
SSL Letsencrypt Problem with Acme tool

Discussion in 'Domains, DNS, Email & SSL Certificates' started by vandelay, Mar 5, 2019.

  1. vandelay

    vandelay New Member

    14
    0
    1
    Mar 4, 2019
    Ratings:
    +3
    Local Time:
    2:41 AM
    1.15.9
    Hi. I've been running Centmin Beta on this Centos 7 Linode server for over a year. No problem with anything. Everything vanilla.

    Yesterday I was trying to add a new site and noticed an error with getting a new Let's Encrypt cert. So I tried to renew a certificate for a site that I already have on this server, which I know is currently running properly with SSL, only to get this error:

    Code:
    [10:58][user@unhype tools]# ./acme.sh/acme.sh --renew-all
    [Tue Mar  5 10:58:48 UTC 2019] Renew: 'unhype.com'
    [Tue Mar  5 10:58:48 UTC 2019] Multi domain='DNS:unhype.com,DNS:www.unhype.com'
    [Tue Mar  5 10:58:48 UTC 2019] Getting domain auth token for each domain
    [Tue Mar  5 10:58:48 UTC 2019] Getting webroot for domain='unhype.com'
    [Tue Mar  5 10:58:48 UTC 2019] Getting new-authz for domain='unhype.com'
    [Tue Mar  5 10:58:49 UTC 2019] The new-authz request is ok.
    [Tue Mar  5 10:58:49 UTC 2019] Getting webroot for domain='www.unhype.com'
    [Tue Mar  5 10:58:49 UTC 2019] Getting new-authz for domain='www.unhype.com'
    [Tue Mar  5 10:58:50 UTC 2019] The new-authz request is ok.
    [Tue Mar  5 10:58:50 UTC 2019] Verifying: unhype.com
    [Tue Mar  5 10:58:54 UTC 2019] unhype.com:Verify error:Fetching https://unhype.com/.well-known/acme-challenge/some-hash-DWQOIJDIOWQJDJWQ: Connection refused
    [Tue Mar  5 10:58:54 UTC 2019] Please check log file for more details: /user/centminlogs/acmetool.sh-debug-log-040319-111738.log
    [Tue Mar  5 10:58:56 UTC 2019] Error renew unhype.com.
    
    You can see at Unhype – Telling It Like It Is that the certificate is still valid but I can't renew it. I had exactly the same error when I was trying to create a new domain.

    I'm not sure if posting the whole log file is secure so I'm posting the error part:
    Code:
    [Tue Mar  5 10:58:53 UTC 2019] original='{
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "Fetching https://unhype.com/.well-known/acme-challenge/some-hash-DWQOIJDIOWQJDJWQ: Connection refused",
        "status": 400
      },
    
    I'd appreciate if anyone could help, thanks :)))

     
    Last edited: Mar 5, 2019
  2. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    5:41 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    As you have been running 123.09beta01 for a year, when was the last time you ran the updater for it? 123.09beta01 gets continuous updates, and it could just be that your nginx configs are out of date too.

    What is the output of the command cmupdate, which updates 123.09beta01?
    Code (Text):
    cmupdate


    Also, I see you're running the commands as a user other than the root user? And also running from the tools directory and not from where Centmin Mod installs acme.sh, at /root/.acme.sh. Centmin Mod is intended to run as the root user.
    How exactly are you creating that new domain?
     
  3. vandelay

    I am running as root, actually; I changed the output for security reasons. Just paranoid about publicly showing anything that I'm running as root. Sorry for the confusion.

    I am updating regularly:
    Code:
    cmupdate
    No local changes to save
    Already up-to-date.
    
    I'm creating a new Wordpress vhost using option 22, self-signed = no, let's encrypt, option 4. I'm getting the same error as when trying to renew.
     
  4. eva2000

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22, or via the /usr/bin/nv CLI command line, you will create the Nginx vhost files and directories. The output will show the path where it creates the domain name's vhost conf file, named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL).
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    What is the output of these commands in SSH?
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    Wrap the output in CODE tags.

    You can mask real domain name for privacy reasons in outputs.
     
  5. vandelay

    Code:
    cat /usr/local/nginx/conf/conf.d/unhype.com.ssl.conf
    
    #x# HTTPS-DEFAULT
     server {
      
       server_name unhype.com www.unhype.com;
       return 301 https://unhype.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2 reuseport;
      server_name unhype.com www.unhype.com;
    
      include /usr/local/nginx/conf/ssl/unhype.com/unhype.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/unhype.com/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/unhype.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/unhype.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/unhype.com/autoprotect-unhype.com.conf;
      root /home/nginx/domains/unhype.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      include /usr/local/nginx/conf/wpincludes/unhype.com/wpcacheenabler_unhype.com.conf;
      #include /usr/local/nginx/conf/wpincludes/unhype.com/wpsupercache_unhype.com.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/wpincludes/unhype.com/rediscache_unhype.com.conf; 
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
     
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args; 
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        #auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/unhype.com/htpasswd_wplogin;   
        include /usr/local/nginx/conf/php-wpsc.conf;
        
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-scripts\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-styles\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/unhype.com/wpsecure_unhype.com.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
     
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-unhype.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    
    }
    
    Code:
    curl -I https://unhype.com && curl -I https://www.unhype.com && curl -I http://unhype.com && curl -I http://www.unhype.com
    HTTP/1.1 200 OK
    Date: Tue, 05 Mar 2019 13:01:36 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 104589
    Last-Modified: Tue, 05 Mar 2019 11:35:19 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    ETag: "5c7e5ef7-1988d"
    Server: nginx centminmod
    X-Powered-By: centminmod
    Accept-Ranges: bytes
    
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 05 Mar 2019 13:01:39 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Expires: Tue, 05 Mar 2019 14:01:39 GMT
    Cache-Control: max-age=3600
    X-Redirect-By: WordPress
    Location: https://unhype.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 05 Mar 2019 13:01:39 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
    Location: https://unhype.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 05 Mar 2019 13:01:39 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
    Location: https://unhype.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    My website works with SSL but I can't renew the certificate. It's still valid for 1 month.
     
  6. eva2000

    Nothing in your nginx vhost config looks out of place to cause the problem, so next is the actual debug log, which you can post to pastebin.com or gist.github.com with sanitized domain/IP info.
     
  7. vandelay

  8. eva2000

    OK, looking closer, I think I see a potential problem: see X-Redirect-By: WordPress, that is a redirect by WordPress, not nginx.
    Code (Text):
    curl -I https://www.unhype.com
    
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 05 Mar 2019 13:01:39 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Expires: Tue, 05 Mar 2019 14:01:39 GMT
    Cache-Control: max-age=3600
    X-Redirect-By: WordPress
    Location: https://unhype.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    

    It's due to an incorrect entry at
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
     
       server_name unhype.com www.unhype.com;
       return 301 https://unhype.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2 reuseport;
      server_name unhype.com www.unhype.com;
    

    The 2nd server{} context's server_name should only list the intended main primary redirect non-www version
    Code (Text):
    server {
      listen 443 ssl http2 reuseport;
      server_name unhype.com;
    

    Also, you need a redirect for the https www version of your domain as per Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS

    So it becomes the following, using temp 302 until you are sure the redirects are working, then change to 301 permanent redirects
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
    
       server_name unhype.com www.unhype.com;
       return 302 https://unhype.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name www.unhype.com;
    
      include /usr/local/nginx/conf/ssl/unhype.com/unhype.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
       return 302 https://unhype.com$request_uri;
    }
    
    server {
      listen 443 ssl http2 reuseport;
      server_name unhype.com;
    

    Restart nginx and php-fpm after editing
    Code (Text):
    nprestart
     
  9. upgrade81

    upgrade81 Member

    295
    17
    18
    Sep 5, 2016
    CH
    Ratings:
    +30
    Local Time:
    8:41 PM
    1.17
    10.3
    Same problem here in new fresh install beta 7.2 installer...
     
  10. vandelay

    Confirmed. When I'm creating a new vhost I'm getting the same problem.
     
  11. upgrade81

    Furthermore, if you launch a certificate request you will be in error.
    The tool continues to automatically insert the WWW version in the domain conf file,

    which creates a redirect loop

    Code:
    server {
      listen 443 ssl http2;
      server_name unhype.com www.unhype.com;
    
      include /usr/local/nginx/conf/ssl/unhype.com/unhype.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
       return 302 https://www.unhype.com$request_uri;
     
  12. eva2000

  13. eva2000

    Do you get that with centmin.sh menu option 2 created vhosts too? Or just centmin.sh menu option 22 ones?
     
  14. eva2000

    I see what you mean with HTTPS default. The normal redirect is for non-https non-www + www redirect to https non-www or www site. That wouldn't usually cause a redirect loop by itself unless you changed the target https redirect to the primary www version of the domain, as WordPress usually defaults to the non-www version. So WordPress will redirect the https www version to the https non-www version itself.

    Though it usually shouldn't be an issue for letsencrypt ssl, as I tested it just now and it works. I just tested both centmin.sh menu option 2 and 22 and the letsencrypt ssl cert issued fine for me.
     
    Last edited: Mar 6, 2019
  15. eva2000

    Wow, found a new tool for letsencrypt checks at Let's Debug. Your site run through the test shows issues with IPv6 AAAA DNS records:

    Code:
    ERROR
    unhype.com has an AAAA (IPv6) record (2600:3c03::f03c:91ff:fe2b:5e31) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
    Get http://unhype.com/.well-known/acme-challenge/letsdebug-test: dial tcp [2600:3c03::f03c:91ff:fe2b:5e31]:80: connect: connection refused
    
    Trace:
    @0ms: Making a request to http://unhype.com/.well-known/acme-challenge/letsdebug-test (using initial IP 2600:3c03::f03c:91ff:fe2b:5e31)
    @0ms: Dialing 2600:3c03::f03c:91ff:fe2b:5e31
    @3ms: Experienced error: dial tcp [2600:3c03::f03c:91ff:fe2b:5e31]:80: connect: connection refused 
    I'd remove DNS AAAA IPv6 records for your domain seeing as you haven't configured Nginx to work with IPv6
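
The check that Let's Debug ran in the post above can be repeated before requesting or renewing a certificate. The following is an added example, not part of the original thread or of Centmin Mod: it probes ports 80 and 443 on every A and AAAA address of a domain and reports which address families refuse connections. The function names and the constructed sample records (documentation addresses) are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Pre-flight for ACME http-01: probe ports 80/443 on every A and AAAA address."""
import socket
import sys

# Constructed sample (documentation addresses) mirroring the thread:
# the IPv4 address answers, the IPv6 address from the AAAA record refuses.
SAMPLE_RECORDS = [("IPv4", "192.0.2.10"), ("IPv6", "2001:db8::1")]


def sample_connector(ip, port, timeout=5.0):
    """Stand-in for tcp_connect() that refuses every IPv6 address."""
    return "Connection refused" if ":" in ip else None


def resolve(domain):
    """Return sorted unique (family, ip) pairs as seen by the local resolver."""
    try:
        infos = socket.getaddrinfo(domain, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    names = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}
    return sorted({(names[fam], sa[0]) for fam, _, _, _, sa in infos if fam in names})


def tcp_connect(ip, port, timeout=5.0):
    """Return None when the TCP handshake completes, else the error text."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return None
    except OSError as exc:
        return str(exc)


def preflight(domain, ports=(80, 443), resolver=resolve, connector=tcp_connect):
    """Probe every address and port; return (rows, families with failures).

    Port 443 is included because the vhost in the thread redirects the
    challenge URL to https, and the reported error was on the https fetch.
    """
    rows = [(fam, ip, port, connector(ip, port))
            for fam, ip in resolver(domain) for port in ports]
    broken = sorted({fam for fam, _, _, err in rows if err is not None})
    return rows, broken


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} DOMAIN", file=sys.stderr)
        return 2
    rows, broken = preflight(argv[1])
    for fam, ip, port, err in rows:
        print(f"{fam} {ip} port {port}: {'ok' if err is None else 'FAIL ' + err}")
    for fam in broken:
        print(f"{fam}: address is in DNS but refuses connections; "
              "make nginx listen on it or remove the record")
    return 1 if broken or not rows else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a host with working IPv6 connectivity, otherwise every AAAA address fails for local reasons rather than because of the server.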
     
  16. vandelay

    Wow, thanks. Never would've thought about IPv6. Linode added these addresses automatically. I'll try.
     
  17. upgrade81

    Look at my configuration: it is with IPv6 and these redirects, which have always worked for me. Does it not work now?


    Code (Text):
    #x# HTTPS-DEFAULT
     server {
       listen 80;
       listen [2a00:dcc0:xxxxxx::1]:80;
       server_name domain.net www.domain.net;
       return 301 https://www.domain.net$request_uri;
     }
    
    server {
      listen 443 ssl;
      listen [2a00:dcc0:dead:xxxx::1]:443 ssl;
      server_name domain.net;
      include /usr/local/nginx/conf/ssl/domain.net/domain.net.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-$
    
      return 301 https://www.domain.net$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      listen [2a00:dcc0:dead:xxxx::1]:443 ssl http2 reuseport fastopen=256;
      server_name  www.domain.net;
    
      include /usr/local/nginx/conf/ssl/domain.net/domain.net.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
     
  18. upgrade81

    I solved it by eliminating the second block.
    But if you recertify with the second block active, the letsencrypt domain check is again in error.
     
  19. eva2000

    official FAQ item 34
     
  20. upgrade81

    Hello, thanks, but we had already used ipv6only in the past and it gave problems, because we use the same IPv6 address on all sites.