Yet another IPv6/reachability issue

Bear with me if this is going to sound like I need to get frustration off my chest but… well.

Only after the certificate for the (static) subdomain I use had expired did I learn that my Nextbox was not as reachable as I thought it was… (which is a pain in the back due to HSTS; “luckily”, I have a Windows VM with its included safety-agnostic IE).
The problem of certbot not being able to renew the certificate vanished after I had removed DynDNS and “port forwarding” for IPv6, i.e., the Nextbox is only connected via IPv4 again.

In between, I seriously considered dumping the Nitrokey parts of Nextbox and using the hardware with manually installed Nginx/Nextcloud like in the years before on RPis and Odroid.
Besides, this would also give the opportunity to always have the latest updates thanks to no Docker dependency etc…

Rating A
Running Nextcloud
NOT on latest patch level

I’m actually used to having an A+ at all times. 🙁

However: I am pretty sure I followed each aspect of the documentation re. IPv6, and more. Still, it was not possible to persuade the FritzBox to use the same IPv6 prefix for the Nextbox and “the Internet”. At least I think I could nail the certbot problem down to this, which would fit well with other people’s descriptions.
Also still, the second test says:

“Successfully tested reachability for: nn.nn.nn.nn, but no Nextcloud instance answered!”

So, what does this reachability test do? Is it safe to ignore? Will I have to mark January 24, 2022, in my calendar because then the current certificate is bound to expire again??

All in all, I bought the box because I had hoped to reduce maintenance efforts (and because I needed new hardware for my cloud anyway). Sadly, this did not turn out to be true yet.

Hey @lothar,

Yeah, this is bad and we are really sorry. The problem here is a bug in Nextcloud, which just recently got fixed. We clearly aim to have more Nextcloud updates in the future, but this was really blocking for quite some time now; once the fix makes it into a release, we’ll directly jump to NC22.

The reachability was updated recently to work “better” but is still not perfect. Important for you is likely the next update, which I expect in like one week. This will change the certbot certificate verification from a direct connection to a DNS-based verification (for guided dynamic DNS), which eliminates the need for reachability for certbot renewals.

Nevertheless, the choose-the-right-IPv6 issue is something we are currently working on; clearly we also have to get better here. The central issue here is the countless different network configurations that have to be considered, and we are working on improving the situation step by step.