SSLLabs test reports invalid ipv6 configuration

https://www.ssllabs.com/ssltest/analyze.html?d=home.pke.fyi

The resolved ipv6 is 2a02:908:375:2ce0:0:0:0:0
“Unable to connect to the server”

Warning: Inconsistent server configuration

Both are forwarded via FritzBox on Port 80 to an nginx 1.20.0 instance running and serving the Let's Encrypt certs.

First I had the updater wrongly configured and it always registered the full ipv6 which then caused the Fritzbox UI to show up on port 80 instead of the forwarded nginx. I have fixed that with the help of this forum already.
Now I hope this issue can also be solved.
Is there any test I can perform to ensure the nginx is actually answering ipv6 requests?

~$ sudo netstat -tulpna | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9731/nginx: master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      9731/nginx: master
tcp6       0      0 :::80                   :::*                    LISTEN      9731/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      9731/nginx: master

2a02:908:375:2ce0:0:0:0:0 is not a valid address. It may show your current prefix. You need to add the host part of your web server.

Apparently you are using a cable connection from Unitymedia (now Vodafone), so you do not have your own ipv4 address unless you have booked one for a fee. Your web server can only be reached via ipv6. You should bear this in mind when specifying the ip addresses for dynv6.

Thanks for your reply!
What do you mean my webserver can only be reached via v6? I am using Fritzbox dyndns service to register the v4 and v6 addresses with dynv6 and it seems to work. Server is reachable from the web just SSL can’t seem to reach it on its v6 address.
I am using the dyndns setting recommended in this forum by specifying only the ipv6 prefix in the updaters URL.

https://dynv6.com/api/update?hostname=<domain>&token=<username>&ipv4=<ipaddr> https://dynv6.com/api/update?hostname=<domain>&token=<username>&ipv6prefix=<ip6lanprefix>

If your internet runs via DSL, your web server can be reached via IPv4 and IPv6. If your internet runs via cable, it looks different. There is only DS-Lite there, as there were no longer enough IPv4 addresses for the cable providers. Then there is no public IPv4 address and your web server cannot be reached via IPv4. Exceptions are additionally chargeable IPv4 addresses (e.g. for business connections) or the Port Control Protocol (PCP).

But if everything goes well, it’s all good.

Your web server can only be reached via IPv4. An nslookup query results in:

nslookup home.pke.fyi 8.8.8.8
Server: UnKnown
Address: 8.8.8.8

Non-authoritative answer:
Name: home.pke.fyi
Address: 2a02:908:375:2ce0::
95.223.22.104

There is no host part in the IPv6 address. If you have not already done so, you must create an AAAA entry in your dynv6 zone under “Records”.
Name: home.pke.fyi
Data: ::xxxx:xxxx:xxxx:xxxx

Under “Data” enter the host part of your web server. Your web server seems to be running on Linux. You have to make sure that this creates a static IPv6 address and use this, as privacy extensions usually create a new host part every day. The process is distribution specific. So it’s best to google for “linux ipv6 privacy extensions”.

As soon as the correct IPv6 address is determined with nslookup, the SSLLabs query also works.

Thanks for your comprehensive help here. That's really new territory for me.
I was thinking the AAAA record was created by the updater script the fritzbox runs?

I have updated the record now to what I could see in the fritzbox for that machine:

That's the FB info to the machine? Which address is the relevant one?

It's running an Ubuntu 16.04 LTS.
Privacy extensions seem to be enabled:

@htpc:~$ ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:908:375:2ce0:201:2eff:fe1f:c431/64 scope global dynamic mngtmpaddr
       valid_lft 7156sec preferred_lft 3556sec
    inet6 fe80::201:2eff:fe1f:c431/64 scope link
       valid_lft forever preferred_lft forever
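The check the thread keeps circling around (does the AAAA record carry only the /64 prefix, and which of the addresses in `ip -6 addr` is the stable one whose host part belongs in the dynv6 record) can be done offline on the pasted output. This is an added example, not the poster's or dynv6's code; the `ip -6 addr` text and the temporary address in it are constructed to mirror the output above, with one privacy-extension address added to show the case the helper warns about.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr` output (not captured from the poster's
# machine): a privacy-extension "temporary" address plus the stable EUI-64 one.
IP6_ADDR_OUTPUT = """\
2: enp0s10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:908:375:2ce0:d1c2:4b0e:9f13:77a5/64 scope global temporary dynamic
       valid_lft 7156sec preferred_lft 3556sec
    inet6 2a02:908:375:2ce0:201:2eff:fe1f:c431/64 scope global dynamic mngtmpaddr
       valid_lft 7156sec preferred_lft 3556sec
    inet6 fe80::201:2eff:fe1f:c431/64 scope link
       valid_lft forever preferred_lft forever
"""

HOST_BITS = 64  # a /64: upper half is the prefix the router registers, lower half the host


def host_part(addr):
    """Lower 64 bits in the form dynv6 expects as record data, e.g. '::201:2eff:fe1f:c431'."""
    low = int(ipaddress.IPv6Address(addr)) & ((1 << HOST_BITS) - 1)
    return str(ipaddress.IPv6Address(low))


def is_prefix_only(addr):
    """True when a DNS answer carries only the prefix (host part all zero):
    the '2a02:908:375:2ce0::' case that SSL Labs cannot connect to."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << HOST_BITS) - 1) == 0


def stable_global_addresses(ip6_output):
    """Global addresses from `ip -6 addr` that are not privacy-extension temporaries.
    Temporary addresses are flagged 'temporary' and change regularly, so they must
    not be published in DNS."""
    found = []
    for line in ip6_output.splitlines():
        m = re.match(r"\s*inet6 ([0-9a-f:]+)/\d+ scope global(.*)", line)
        if m and "temporary" not in m.group(2):
            found.append(m.group(1))
    return found


def expected_aaaa(prefix, ip6_output):
    """Combine the prefix the FritzBox registers with the server's stable host part;
    this is the address the AAAA record should resolve to."""
    stable = stable_global_addresses(ip6_output)[0]
    net = (int(ipaddress.IPv6Address(prefix)) >> HOST_BITS) << HOST_BITS
    return str(ipaddress.IPv6Address(net | int(ipaddress.IPv6Address(host_part(stable)))))


if __name__ == "__main__":
    dns_answer = "2a02:908:375:2ce0::"  # what nslookup returned in the thread
    print("prefix only:", is_prefix_only(dns_answer))
    print("record data to enter:", host_part(stable_global_addresses(IP6_ADDR_OUTPUT)[0]))
    print("AAAA should be:", expected_aaaa(dns_answer, IP6_ADDR_OUTPUT))
```

Feed it the real `ip -6 addr` text and the AAAA answer from `nslookup`; the address it prints as "AAAA should be" is what SSL Labs needs to find before the IPv6 test can connect.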

Now that’s a lot of things at once. Your internet runs via cable (FRITZ! Box 6490 Cable), probably Vodafone (formerly Unitymedia). Unfortunately, I can’t really help you with that, I can only give you hints.

  • The server you can reach at home.pke.fyi is probably not yours, but Vodafone’s. Google DS-Lite.

  • Making your server accessible under IPv4 is probably not possible or only possible with additional monthly costs (business connection, booking IPv4 address). Google DS-Lite.

  • The records in your zone:

    • CAA home.pke.fyi letsencrypt.org
      Tells everyone that the SSL certificates must come from letsencrypt.org. Google CAA DNS.

    • 2a02:908:375:2ce0::.home.pke.fyi
      This should contain the IPv6 address of your web server. According to your picture 2a02:908:375:2ce0:201:2eff:fe1f:c431. Text like “.home.pke.fyi” has no place there.
      Neither will come from the Fritzbox!

  • Search here in the forum for the keyword cable. The first hit could have helped you. (Einrichtung Fritz!Box 6660 Cable - #2 by thorn.st57)

You will have to familiarize yourself with the matter. I don’t think anyone has the time or inclination to do all of this for you. If you want to be available to everyone, you have to somehow get a public IPv4 address from Vodafone. If accessibility via IPv6 is enough for you, you should not configure an IPv4 address in Dynv6. But then the Fritzbox can no longer be used for updating (see Web Server behind FritzBox - #35 by 47906, last post). And you cannot reach the web server via cellular network. And and and…

As you can see, the subject of DS-Lite is not an easy one. Or cheap (business connection, book an IPv4 address).