known/acme-challenge/0k0o0gSUyua4NKMs-knkwV5h7tyWEj9jX7fmVSUjeW8: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/830373487/145301211957", "attempt": 1, "max_attempts": 3}
2022/11/18 19:29:08.410	ERROR	http.acme_client	challenge failed	{"identifier": "kringer.fhtagn.ch", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Fetching http://kringer.fhtagn.ch/.well-known/acme-challenge/WoYoDz9pLHDiN9lL6PfUcHDWc1ZliGbh99gbrT3lrtU: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}
2022/11/18 19:29:08.410	ERROR	http.acme_client	validating authorization	{"identifier": "kringer.fhtagn.ch", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Fetching http://kringer.fhtagn.ch/.well-known/acme-challenge/WoYoDz9pLHDiN9lL6PfUcHDWc1ZliGbh99gbrT3lrtU: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/830373487/145301212047", "attempt": 1, "max_attempts": 3}
2022/11/18 19:29:09.788	INFO	http.acme_client	trying to solve challenge	{"identifier": "www.fhtagn.ch", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/11/18 19:29:09.800	INFO	http.acme_client	trying to solve challenge	{"identifier": "kringer.fhtagn.ch", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/11/18 19:29:20.411	ERROR	http.acme_client	challenge failed	{"identifier": "www.fhtagn.ch", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}
2022/11/18 19:29:20.411	ERROR	http.acme_client	validating authorization	{"identifier": "www.fhtagn.ch", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/830373487/145301293757", "attempt": 2, "max_attempts": 3}
2022/11/18 19:29:20.411	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "www.fhtagn.ch", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:connection - 2a02:aa13:4680:f580:901d:7581:e887:4b05: Timeout during connect (likely firewall problem)"}
2022/11/18 19:29:20.413	INFO	http	waiting on internal rate limiter	{"identifiers": ["www.fhtagn.ch"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2022/11/18 19:29:20.413	INFO	http	done waiting on internal rate limiter	{"identifiers": ["www.fhtagn.ch"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2022/11/18 19:29:20.828	ERROR	http.acme_client	challenge failed	{"identifier": "kringer.fhtagn.ch", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}
2022/11/18 19:29:20.828	ERROR	http.acme_client	validating authorization	{"identifier": "kringer.fhtagn.ch", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "2a02:aa13:4680:f580:901d:7581:e887:4b05: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/830373487/145301293807", "attempt": 2, "max_attempts": 3}
2022/11/18 19:29:20.828	ERROR	tls.obtain	could not get certificate from issuer	{"identifier": "kringer.fhtagn.ch", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:connection - 2a02:aa13:4680:f580:901d:7581:e887:4b05: Timeout during connect (likely firewall problem)"}
2022/11/18 19:29:20.829	INFO	http	waiting on internal rate limiter	{"identifiers": ["kringer.fhtagn.ch"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2022/11/18 19:29:20.829	INFO	http	done waiting on internal rate limiter	{"identifiers": ["kringer.fhtagn.ch"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2022/11/18 19:29:23.768	INFO	http.acme_client	trying to solve challenge	{"identifier": "www.fhtagn.ch", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2022/11/18 19:29:25.249	INFO	http.acme_client	trying to solve challenge	{"identifier": "kringer.fhtagn.ch", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}

5. What I already tried:

Some of the errors above mention a firewall problem; I guess it must be from my router. I’m not sure how I should investigate this. I already forwarded port 443.
It’s not easy to find documentation about an IPv6 setup. As I understand it, since each machine within my LAN has its own unique IPv6 address, the traditional IPv4 WAN → LAN IP forwarding should not be mandatory. But for security reasons I guess my router does not allow incoming traffic by default. I’m not sure if I have to open something more than the port redirection I put in place.

Also, I cannot access the file server from another machine in my LAN. Is there a config I’m missing to allow that?

6. Links to relevant resources:

That’s because you only told Caddy to handle requests for the Host localhost and www.fhtagn.ch. You haven’t told Caddy to serve requests by IP address.

You could do that, but it would still use Caddy’s internal CA to issue certificates, so you’d need to install Caddy’s root CA cert to each machine in your local network that would need to connect.

An alternate approach is to run a DNS server in your local network that resolves your domain to your LAN IP for devices inside your network, and ones outside would still use your WAN IP.

You need to allow incoming connections on port 80 to solve the ACME HTTP challenge.

Even HTTPS connections are failing though, so there’s a networking problem between Let’s Encrypt and your Caddy server. You’ll need to figure out that issue.

2 Likes
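One way to do what the reply describes, serving the same files on the LAN address with Caddy’s internal CA, as an added example that is not the poster’s or the reply author’s config; the site root /srv/www is a placeholder and 192.168.1.103 is the LAN address from the question:

```caddyfile
# Added example, not the poster's config. Assumes the site root is /srv/www
# (a placeholder) and the LAN address 192.168.1.103 from the question.

# Public name: Caddy tries the ACME http-01 challenge on port 80 and
# tls-alpn-01 on port 443, so at least one of those must be reachable on
# this host from the internet (the log shows both timing out).
www.fhtagn.ch {
	root * /srv/www
	file_server
}

# LAN address: a public CA will not issue a certificate for a private IP,
# so Caddy uses its internal CA. Each LAN client must trust Caddy's root
# certificate (storage:pki/authorities/local/root.crt, as in the log) or
# the browser will warn about the connection.
https://192.168.1.103 {
	tls internal
	root * /srv/www
	file_server
}
```

The LAN block only works for clients that reach the machine by that IP; a client that uses the domain name still resolves to the public AAAA record unless a local DNS override is in place, as the reply notes.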

as the router from my ISP only allows me to set up IPv6 port forwarding.

Is this for real? Do you live in China or Russia?

Ok, I found out how to do that, it’s working now. Thanks

OK, I opened it on UFW; now I have to open it on the router. Apparently the port filtering feature does not work at all. All I can do is disable the router’s firewall entirely, and I don’t think that’s a good solution.
After reading some posts on my ISP support forum, they have this “dumbed down” interface for most users, and they can activate a real advanced interface with IPv4 features if the client asks them about it. I sent a request for this; I’ll have to wait until Monday.

1 Like