Can't generate Certificate DNS problem

Hi, it's been two weeks that I've been trying to generate a cert with nginx, with no success.

My domain is: allesys-back.shop

I ran this command: sudo certbot --nginx -d allesys-back.shop -d www.allesys-back.shop

It produced this output:

Requesting a certificate for allesys-back.shop and www.allesys-back.shop

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: allesys-back.shop
  Type:   dns
  Detail: no valid A records found for allesys-back.shop; no valid AAAA records found for allesys-back.shop

  Domain: www.allesys-back.shop
  Type:   dns
  Detail: no valid A records found for www.allesys-back.shop; no valid AAAA records found for www.allesys-back.shop

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is: certbot 1.21.0

If I run nslookup www.allesys-back.shop I receive:
Server: 192.168.0.1 Address: 192.168.0.1#53
That's correct.

I've added to nginx the domain and I'm able to reach my api using the allesys-back.shop domain.

In my Hostinger panel I've already added my IPv4 to A and my IPv6 to AAAA, and I still can't generate the cert.
I read loads of topics here with different solutions, but none worked for me.
I'm very new to encrypting.

Welcome to the Let's Encrypt Community, Gabriel! :slight_smile:

How is the Let's Encrypt validation server going to reach your server with a private IP address (192.168.0.1)?

3 Likes

This says it all:

5 Likes

Using the online tool https://unboundtest.com/

  1. DNS CAA Record - https://unboundtest.com/m/CAA/allesys-back.shop/NZAFED57
  2. DNS A Record - https://unboundtest.com/m/A/allesys-back.shop/EBOTJQBB
  3. DNS AAAA Record - https://unboundtest.com/m/AAAA/allesys-back.shop/E7H6YUY3

There are no A or AAAA DNS records. You are trying to use the HTTP-01 challenge (see Challenge Types - Let's Encrypt), which requires port 80 access on the domain pointing (directly or indirectly) to an IP address.
If that is not possible, the only challenge type available is the DNS-01 challenge.

1 Like

...and just in case the previous posts aren't clear enough: The problem is that the DNS record for allesys-back.shop points to a private IP address. The Internet at large can't connect to private IP addresses (after all, they're private), and Let's Encrypt needs to be able to connect to your server to validate your control over the domain name. You'll need to either point the domain to a public IP address or use a different method of validation.

6 Likes
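A pre-flight check for what the replies above describe, added here as an example (it is not from the thread or from Certbot): it classifies a name's A/AAAA answers the way the CA would, rejecting the private 192.168.0.1 and accepting the public 200.53.25.208, and can try a TCP connect to port 80. The sample records are constructed; `resolve` and `port_open` need network access and are not used by the offline check.

```python
import ipaddress
import socket

# Constructed sample answers: the private resolver IP quoted in the thread
# and the public IP the poster later found via ipecho.net.
SAMPLE_RECORDS = {
    "www.allesys-back.shop": ["192.168.0.1"],
    "allesys-back.shop": ["200.53.25.208"],
}


def classify_records(addresses):
    """Return the problems an ACME CA would hit with these A/AAAA answers.

    HTTP-01 needs at least one globally routable answer: the CA connects
    to it on port 80, so a private, loopback or link-local address can never
    validate, and an empty answer fails with "no valid A records found".
    """
    if not addresses:
        return ["no A/AAAA records"]
    problems = []
    for raw in addresses:
        ip = ipaddress.ip_address(raw)
        if ip.is_loopback or ip.is_link_local:
            problems.append(f"{raw} is loopback/link-local")
        elif ip.is_private:
            problems.append(f"{raw} is a private address (RFC 1918 / ULA)")
        elif not ip.is_global:
            problems.append(f"{raw} is not globally routable")
    return problems


def resolve(name):
    """Live lookup through the system resolver (needs network)."""
    infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def port_open(addr, port=80, timeout=3.0):
    """True if a TCP connect to addr:port succeeds from this host.

    A connect from inside the LAN does not prove the router forwards the
    port; run it from a host outside your network to be sure.
    """
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, addrs in SAMPLE_RECORDS.items():
        print(name, addrs, classify_records(addrs) or "ok for HTTP-01")
```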

Why would you wait two weeks before asking for free help?

4 Likes

Many thanks for all the replies! You guys are awesome. I didn't ask because I was browsing all the questions before asking. I'll read all the attached links and try to change the IP to the public one, then I'll come here to say if I was able to solve the problem. Once again, thanks for all your help.

2 Likes

Finally I got a different error. I used the command:

wget -qO- https://ipecho.net/plain ; echo

And it gave me the IP 200.53.25.208

Then I added the IP to Hostinger and now I'm receiving:

I disabled the ufw firewall just in case, but everything was allowed.
But when I check the domain in the Network Utility on Mac, it doesn't show that my ports are open for the public IP (I read a post from a guy that had the same problem here).
If I set the domain to the private one on Hostinger, it shows that the ports are open.
I'm kinda lost on this. :sweat:

You say your hosting provider is Hostinger, but that IP doesn't seem to belong to them. Seems like they're your registrar/DNS provider.

So how exactly is your website hosted? Are there any routers/firewall appliances between the machine and the internet?

1 Like

I'm basically using a mini PC as a server wired to my TP-Link router. I'm using nginx running a Node.js API.
There is the UFW firewall, but it's deactivated, and even when activated everything is allowed.
My Nginx configs are:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    # the "index" directive name was missing; nginx rejects the bare file list
    index index.html index.htm index.nginx-debian.html;

    server_name www.allesys-back.shop;

    location / {
        # no colon after proxy_pass; "proxy_pass:" is a syntax error
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        # "try_files $uri $uri/ =404;" was dropped here: in a proxied location it
        # looks for files under /var/www/html and returns 404 for anything not
        # found there, so API requests would never reach the Node.js backend
    }
}

Yes, my domain provider is Hostinger and my Hostinger configs are:

Did you forward the relevant ports (80, 443) from your router to your mini PC?

3 Likes
