Symptoms
Certificate/key pairs can no longer be imported into the server, and the certificate check output looks like this:
== Setup =======================================================================
==== setting up work directory... ok
==== setting up environment... ok
==== starting server.../tmp/certificates_check_o2g5S6 /data/bin /data/bin ok
==== waiting for server to be up.... ok
== Test 1: connection and certificate validation ===============================
getaddrinfo: Name or service not known
Using default temp DH parameters
ACCEPT
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   0 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   0 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
socket: Connection refused
connect:errno=22
openssl s_client exited with code 1
==== Test 1 FAILED
== Test 2: data transfer =======================================================
curl: (7) couldn't connect to host
curl exited with code 7
cmp: EOF on /tmp/certificates_check_o2g5S6/test_1.out
==== Test 2 FAILED
== Cleanup =====================================================================
==== stopping server... ok
data transfer error
==== stopping background jobs... ok
==== removing work directory... ok
Cause
An OpenSSL function used to check for certificate validity erroneously requires IPv6 to be enabled on the loopback interface. Check whether IPv6 is enabled by running the ip addr ls command; if IPv6 is enabled, the output will look like this:
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
...
On the other hand, if IPv6 is disabled, the output of ip addr ls will look like this:
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
...
In this case, certificate validation will always fail, and you will need to apply the workaround.
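The check described above as a script, added here as an example and not part of the original article: it parses ip addr ls output per interface and reports whether lo carries ::1, so an IPv6 address on another interface does not hide the problem. The function names and both sample outputs are constructed for illustration.

```shell
# lo_has_ipv6: read `ip addr ls` output on stdin and inspect only the lo block.
# Exit status: 0 = lo has inet6 ::1, 1 = lo has no ::1, 2 = no lo block found.
lo_has_ipv6() {
    awk '
        /^[0-9]+: / {                      # interface header, e.g. "1: lo: ..."
            name = $2; sub(/:$/, "", name)
            if (name == "lo") seen = 1
        }
        name == "lo" && $1 == "inet6" && $2 ~ /^::1\// { found = 1 }
        END { if (!seen) exit 2; exit (found ? 0 : 1) }
    '
}

# Constructed samples modelled on the two outputs shown above.
sample_enabled() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
EOF
}

# IPv6 off on lo but still on eth0: a plain `grep inet6` would be misled.
sample_disabled_on_lo() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
    inet6 fe80::1/64 scope link
EOF
}

report() {                                 # $1 = label, ip output on stdin
    rc=0; lo_has_ipv6 || rc=$?
    case $rc in
        0) echo "$1: lo has ::1" ;;
        1) echo "$1: lo lacks ::1, the certificate check will fail" ;;
        *) echo "$1: no lo interface in input" ;;
    esac
    return $rc
}

sample_enabled | report "sample (IPv6 enabled)" || true
sample_disabled_on_lo | report "sample (IPv6 disabled on lo)" || true
# On a live server: ip addr ls | report "this host"
```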
Workaround
Re-enable IPv6 on the server and reboot it.
Resolution
None yet.