
Problem running apache dual stack IPv4 and IPv6

Hello!


I am running a single Lion-Server with one public IPv4 address. Because my Provider is able to support IPv6 now, I ordered a public IPv6 address for my server. (To learn IPv6)


I set up the IPv6 address and set up the firewall with ip6fw - everything works fine, I can connect to ssh and afp via IPv4 or IPv6, but when I try to connect to my wiki over IPv6 I get the certificate question (unknown certificate ... blah), click continue and the certificate is loaded again - I end up in an infinite loop of certificate questions.


The part of the firewall config looks like this:

20515 allow tcp from any to any 443
20516 allow tcp from any to any 8443
20517 allow tcp from any to any 1640


I looked into apache config:

/etc/apache2/sites/virtual_host_global.conf has these entries:

Listen *:443
NameVirtualHost *:443
Listen *:80
NameVirtualHost *:80



I have only one domain and only one single virtual host as defined in /etc/apache2/sites/0000_any_443_.conf:

## Default Virtual Host Configuration
<VirtualHost *:443>
    ServerAdmin admin@example.com
    DocumentRoot "/Library/Server/Web/Data/Sites/Default"
    DirectoryIndex index.html index.php /wiki/ default.html
    CustomLog "/var/log/apache2/access_log" combinedvhost
    ErrorLog "/var/log/apache2/error_log"

    <IfModule mod_ssl.c>
        SSLEngine On
        SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
        SSLProxyEngine On
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCertificateFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.cert.pem"
        SSLCertificateKeyFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.key.pem"
        SSLCertificateChainFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.chain.pem"
        SSLProxyProtocol -ALL +SSLv3 +TLSv1
    </IfModule>

    <Directory "/Library/Server/Web/Data/Sites/Default">
        Options All +MultiViews -ExecCGI -Indexes
        AllowOverride None
        <IfModule mod_dav.c>
            DAV Off
        </IfModule>
    </Directory>

    ....

</VirtualHost>


I have not modified the apache config by hand until now - but this was an upgrade from Snow Leopard Server. At the moment I am a little scared to upgrade to Mountain Lion server because this server runs mail and calendar services for my company.


I tried to set up "Listen" entries with dedicated IP-addresses, one for IPv4 and one for IPv6, but this only leads to the same problem - IPv4 works, IPv6 ends in an infinite loop.

I found somewhere that I had to duplicate virtual hosts setup for IPv4 and IPv6 but afaik "Server.app" will overwrite it, right?


Every hint is welcome, bye

Christoph


P.S. Sorry just saw that I posted to ML-Server discussions not Lion-Server, but maybe someone can tell me that I can upgrade without scare.


Message was edited by: Christoph Ewering1

Mac mini, Mac OS X (10.7.2)

Posted on Sep 16, 2012 11:56 PM


Sep 17, 2012 10:19 AM in response to Christoph Ewering1

Just did some testing with a freshly installed Mountain Lion Server in a Parallels-VM


It is the same problem - the web server answers for IPv4 and IPv6 at port 80, and with port 443 it gets in trouble as soon as I try to use an IPv6-address at port 443.


I am trapped in an infinite loop being asked for trusting the certificate.


Every help is welcome, bye,

Christoph

Sep 19, 2012 2:43 PM in response to Christoph Ewering1

Just upgraded to ML Server because I lost iCal server functionality after playing around with IPv6 :-( so I thought "well it is broken so fix it" - after the upgrade calendar server works as expected and apache shows the same infinite loop when I try to connect to port 443 via IPv6.


No one running dual stack with Mac OS X Server?


Bye,

Christoph

Oct 21, 2012 1:32 PM in response to Christoph Ewering1

Hello!

Did some more testing and found that Firefox works with the loopback-address.

https://[::1]/

So, the address above works with Firefox after accepting the certificate - Safari loops in the dialog accepting the certificate.

Then I tried the link-local-address but it looks like apache does not listen to that address at all

Then I tried the global-address and got to:

Safari looping in the certificate dialog

Firefox brings an alert "sec_err_bad_database"

BTW these tests were made on the server that runs the apache. So no firewall between the browser and the server.

No one using Mac OS X server in a dual stack environment?

Bye,

eweri

Oct 22, 2012 6:30 AM in response to Christoph Ewering1

Hello!


I just tried it with chrome and it works! ...


BUT....

1. it takes very long for the page to load, doesn't matter if I connect via IPv4 or IPv6 - hostname works without problems

2. when I connect via IP-address (not via hostname) chrome always reports a false certificate, when I connect via hostname chrome accepts the certificate (selfsigned)


Bye,

Christoph

Oct 28, 2012 10:58 AM in response to Christoph Ewering1

Hello!


So just to let everybody know - I was able to use chrome at my own MacBook Pro at home.


Safari and Firefox still don't work but Chrome works flawlessly and fast via IPv6.


So here is my setup:

Server with a public IPv6- and IPv4-address, running a Hurricane-tunnel for my home network. No problem to connect to my wiki with Chrome via IPv6 - but Safari and Firefox lose.


Bye,

Christoph

Oct 28, 2012 11:45 AM in response to Christoph Ewering1

1. Please double check the settings on the server, a wrong subnet may slow down your connection. IPv4 or IPv6 should be no problem for any browser as long as you have set up your interfaces correctly.


2. It is normal for your certificate to be considered false when you are connecting through IP, certificates only use a host name as far as I've seen. In theory certificates can also be appointed an IP address, but I think you'd still need the correct domain name. Please buy a certificate or get one free of charge somewhere so you can also use iDevices normally and you won't have an error message when reaching your server from another computer. I know some certificate authorities just like to help out since the process of issuing a certificate is automated.


You can test Safari and Firefox using a HTTP proxy like http://www.ipv6proxy.net
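
Added example, not part of any post in this thread: a name check showing why a URL that uses an IP literal (such as https://[::1]/) does not match a certificate that lists only a host name. It covers name matching only, not the separate trust prompt a self-signed certificate triggers; the certificates, host name and addresses below are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data in the shape returned by ssl.SSLSocket.getpeercert().
CERT_DNS_ONLY = {"subjectAltName": (("DNS", "www.example.test"),)}
CERT_DNS_AND_IP = {"subjectAltName": (("DNS", "www.example.test"),
                                      ("IP Address", "2001:DB8:0:0:0:0:0:10"),
                                      ("IP Address", "192.0.2.10"))}

def _as_ip(text):
    """Return an ip_address object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Exact match, or one leftmost '*' label standing for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def cert_matches_url(cert, url):
    """True if the certificate's subjectAltName covers the host in url."""
    host = urlsplit(url).hostname  # strips the [] around IPv6 literals
    if host is None:
        return False
    target_ip = _as_ip(host)
    for kind, value in cert.get("subjectAltName", ()):
        if target_ip is not None:
            # An IP literal is compared only with iPAddress entries, as an
            # address, so different spellings of one IPv6 address are equal.
            if kind == "IP Address" and _as_ip(value) == target_ip:
                return True
        elif kind == "DNS" and _dns_match(value, host):
            return True
    return False
```
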

Oct 29, 2012 12:36 AM in response to Mark23

Hello Mark23!


Thanks for your help, but I think there is a bug in Safari and Firefox. I can connect to any IPv6 web-server over port 80 but as soon as I try SSL I get in trouble with Safari and Firefox.


Chrome works as expected:

- typed in the IPv6-URL

- got a dialog about certificate could not be verified and it would be best not to go further

- accepting the certificate and I can connect to my wiki


As far as I know I did not change any settings in my apache config - I tried different things, but as they didn't show any difference I removed my changes. So my setup is straight as a default setup from Apple.


Do you know a different ssl-enabled IPv6 server that I can test with?


Bye,

Christoph
