fix IPv6 no longer working.

use reverse proxy on NAS instead.

roles/openhab/tasks/letsencrypt.yml

@@ -10,7 +10,8 @@
     cache_valid_time: "{{apt_config.cache_valid_time}}"
 
 - name: get certificate
-  shell: 'certbot -n run --nginx --agree-tos --email {{letsencrypt_email}} -d {{fqdn}}'
+  shell: 'certbot -n run --nginx --agree-tos --email {{letsencrypt_email}} -d {{fqdn}} --server https://acme-staging-v02.api.letsencrypt.org/directory'
+  #shell: 'certbot -n run --nginx --agree-tos --email {{letsencrypt_email}} -d {{fqdn}}'
 
 
 # - name: cron job

roles/openhab/tasks/main.yml

@@ -16,14 +16,14 @@
   tags:
   - nginx
   - openhab_all
-- include: dynv6.yml
-  tags:
-  - dynv6
-  - openhab_all
-- include: letsencrypt.yml
-  tags:
-  - letsencrypt
-  - openhab_all
+# - include: dynv6.yml
+#   tags:
+#   - dynv6
+#   - openhab_all
+# - include: letsencrypt.yml
+#   tags:
+#   - letsencrypt
+#   - openhab_all
 - include: scripts.yml
   tags:
   - scripts

roles/openhab/tasks/nginx.yml

@@ -17,7 +17,7 @@
      mode: "u=rwx,g=r,o=r"
   notify: restart nginx
 
-- stat: path=/etc/letsencrypt/live/schnidrig.dynv6.net/fullchain.pem
+- stat: path=/etc/letsencrypt/live/{{fqdn}}/fullchain.pem
   register: letsencrypt_cert
   
 - name: overwrite nginx config for letsencrypt initialization

roles/openhab/templates/nginx.conf.j2

@@ -3,12 +3,6 @@
 server {
     listen                          [::]:80 ipv6only=off;
     server_name                     {{fqdn}};
-    return 301                      https://$server_name$request_uri;
-}
-
-server {
-    listen                          [::]:443 ipv6only=off ssl;
-    server_name                     {{fqdn}};
 
     # Cross-Origin Resource Sharing
     add_header 'Access-Control-Allow-Origin' '*' always;
@@ -16,16 +10,6 @@ server {
     add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
     add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
 
-    # certificate
-    ssl_certificate                 /etc/letsencrypt/live/schnidrig.dynv6.net/fullchain.pem;
-    ssl_certificate_key             /etc/letsencrypt/live/schnidrig.dynv6.net/privkey.pem;
-    ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers                     EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
-    ssl_prefer_server_ciphers on;
-    ssl_dhparam                     /etc/nginx/ssl/dhparam2048.pem;
-    ssl_ecdh_curve secp384r1;
-    # check settings with: https://www.ssllabs.com/ssltest/analyze.html?d={{fqdn}}
-
     location / {
         proxy_pass                              http://localhost:8080/;
 	    proxy_redirect				            http:// https://;
@@ -57,8 +41,4 @@ server {
 
     }
 
-    location /.well-known/acme-challenge/ {
-        root                                    /var/www/html;
-    }
-
 }

roles/openhab/templates/nginx.conf.letsencrypt.j2

@@ -0,0 +1,68 @@
+
+# This is a config that can be used with letsencrypt and a DNS name with IPv6 pointing directly to raspi (no reverse-proxy on NAS)
+# In order to use it, replace nginx.conf.j2 with this.
+
+
+# redirect http to https
+server {
+    listen                          [::]:80 ipv6only=off;
+    server_name                     {{fqdn}};
+    return 301                      https://$server_name$request_uri;
+}
+
+server {
+    listen                          [::]:443 ipv6only=off ssl;
+    server_name                     {{fqdn}};
+
+    # Cross-Origin Resource Sharing
+    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow_Credentials' 'true' always;
+    add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
+    add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
+
+    # certificate
+    ssl_certificate                 /etc/letsencrypt/live/{{fqdn}}/fullchain.pem;
+    ssl_certificate_key             /etc/letsencrypt/live/{{fqdn}}/privkey.pem;
+    ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers                     EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
+    ssl_prefer_server_ciphers on;
+    ssl_dhparam                     /etc/nginx/ssl/dhparam2048.pem;
+    ssl_ecdh_curve secp384r1;
+    # check settings with: https://www.ssllabs.com/ssltest/analyze.html?d={{fqdn}}
+
+    location / {
+        proxy_pass                              http://localhost:8080/;
+	    proxy_redirect				            http:// https://;
+        proxy_buffering                         off;  # openHAB supports non-buffering specifically for SSEs now
+        proxy_set_header Host                   $http_host;
+        proxy_set_header X-Real-IP              $remote_addr;
+        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto      $scheme;
+        proxy_read_timeout                      3600;
+
+        auth_basic                              "Openhab";
+        auth_basic_user_file                    /etc/nginx/htpasswd;
+     }
+
+    location /logs/ {
+        proxy_pass                              http://localhost:9001/;
+        sub_filter_once                         off;
+        sub_filter_types                        text/html;
+        sub_filter                              'href="/' 'href="/logs/';
+        sub_filter                              'src="/' 'src="/logs/';
+        sub_filter                              "path: '/socket.io'" "path: '/logs/socket.io'";
+
+        proxy_http_version                      1.1;
+        proxy_set_header                        Upgrade $http_upgrade;
+        proxy_set_header                        Connection "upgrade";
+
+        auth_basic                              "Openhab";
+        auth_basic_user_file                    /etc/nginx/htpasswd;
+
+    }
+
+    location /.well-known/acme-challenge/ {
+        root                                    /var/www/html;
+    }
+
+}

roles/openhab/templates/nginx.init.conf.j2

@@ -1,7 +1,7 @@
 server {
     listen                          [::]:80 ipv6only=off;
     listen                          [::]:443 ipv6only=off ssl;
-    server_name                     schnidrig.dynv6.net;
+    server_name                     {{fqdn}};
 
     ssl_certificate                 /etc/nginx/ssl/nginx.crt;
     ssl_certificate_key             /etc/nginx/ssl/nginx.key;