certbot on Debian Bookworm fails with: The peer didn't know the key we used

Was setting up a new Debian Bookworm system in my home environment. So far I was not using certificates at home, and wanted to change this along the way, using Let's Encrypt. Since the IP addresses here are RFC1918, I can't use the http01 challenge, and have to resort to dns01 challenges. On Debian Bookworm, using certbot, this fails reproducibly.

ads' corner
@thermia #CGNAT should be outlawed - especially when it illegally uses #RFC1918 address space!

@landley @jschauma @ryanc @0xabad1dea yeah, the exhaustion problem would've been shoved back with a #64bit or sufficiently delayed by a 40bit number.

Unless we also hate #NAT and expect every device to have a unique static #IP (which is a #privacy nightmare at best that "#PrivacyExtensions" barely fixed.)

  • I mean they could've also gone the #DECnet approach and used the #EUI48 / #MAC-Address (or #EUI64) as the static addressing system, but that would've made #vendors and not #ISPs the powerful forces of allocation. (Similar to how technically the #ICCID dictates #GSM / #4G / #5G access and not the #IMEI, unless places like Australia ban imported devices.)

I guess using a #128bit address space was inspired by #ZFS doing the same before, as the folks who designed both wanted to design a solution that clearly will outlive them (way harder than COBOL has outlived Grace Hopper)...

If I was @BNetzA I would've mandated #DualStack and banned #CGNAT (or at least the use of CGNAT in #RFC1918 address spaces) as well as #DualStackLite!

Devices that require being in a specific part of #rfc1918 space, I look down upon you 🤬

TFW someone states an IP address in the 192.169/16 range in their config & leaves you wondering.

#rfc1918

@wmd @miqokin also, in my own experience, the same issues are better solved via @torproject / #Tor, @guardianproject 's #Orbot & @micahflee 's #OnionShare, just to name a few.

🌈☔🌦️🍄 (@wmd@chaos.social)

@kkarhan@infosec.space @miqokin@denden.world another is protection from your 1st mile provider. Being on broken wifi, or wireless networks that are free but sell your data. Or where they limit your internet access a lot (only http/https allowed). There's plenty of reasons for VPN. Enough to avoid such oversimplified harsh claims. If you do stuff that puts you in the spotlight though, and need internet for it, yes, consider tor, but also do way more research than reading 1 toot. (2/2)


@tschaefer it starts with the fact that to this day not everyone has #IPv6 or can even get it...

  • E.g.: my #ISP refuses to provide real #DualStack. (That's also why I can't open this post directly!)

Conversely, to this day not all #Diensteanbieter & services have been migrated from #IPv4 to #IPv6.

That does create a chicken-and-egg problem, but the @BNetzA could solve it by mandating at least one IPv6 /64 per IPv4 address and banning bullshit like #CGNAT [especially with #RFC1918 address space]!

  • Bullshit like #DualStackLite in particular is a botch: either do Dual-Stack properly or leave it be!!!

Thomas Schäfer (@tschaefer@ipv6.social)

@kkarhan@infosec.space You made the claim that IPv6-only would brick a lot of things. So what, exactly?


100.64/10 is not #RFC1918.

Do not commit #RFC7793 & #RFC6598 crimes.

10/8, 172.16/12 and 192.168/16 are enough; you do not need the spicy private IPs.

@jue @goetz @fluepke Until you have some #remote workers who only have #CGNAT + pseudo-static #IPv6 addresses on a #consumer line...

Then it's not an option and you'll have to resort to #RFC1918 and #DualStack #WAN-side, as I had to set up for a fmr. employer / client...

@goetz @fluepke AFAICT, all #MNOs and #MVNOs in #Germany violate #RFC6598 by using #RFC1918 address space (10.0.0.0/8), bricking #VPNs that use the same address range, instead of using the #CGNAT address space (100.64.0.0/10).

Sadly, @BNetzA doesn't really care to enforce anything...

https://en.wikipedia.org/wiki/Carrier-grade_NAT
https://en.wikipedia.org/wiki/IPv4_shared_address_space
https://en.wikipedia.org/wiki/Network_address_translation
https://datatracker.ietf.org/doc/html/rfc1918
https://datatracker.ietf.org/doc/html/rfc6598