IPv6 Best Practice? Any Guide?

Hello all

Nextcloud and NextcloudPi are great projects and was already able to set it up with IPv4 and DuckDNS (DynDNS) on my RPi 4.

But I can’t find anywhere any guide for setup with IPv6. I have searched all sites. Also, the whole admin console is set up for IPv4.

Is there a best practice for dealing with IPv6? How do I make sure the Let’s Encrypt service renews the certificates automatically without IPv4 and port forwarding?

As a computer scientist I knew approximately that I could read out the assigned IPv6 IP addresses via SSH on the RPi and could then access it that way. DynDNS may be bypassed thanks to fixed IPv6 and so I made a AAAA entry in my DNS Zone at the domain registrar.

I can access it via PC browser, but not via mobile browser and do not have a valid certificate yet. I have added the domain as a trusted domain.

I’m not done yet though, as you can see. Can you please make an IPv6 best practice guide somewhere that could also serve beginners?

Best thanks and greetings


The certificate is based on the hostname. So it will be validated only once against your hostname (either ipv4 or ipv6). Normally if you add ipv6 later, it should work without reissuing a certificate.

For ipv6, you have to make sure that packages are forwarded by the router and not blocked by a firewall. So first step would be to try to ping you ipv6 from outside of your network.

Sorry, that’s not nearly enough. But thank you.

Do I need to add trusted domains? What if the certificate expires? There is no IPv6 address on the admin console.
Any NextcloudPi IPv6 documentation anywhere??

You can use the same hostname/domain for ip4 AND ip6. Therefore you can use the same certificate for both. Same applies for trusted domains…

Thank you very much. So everything as with IPv4. Not possible to abandon IPv4.


Looks like it still needs an A Record for Let’s Encrypt service. I have entered that at the domain registrar, and that now goes a few hours until available (tomorrow then, now is time to sleep anyway).

  1. other best practice question: if for some reason I need to reinstall NCP on RPi, should I quickly backup the data from the HD beforehand via NC windows client/program? There are also good open source tools that can read Linux partition.
    (If you reinstall Windows, you will also be asked which partitions you want to delete and which not).

  2. do I need a TXT record at the domain registrar for anything? Or otherwise:
    For IPv6: AAAA/A records only, Port Forwarding (for Let’s Encrypt), Trusted Domain entry, is there anything else? (I don’t need DynDNS, do I? In case of automatic certificate renewal, I can add the temporary IPv4 address as A record in the DNS zone).

Again, thank you very much.

Let’s encrypt has finished full ipv6 support some time ago, dual stack seems to be no problem. Question is ipv6 only, but some report it to be working (https://forum.proxmox.com/threads/lets-encrypt-doesnt-work-on-a-domain-name-ipv6-only.87655/#post-387972). Ideally, just the AAAA record should be ok. I am not sure if that also depends on the certbot if they bind to ipv6 as well. I’d try that first before going through TXT entries.

Dear people

It still does not work. Do I really need IPv4 for Let’s Encrypt service? But ok, I now have both: A and AAAA records at the domain registrar. No DynDNS! As domain I use top-, and second-level domain, like MyGarden.cloud


Any idea? Firewall is completely open. Should I reinstall NCP from the beginning with a new domain?

Trusted Domains Entries:


Thx in advance

question is where the .well-known folder is and if the challenge file is placed properly. Either it’s in the Nextcloud document root or in the webserver config there is a different location specified. Someone who knows NCP better can perhaps help.

One quick thing though, if you check your webserver logs, you can see if there is a permission problem or if it is just file not found.