After successfully installing Nextcloud on my Raspberry Pi and accessing it locally, I have some issues configuring my Apache2 web server for access from outside.
My internet provider is Vodafone and only DS-Lite is available. So I read that everything must be configured via IPv6.
I have registered a public domain via No-IP and entered my IPv6 address. I have also extended the sites-available configuration:
<VirtualHost [::]:80>
    ServerAdmin xx
    ServerName xx
    ServerAlias xx
    DocumentRoot /var/www/html
    <Directory "/var/www/html">
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/xx.log
    CustomLog ${APACHE_LOG_DIR}/xx.log combined
</VirtualHost>
Is Apache really reachable from outside? That means the port configuration in the FritzBox is important. Instead of using certbot, try to use mod_md (mod_md - Apache HTTP Server Version 2.4) to get a valid certificate.
If the hostname already translates to the correct IPv6 address, you can try from outside your network to reach the HTTP address (since you have configured port 80 as well).
What does "hostname translates to the correct IPv6 address" mean? How do I check that?
Sorry for these stupid questions, but I am pretty new to this topic. I have read a lot, but it is not really clear to me.
Don't worry, we all started from scratch too. It's a learning process and it may seem daunting at first. Just don't give up and don't hesitate to ask.
Here are some docs you should take a look at;
especially the part about: CG-NAT (Carrier Grade Network Address Translation), commonly known as DS-Lite (Dual Stack Lite), offered by many service providers will technically not provide a public IPv4 address.
From a host outside your network, you can use host mydomain.example.com or nslookup mydomain.example.com (Windows), and it should show your IPv6 address.
If that is correct, you can try to establish a connection: curl -v http://mydomain.example.com (Linux, or Windows PowerShell)
This should not result in a timeout; it should give you either a status 200 or some 30x (redirect).
If you get a timeout, then there is likely a problem with the firewall settings of your FritzBox. For IPv6 you don't need port forwarding (you don't forward something from the Fritz's IP address; on IPv6 the device has its own IPv6 address), so it should rather be the IPv6 firewall settings. You could expose the whole host or just allow connections on ports 443/80.
Double check if rebind_protection prevents internal access. If this is the case, external access should work if port forwarding is set up right. I have no reference for an IPv6-only setup… but for dual-stack the port forwarding dialog looks different, explicitly showing which protocol is used for a specific share (maybe this separation doesn't exist when only one protocol is active), similar to here:
Review topics tagged fritzbox and ipv6; maybe you'll find useful hints.
How should the files /etc/hosts, /etc/hostname and /etc/resolv.conf look compared to the IPv6 address entered in the No-IP configuration? Because currently the IP is not the same. Should it be like this?
First of all I would check your DNS settings.
What do you get at https://mxtoolbox.com?
Insert aaaa:yourdomain.com and see what IPv6 you get.
Your Firewall config looks ok.
Maybe check the IPv6 Interface-ID.
I am assuming that Raspberry Pi OS uses the same network logic as Ubuntu (not sure if that is true).
So there should be 3 IPv6 addresses.
The first one is a privacy-extension-enabled IPv6 address that is NOT static.
The second one should be static.
The third one should be link-local, which we cannot use outside our home network.
Check that your second IPv6 address is what you get from mxtoolbox.com and what you have in your FritzBox firewall rule.
OK, that helped a bit.
wlan0 showed another IPv6 address compared to the No-IP settings. After changing the IP at No-IP, I receive the message "This is not a secure connection" when opening the website, so one step further.
But in the FritzBox settings the IPv6 Interface ID is different; it is similar to the second obal> value. Do I have to change something in the FritzBox?
When trying to get the certificate with "sudo certbot -v --apache -d domain", I always get the message:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for "domain"
Performing the following challenges:
http-01 challenge for "domain"
Waiting for verification...
Challenge failed for domain "domain"
http-01 challenge for "domain"
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: "domain"
Type: connection
Detail: "Ipv6": Fetching http://"domain"/.well-known/acme-challenge/aG-sCW_QZlhjUcbl_1nj5x530Cq_Sba5WdxEegFmxQ8: Error getting validation data
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Cleaning up challenges
Some challenges have failed.
Did you use the second IPv6 address? The first IPv6 address will change if privacy extensions are enabled, and then you break the connection again.
Since your ISP should give you a static /56 or /48 prefix, you could also just manually assign an IP in that prefix.
For example, if your /56 prefix is 2402:9400:1234:12XX::/56 (ask your ISP about your static prefix),
you could use 2402:9400:1234:1200::2 as your static IPv6 address for your server. Or 2402:9400:1234:1255::2000, or whatever.
My guess would be that you reached the web server locally but not from remote, since you have the wrong IPv6 address in the FritzBox.
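The three checks the replies above describe (which of the interface's IPv6 addresses is the stable global one versus the rotating privacy-extension or link-local one, whether the AAAA record published at the DDNS provider matches that stable address, and whether a manually chosen static address lies inside the ISP's delegated prefix) can be done in one small script. The following is an added example written for this thread, not code from any of the posters or from Nextcloud. The `ip -6 addr` sample output, the function names and the AAAA answers are constructed for the example; the prefix 2402:9400:1234:1200::/56 is the placeholder prefix from the reply above, not a real allocation of anyone here.

```python
import ipaddress
import re
import socket
import subprocess
import sys

# Constructed sample of `ip -6 addr show dev wlan0` output (not real output from
# the thread): a temporary privacy-extension address, a stable global address,
# and a link-local address, in the order the reply above describes.
SAMPLE_IP_OUTPUT = """\
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2402:9400:1234:1200:a1b2:c3d4:e5f6:0789/64 scope global temporary dynamic
       valid_lft 86399sec preferred_lft 14399sec
    inet6 2402:9400:1234:1200:1a2b:3c4d:5e6f:7a8b/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::1a2b:3c4d:5e6f:7a8b/64 scope link
       valid_lft forever preferred_lft forever
"""

# Matches the "inet6 <addr>/<len> scope <scope> <flags...>" lines of `ip -6 addr`.
INET6_LINE = re.compile(r"^\s*inet6\s+(\S+)/\d+\s+scope\s+(\w+)(.*)$")


def classify_addresses(ip_output: str) -> dict:
    """Sort the interface's IPv6 addresses into the three kinds named above:
    temporary (privacy extension, rotates), stable global (the one to publish),
    and link-local (never reachable from the internet)."""
    kinds = {"temporary": [], "stable": [], "link_local": []}
    for line in ip_output.splitlines():
        m = INET6_LINE.match(line)
        if not m:
            continue
        addr, scope, flags = ipaddress.IPv6Address(m.group(1)), m.group(2), m.group(3).split()
        if scope == "link" or addr.is_link_local:
            kinds["link_local"].append(addr)
        elif scope == "global" and "temporary" in flags:
            kinds["temporary"].append(addr)
        elif scope == "global":
            kinds["stable"].append(addr)
    return kinds


def published_address_matches(aaaa_answer: str, kinds: dict) -> tuple:
    """Compare the AAAA record the DDNS provider serves with the interface
    addresses. Returns (ok, reason); only the stable global address is ok."""
    addr = ipaddress.IPv6Address(aaaa_answer)
    if addr in kinds["stable"]:
        return True, "AAAA record points at the stable global address"
    if addr in kinds["temporary"]:
        return False, "AAAA record points at a temporary (privacy-extension) address that will rotate"
    if addr in kinds["link_local"]:
        return False, "AAAA record points at a link-local address, unreachable from outside"
    return False, "AAAA record does not match any address on this interface"


def pick_static_address(delegated_prefix: str, subnet_index: int, host_id: int) -> ipaddress.IPv6Address:
    """Build a static address inside the ISP's delegated prefix: take the
    subnet_index-th /64 of the prefix and host_id within it. With the placeholder
    prefix 2402:9400:1234:1200::/56, (0, 2) gives 2402:9400:1234:1200::2 and
    (0x55, 0x2000) gives 2402:9400:1234:1255::2000, the two addresses the reply names."""
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if net.prefixlen > 64:
        raise ValueError("need a /64 or shorter prefix to carve a /64 subnet from")
    if not 0 <= subnet_index < 2 ** (64 - net.prefixlen):
        raise ValueError("subnet_index lies outside the delegated prefix")
    if not 1 <= host_id < 2 ** 64:
        raise ValueError("host_id must fit in the 64-bit interface identifier")
    subnet = ipaddress.IPv6Network((int(net.network_address) + (subnet_index << 64), 64))
    return subnet.network_address + host_id


def address_in_prefix(address: str, delegated_prefix: str) -> bool:
    """True if the address you plan to publish lies inside the prefix the ISP routes to you."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(delegated_prefix, strict=False)


if __name__ == "__main__":
    # Live mode on the Pi itself: `python3 check_v6.py mydomain.example.com wlan0`
    # reads the real interface and resolves the real AAAA record(s) of the domain.
    domain, iface = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "wlan0")
    ip_out = subprocess.run(["ip", "-6", "addr", "show", "dev", iface],
                            capture_output=True, text=True, check=True).stdout
    kinds = classify_addresses(ip_out)
    for kind, addrs in kinds.items():
        print(f"{kind:10s} {', '.join(map(str, addrs)) or '-'}")
    for info in socket.getaddrinfo(domain, None, socket.AF_INET6):
        ok, reason = published_address_matches(info[4][0], kinds)
        print(f"AAAA {info[4][0]}: {'OK' if ok else 'PROBLEM'} - {reason}")
```

Run on the Raspberry Pi with the domain registered at No-IP as the first argument; a "PROBLEM" line for the temporary address is exactly the situation described above, where the published address rotates and the connection breaks again. The firewall rule in the FritzBox should reference the same stable address the script reports, and if you assign a static address yourself, pick_static_address keeps it inside the prefix the ISP actually routes to you.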