When Your Site’s SSL Works on WiFi but not Cellular

Last night I ran into an interesting error, so I figured I’d make a quick post about what happened to Make Art with Python.

I had an error that kept occurring whenever I’d connect to my site over a cellular network in some places.

Each time I’d get an error that Safari couldn’t establish a secure connection.

This was especially frustrating, because whenever I connected via WiFi, I could load my site without any errors at all.

My site was built with Nginx and Let’s Encrypt on DigitalOcean, so all my certificates should have been up to date and perfect.

It wasn’t until I checked my site using an SSL analyzer that I discovered the problem. My site was refusing connections via IPv6.

Now, that’s especially interesting, because my home ISP doesn’t support IPv6 at all. And it turns out, my cellular provider does in some locations. So anybody trying to access my site over IPv6 wasn’t able to connect at all!

That’s a tough thing to admit, especially after having the site up for almost a month. It seems my default Nginx configuration was missing a directive, with the default Let’s Encrypt settings for Nginx.

It wasn’t until I added the line:

```nginx
listen [::]:443 ssl http2 default_server ipv6only=on;
```

right after my `listen 443; # managed by Certbot`, that I got IPv6 SSL working. It seems the key directive here was to add the `ssl` in order to have it work properly over IPv6.

This was a great reminder that there can be a lot of edge cases in web applications, and it makes sense to test from multiple devices. I’d enabled IPv6 on my DigitalOcean droplet, but didn’t really have an IPv6-capable computer I could use for testing. Always check before using something new!
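The gap described above can be caught offline, without an IPv6-capable client. This is an added example, not code from the original post: it scans Nginx config text for ports that serve TLS on IPv4 but have no IPv6 listener, or have one without `ssl`. The sample configs and function names are constructed, and it assumes TLS is enabled through the `ssl` parameter on `listen` and that the text is a single site's config.

```python
import re

# Constructed sample: a Certbot-style server block with no IPv6 TLS listener.
SAMPLE_BROKEN = """
server {
    server_name example.test;
    listen 80;
    listen [::]:80;
    listen 443 ssl; # managed by Certbot
}
"""
# Same block with the line from the post added after the Certbot listener.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "# managed by Certbot",
    "# managed by Certbot\n    listen [::]:443 ssl http2 default_server ipv6only=on;",
)

# Matches active listen directives; commented-out lines start with '#'.
LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)

def parse_listen(args):
    """Return (family, port, has_ssl) for one listen directive, or None."""
    tokens = args.split()
    if not tokens or tokens[0].startswith("unix:"):
        return None
    addr, flags = tokens[0], tokens[1:]
    if addr.startswith("["):                      # e.g. [::]:443 or [::1]
        family, port = "ipv6", addr.partition("]")[2].lstrip(":")
    else:                                         # e.g. 443, *:443, 10.0.0.1
        family, port = "ipv4", addr.rsplit(":", 1)[-1]
    port = int(port) if port.isdigit() else 80    # nginx default port is 80
    return family, port, "ssl" in flags

def ipv6_tls_gaps(conf_text):
    """Map port -> problem for ports that serve TLS on IPv4 but not IPv6."""
    seen = {}  # (family, port) -> True if any listener there has ssl
    for match in LISTEN_RE.finditer(conf_text):
        parsed = parse_listen(match.group(1))
        if parsed:
            family, port, has_ssl = parsed
            seen[(family, port)] = seen.get((family, port), False) or has_ssl
    gaps = {}
    for (family, port), has_ssl in seen.items():
        if family == "ipv4" and has_ssl:
            v6 = seen.get(("ipv6", port))
            if v6 is None:
                gaps[port] = "no IPv6 listener"
            elif not v6:
                gaps[port] = "IPv6 listener lacks ssl"
    return gaps
```

An empty result means every IPv4 TLS port has a matching IPv6 TLS listener in the text; it does not prove the server is reachable over IPv6, which still needs a probe from an IPv6 network.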