IPv6 only, can't connect to itself

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 29.0.5): 29.0.2 (Nextcloud AIO v9.0.1)
Operating system and version (eg, Ubuntu 29.04): Arch
Apache or nginx version (eg, Apache 2.4.25): AIO
PHP version (eg, 8.3): AIO

The issue you are facing:

With only AAAA records pointing to my server, administration / overview shows

    Could not check that the data directory is protected. Please check manually that your server does not allow access to the data directory. To allow this check to run you have to make sure that your webserver can connect to itself. Therefor it must be able to resolve and connect to at least one its `trusted_domains` or the `overwrite.cli.url`.
    Your webserver is not set up to serve `.js.map` files. Without these files, JavaScript Source Maps won't function properly, making it more challenging to troubleshoot and debug any issues that may arise.
    Could not check for JavaScript support via any of your `trusted_domains` nor `overwrite.cli.url`. This may be the result of a server-side DNS mismatch or outbound firewall rule. Please check manually if your webserver serves `.mjs` files using the JavaScript MIME type. To allow this check to run you have to make sure that your webserver can connect to itself. Therefor it must be able to resolve and connect to at least one its `trusted_domains` or the `overwrite.cli.url`.
    Could not check if your web server properly resolves the OCM and OCS provider URLs. To allow this check to run you have to make sure that your webserver can connect to itself. Therefor it must be able to resolve and connect to at least one its `trusted_domains` or the `overwrite.cli.url`.
    Could not check that your web server is properly set up to allow file synchronization over WebDAV. Please check manually. To allow this check to run you have to make sure that your webserver can connect to itself. Therefor it must be able to resolve and connect to at least one its `trusted_domains` or the `overwrite.cli.url`. For more details see the documentation ↗.
    Could not check that your web server serves `.well-known` correctly. Please check manually. To allow this check to run you have to make sure that your webserver can connect to itself. Therefor it must be able to resolve and connect to at least one its `trusted_domains` or the `overwrite.cli.url`. For more details see the documentation ↗.
    Could not check for WOFF2 loading support. Please check manually if your webserver serves `.woff2` files. To allow this check to run you have to make sure that your webserver can connect to itself. Therefor it must be able to resolve and connect to at least one its `trusted_domains` or the `overwrite.cli.url`. For more details see the documentation ↗.
    Could not check that your web server serves security headers correctly. Please check manually. For more details see the documentation ↗.

while with A records all checks pass. The server is otherwise fully operational with or without A records.

Is this the first time you’ve seen this error? (Y/N): Y although didn’t try IPv6-only before

Steps to replicate it:

  1. remove A records
  2. wait for DNS to propagate
  3. refresh administration / overview

The output of your Nextcloud log in Admin > Logging:

The logs are currently full of unrelated errors due to recent network outage (firewall misconfiguration to be precise). During the testing period of 2 days, a single kind of message repeated over and over:

{"reqId":"2p0sBVro45MMrPO9h4PB","level":3,"time":"2024-06-25T21:26:11+00:00","remoteAddr":"","user":"--","app":"richdocuments","method":"","url":"--","message":"Failed to fetch discovery: cURL error 7: Failed to connect to nextcloud.<my domain> port 443 after 4 ms: Couldn't connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://nextcloud.<my domain>/hosting/discovery","userAgent":"--","version":"29.0.2.2","exception":{"Exception":"GuzzleHttp\\Exception\\ConnectException","Message":"cURL error 7: Failed to connect to nextcloud.<my domain> port 443 after 4 ms: Couldn't connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://nextcloud.<my domain>/hosting/discovery","Code":0,"Trace":[{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php","line":158,"function":"createRejection","class":"GuzzleHttp\\Handler\\CurlFactory","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php","line":110,"function":"finishError","class":"GuzzleHttp\\Handler\\CurlFactory","type":"::","args":[["GuzzleHttp\\Handler\\CurlHandler"],"*** sensitive parameters replaced ***",["GuzzleHttp\\Handler\\CurlFactory"]]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlHandler.php","line":47,"function":"finish","class":"GuzzleHttp\\Handler\\CurlFactory","type":"::","args":[["GuzzleHttp\\Handler\\CurlHandler"],"*** sensitive parameters replaced ***",["GuzzleHttp\\Handler\\CurlFactory"]]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":142,"function":"__invoke","class":"GuzzleHttp\\Handler\\CurlHandler","type":"->","args":["*** sensitive parameters replaced ***","*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/Http/Client/DnsPinMiddleware.php","line":123,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php","line":35,"function":"OC\\Http\\Client\\{closure}","class":"OC\\Http\\Client\\DnsPinMiddleware","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":31,"function":"__invoke","class":"GuzzleHttp\\PrepareBodyMiddleware","type":"->","args":["*** sensitive parameters replaced ***","*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php","line":71,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":66,"function":"__invoke","class":"GuzzleHttp\\RedirectMiddleware","type":"->","args":["*** sensitive parameters replaced ***","*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/HandlerStack.php","line":75,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php","line":333,"function":"__invoke","class":"GuzzleHttp\\HandlerStack","type":"->","args":["*** sensitive parameters replaced ***","*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php","line":169,"function":"transfer","class":"GuzzleHttp\\Client","type":"->","args":["*** sensitive parameters replaced ***","*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php","line":189,"function":"requestAsync","class":"GuzzleHttp\\Client","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/Http/Client/Client.php","line":230,"function":"request","class":"GuzzleHttp\\Client","type":"->","args":["*** sensitive parameters replaced ***","https://nextcloud.<my domain>/hosting/discovery",["/mnt/ncdata/files_external/rootcerts.crt",5,[true],["Nextcloud Server Crawler","gzip"],true]]},{"file":"/var/www/html/custom_apps/richdocuments/lib/Service/DiscoveryService.php","line":75,"function":"get","class":"OC\\Http\\Client\\Client","type":"->","args":["https://nextcloud.<my domain>/hosting/discovery",[5,[true]]]},{"file":"/var/www/html/custom_apps/richdocuments/lib/Service/CachedRequestService.php","line":75,"function":"sendRequest","class":"OCA\\Richdocuments\\Service\\DiscoveryService","type":"->","args":[["OC\\Http\\Client\\Client"]]},{"file":"/var/www/html/custom_apps/richdocuments/lib/Backgroundjobs/ObtainCapabilities.php","line":52,"function":"fetch","class":"OCA\\Richdocuments\\Service\\CachedRequestService","type":"->","args":[]},{"file":"/var/www/html/lib/public/BackgroundJob/Job.php","line":80,"function":"run","class":"OCA\\Richdocuments\\Backgroundjobs\\ObtainCapabilities","type":"->","args":[null]},{"file":"/var/www/html/lib/public/BackgroundJob/TimedJob.php","line":102,"function":"start","class":"OCP\\BackgroundJob\\Job","type":"->","args":[["OC\\BackgroundJob\\JobList"]]},{"file":"/var/www/html/lib/public/BackgroundJob/TimedJob.php","line":92,"function":"start","class":"OCP\\BackgroundJob\\TimedJob","type":"->","args":[["OC\\BackgroundJob\\JobList"]]},{"file":"/var/www/html/cron.php","line":176,"function":"execute","class":"OCP\\BackgroundJob\\TimedJob","type":"->","args":[["OC\\BackgroundJob\\JobList"]]}],"File":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php","Line":210,"message":"Failed to fetch discovery: cURL error 7: Failed to connect to nextcloud.<my domain> port 443 after 4 ms: Couldn't connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://nextcloud.<my domain>/hosting/discovery","exception":[],"CustomMessage":"Failed to fetch discovery: cURL error 7: Failed to connect to nextcloud.<my domain> port 443 after 4 ms: Couldn't connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://nextcloud.<my domain>/hosting/discovery"},"id":"667c7488ee27f"}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'one-click-instance' => true,
  'one-click-instance.user-limit' => 100,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'check_data_directory_permissions' => false,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'nextcloud-aio-redis',
    'password' => '',
    'port' => 6379,
  ),
  'passwordsalt' => '',
  'secret' => '',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'nextcloud.<my domain>',
  ),
  'datadirectory' => '/mnt/ncdata',
  'dbtype' => 'pgsql',
  'version' => '29.0.2.2',
  'overwrite.cli.url' => 'https://nextcloud.<my domain>/',
  'dbname' => 'nextcloud_database',
  'dbhost' => 'nextcloud-aio-database',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_nextcloud',
  'dbpassword' => '',
  'installed' => true,
  'instanceid' => '',
  'maintenance' => false,
  'loglevel' => 2,
  'log_type' => 'file',
  'logfile' => '/var/www/html/data/nextcloud.log',
  'log_rotate_size' => '10485760',
  'log.condition' => 
  array (
    'apps' => 
    array (
      0 => 'admin_audit',
    ),
  ),
  'preview_max_x' => '2048',
  'preview_max_y' => '2048',
  'jpeg_quality' => '60',
  'enabledPreviewProviders' => 
  array (
    1 => 'OC\\Preview\\Image',
    2 => 'OC\\Preview\\MarkDown',
    3 => 'OC\\Preview\\MP3',
    4 => 'OC\\Preview\\TXT',
    5 => 'OC\\Preview\\OpenDocument',
    6 => 'OC\\Preview\\Movie',
    7 => 'OC\\Preview\\Krita',
    0 => 'OC\\Preview\\Imaginary',
  ),
  'enable_previews' => true,
  'upgrade.disable-web' => true,
  'mail_smtpmode' => 'smtp',
  'trashbin_retention_obligation' => 'auto, 30',
  'versions_retention_obligation' => 'auto, 30',
  'activity_expire_days' => '30',
  'simpleSignUpLink.shown' => false,
  'share_folder' => '/Shared',
  'one-click-instance.link' => 'https://nextcloud.com/all-in-one/',
  'upgrade.cli-upgrade-link' => 'https://github.com/nextcloud/all-in-one/discussions/2726',
  'updatedirectory' => '/nc-updater',
  'htaccess.RewriteBase' => '/',
  'files_external_allow_create_new_local' => true,
  'trusted_proxies' => 
  array (
    0 => '127.0.0.1',
    1 => '::1',
    10 => '172.18.0.1/32',
  ),
  'allow_local_remote_servers' => true,
  'overwritehost' => 'nextcloud.<my domain>',
  'overwriteprotocol' => 'https',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => '',
  'mail_domain' => '<my domain>',
  'mail_smtphost' => '',
  'mail_smtpport' => '465',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '',
  'mail_smtppassword' => '',
  'mail_smtpsecure' => 'ssl',
  'default_phone_region' => 'AT',
  'davstorage.request_timeout' => 3600,
  'dbpersistent' => false,
  'appsallowlist' => false,
  'preview_imaginary_url' => 'http://nextcloud-aio-imaginary:9000',
  'maintenance_window_start' => 100,
  'preview_imaginary_key' => '',
  'auth.bruteforce.protection.enabled' => true,
  'ratelimit.protection.enabled' => true,
);

The output of your Apache/nginx/system log in /var/log/____:

AIO

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

see above

you can reach these URLs from within the container?

tldr: w/ A yes, w/o no

Just tried again, with A record:

64cfc070877d:/var/www/html# curl -I 'https://nextcloud.<domain>/hosting
/discovery'                                                                     
HTTP/2 200                                                                      
alt-svc: h3=""; ma=2592000                                                
content-type: text/xml                                                          
date: Thu, 27 Jun 2024 17:30:16                                                 
last-modified: Thu, 27 Jun 2024 17:30:16                                        
server: Caddy                                                                   
x-content-type-options: nosniff
content-length: 31609

64cfc070877d:/var/www/html# ping nextcloud.<domain>
PING nextcloud.<domain> (<public ip>): 56 data bytes
64 bytes from <public ip>: seq=0 ttl=42 time=0.750 ms
64 bytes from <public ip>: seq=1 ttl=42 time=0.764 ms
^C
--- nextcloud.<domain> ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.750/0.757/0.764 ms

after removing them and a minute later:

64cfc070877d:/var/www/html# curl -I 'https://nextcloud.<domain>/hosting/discovery'
curl: (7) Failed to connect to nextcloud.<domain> port 443 after 9 ms: Couldn't connect to server
64cfc070877d:/var/www/html# ping nextcloud.<domain>
PING nextcloud.<domain> (<public ipv6>): 56 data bytes
ping: sendto: Network unreachable
64cfc070877d:/var/www/html# ping -4 nextcloud.<domain>
ping: bad address 'nextcloud.<domain>'

Docker doesn’t support IPv6 by default. Did you added IPv6 support to your system?

you can check using curl ipv6.google.com or any other IPv6-only website…

from my notes (bare with if it’s outdated) change /etc/docker/daemon.json to:

{
"userland-proxy": false,
"ipv6": true,
"fixed-cidr-v6": "fd00:beef:beef::/48",
"experimental": true,
"ip6tables": true
} 

restart docker daemon, create a bridge network with IPv6 support and have fun!

UPDATE: I’m running separate CODE container but it works as well:

# check local CODE IPv6 connectivity 
docker compose exec app curl --ipv6 -I 'https://collabora.mydomain.tld/hosting/discovery' -v
*   Trying [fd00:feed:beef:1::5]:443...
* Connected to collabora.mydomain.tld (fd00:feed:beef:1::5) port 443 (#0)
# check google IPv6 connectivity 
docker compose exec app curl --ipv6 -I 'https://ipv6.google.com' -v
*   Trying [2a00:1450:400a:800::200e]:443...
* Connected to ipv6.google.com (2a00:1450:400a:800::200e) port 443 (#0)

Thanks for pointing this out and in retrospect I feel stupid! After following

and

to enable IPv6 for Docker and recreate the Docker network with IPv6 support, the container got an IPv6 address and can connect to anything, also to itself.

1 Like