Can't obtain a cert even after paying for domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gwiz.site

I ran this command: certbot --apache -d gwiz.site

It produced this output:
root@nextcloud:/etc/apache2/sites-available# certbot --apache -d gwiz.site
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for gwiz.site

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: gwiz.site
Type: dns
Detail: no valid A records found for gwiz.site; no valid AAAA records found for gwiz.site

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.1 LTS x86_64

My hosting provider, if applicable, is: (for domain only) GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): GoDaddy's DNS management

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.0

Hello @garyw5709, welcome to the Let's Encrypt community. :slightly_smiling_face:

Best Practice - Keep Port 80 Open
There is nothing listening on Port 80 (HTTP) nor Port 443 (HTTPS)

$ nmap -Pn gwiz.site
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-12-01 13:54 PST
Stats: 0:01:45 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 51.50% done; ETC: 13:57 (0:01:39 remaining)
Nmap scan report for gwiz.site (100.81.227.86)
Host is up.
All 1000 scanned ports on gwiz.site (100.81.227.86) are filtered

Nmap done: 1 IP address (1 host up) scanned in 203.25 seconds

Here is what I find with nslookup, nothing jumps out at me.

$ nslookup
> gwiz.site
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   gwiz.site
Address: 100.81.227.86
> set q=ns
> gwiz.site
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
gwiz.site       nameserver = ns25.domaincontrol.com.
gwiz.site       nameserver = ns26.domaincontrol.com.

Authoritative answers can be found from:
ns25.domaincontrol.com  internet address = 97.74.102.13
ns25.domaincontrol.com  has AAAA address 2603:5:2161::d
ns26.domaincontrol.com  internet address = 173.201.70.13
ns26.domaincontrol.com  has AAAA address 2603:5:2261::d
> set q=soa
> gwiz.site
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
gwiz.site
        origin = ns25.domaincontrol.com
        mail addr = dns.jomax.net
        serial = 2022120106
        refresh = 28800
        retry = 7200
        expire = 604800
        minimum = 600

Authoritative answers can be found from:
> server ns25.domaincontrol.com
Default server: ns25.domaincontrol.com
Address: 97.74.102.13#53
> gwiz.site
Server:         ns25.domaincontrol.com
Address:        97.74.102.13#53

gwiz.site
        origin = ns25.domaincontrol.com
        mail addr = dns.jomax.net
        serial = 2022120106
        refresh = 28800
        retry = 7200
        expire = 604800
        minimum = 600
> set q=ns
> gwiz.site
Server:         ns25.domaincontrol.com
Address:        97.74.102.13#53

gwiz.site       nameserver = ns25.domaincontrol.com.
gwiz.site       nameserver = ns26.domaincontrol.com.
> set q=cname
> gwiz.site
Server:         ns25.domaincontrol.com
Address:        97.74.102.13#53

*** Can't find gwiz.site: No answer
> set q=aaaa
> gwiz.site
Server:         ns25.domaincontrol.com
Address:        97.74.102.13#53

*** Can't find gwiz.site: No answer
> set q=a
> gwiz.site
Server:         ns25.domaincontrol.com
Address:        97.74.102.13#53

Name:   gwiz.site
Address: 100.81.227.86
>
2 Likes

The letsencrypt log if it helps:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: gwiz.site
Type: dns
Detail: no valid A records found for gwiz.site; no valid AAAA records found for gwiz.site

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

2022-12-01 16:28:30,098:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/snap/certbot/2539/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/snap/certbot/2539/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-12-01 16:28:30,098:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-12-01 16:28:30,098:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-12-01 16:28:30,300:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/2539/bin/certbot", line 8, in
sys.exit(main())
File "/snap/certbot/2539/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/snap/certbot/2539/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
return config.func(config, plugins)
File "/snap/certbot/2539/lib/python3.8/site-packages/certbot/_internal/main.py", line 1441, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/snap/certbot/2539/lib/python3.8/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/snap/certbot/2539/lib/python3.8/site-packages/certbot/_internal/client.py", line 530, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/snap/certbot/2539/lib/python3.8/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/snap/certbot/2539/lib/python3.8/site-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/snap/certbot/2539/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/snap/certbot/2539/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-12-01 16:28:30,302:ERROR:certbot._internal.log:Some challenges have failed.

I port forward port 80 and 443 to my nextcloud server:

I can get to the interface here: https://gwiz.site/nextcloud

1 Like

@Bruce5051 The error message presented clearly states a DNS problem. So keeping port 80 open is not relevant for now.

@garyw5709 Your domain name resolves to the IP address 100.81.227.86. That is a private IP address range and unfortunately not a public IP address reachable by the internet at large, which is required for successful validation of your hostname and thus getting a certificate. Is that the actual """public""" IP address provided by your internet service provider? If so, perhaps you're behind CG-NAT?

If you're indeed behind CG-NAT and don't have any means for inbound TCP connectivity, then the only option for validating your hostname to get a certificate with Let's Encrypt is using the dns-01 challenge.

12 Likes

100.81.227.86 is part of this IPv4 address range:
100.64.0.0/10 (100.64.0.0–100.127.255.255, 4194304 addresses): shared address space for communications between a service provider and its subscribers when using a carrier-grade NAT.

Using the online tool https://letsdebug.net/ the results here Let's Debug

https://www.rfc-editor.org/rfc/rfc6598.html

From here IANA IPv4 Special-Purpose Address Registry


7 Likes
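To make the reachability point from the two posts above concrete, here is an added example (not from the thread, Let's Encrypt or Certbot) that checks whether a name's A/AAAA answers fall inside a range a public CA can never connect to, which is exactly the case the "no valid A records found" error describes. The range labels and the sample record set are constructed for this example; only the CIDR blocks come from the RFCs.

```python
import ipaddress

# Ranges no validation server on the public Internet can reach.
# CIDRs from RFC 1918, RFC 6598 (CG-NAT shared space), RFC 4193 and
# the loopback/link-local assignments; the labels are constructed here.
UNROUTABLE_RANGES = [
    (ipaddress.ip_network("10.0.0.0/8"), "RFC 1918 private"),
    (ipaddress.ip_network("172.16.0.0/12"), "RFC 1918 private"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC 1918 private"),
    (ipaddress.ip_network("100.64.0.0/10"), "RFC 6598 shared address space (CG-NAT)"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
    (ipaddress.ip_network("::1/128"), "loopback"),
    (ipaddress.ip_network("fc00::/7"), "RFC 4193 unique local"),
    (ipaddress.ip_network("fe80::/10"), "link-local"),
]


def classify(addr: str) -> str:
    """Label why an address is unreachable, or return 'public' if it is routable."""
    ip = ipaddress.ip_address(addr)
    for net, label in UNROUTABLE_RANGES:
        if ip in net:  # mixed v4/v6 comparisons simply evaluate to False
            return label
    return "public"


def http01_feasible(records):
    """records maps record type ('A'/'AAAA') to the address strings returned for the name.

    Mirrors the CA's check: HTTP-01 (and Certbot's --apache) can only succeed if at
    least one A or AAAA record is publicly routable. Returns (feasible, reasons)."""
    reasons = []
    feasible = False
    for rtype in ("A", "AAAA"):
        for addr in records.get(rtype, []):
            label = classify(addr)
            if label == "public":
                feasible = True
            else:
                reasons.append(f"{rtype} {addr}: {label}")
    if not records.get("A") and not records.get("AAAA"):
        reasons.append("no A or AAAA records")
    return feasible, reasons


if __name__ == "__main__":
    # Constructed sample mirroring the thread: only an A record in CG-NAT space.
    ok, why = http01_feasible({"A": ["100.81.227.86"], "AAAA": []})
    print("HTTP-01 feasible:", ok)
    for reason in why:
        print(" -", reason)
```

When this returns False, the fix is at the network layer (a routable address from the ISP, or a host that has one), or a switch to the DNS-01 challenge, which does not need inbound connectivity.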

That is the actual IP address coming into my firewall. I had NAT turned on, but just turned it off. Let me run certbot again...

Max entries exceeded:
root@nextcloud:/etc/apache2/sites-available# certbot --apache -d gwiz.site
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f1ddd93efa0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

$ nslookup
> server ns25.domaincontrol.com.
Default server: ns25.domaincontrol.com.
Address: 97.74.102.13#53
> gwiz.site
Server:         ns25.domaincontrol.com.
Address:        97.74.102.13#53

Name:   gwiz.site
Address: 100.81.227.86
>

The IPv4 address 100.81.227.86 is not publicly accessible from the Internet because it is part of the reserved IP addresses, as @Osiris has previously stated above.

9 Likes

So I'm out of luck in getting an SSL cert? Any other options besides paying $75 for an SSL cert outright?

First what are you using these Domain Validation (DV) certificates for?

There is the DNS-01 challenge (Challenge Types - Let's Encrypt) you could use to get Let's Encrypt certificates; however, nobody from the Internet would be able to access your domain due to the reserved IP address. Possibly that is not an issue for you; for many it would be.
No Certificate Authority's certificate can solve that issue. So after spending $75 you would still have the same problem.

9 Likes

You probably messed up the connectivity of your host in general, unrelated to Let's Encrypt.

NAT on your own premise is not an issue as long as the proper port maps are in place. NAT is only a problem if it's at your ISP, "CG-NAT".

You need to figure out what IP address the device which connects to your ISP gets.

7 Likes

I'll see what I can find out about it on my end. Thanks for the assist, guys...

2 Likes

This IP address is in a range commonly used as CG-NAT space. In this case this is the IP address your ISP assigned to you, but it's not publicly routable. Your ISP employs an additional layer of NAT on their routers. Let's Encrypt cannot connect to that IP.

If you can only use CG-NAT, your site can't be reached from outside your ISP. You can still get a Let's Encrypt cert using the DNS-01 challenge, but the usual default HTTP-01 challenge will not work.

10 Likes

Note also that there are (at least) two methods of getting Google DNS. One (the 'free' one) is not conducive to being "programmed", and that could mean that you will find using DNS-01 difficult unless you are in a position to control a separate DNS server of your own. See https://si.okiefrog.org/ for some material which may be helpful.

I do suggest that you solve one problem at a time ...

9 Likes

I assume with this being nextcloud that you want to access it from anywhere. With CGNAT that is impossible, however if you contact your ISP they might give you a publicly routable address if you ask. Some do this for free, others charge a few dollars a month for one, or they might not do it at all without a business plan.

Unfortunately this is only going to get more widespread with IPv4 exhaustion.

3 Likes

Guys, I tried the DNS challenge to obtain a cert following this short video: https://www.youtube.com/watch?v=VjMRfF7hXIg
I ran this command: sudo certbot --manual --preferred-challenges dns certonly -d gwiz.site
It provided a cert:
certbot certificates


Found the following certs:
Certificate Name: gwiz.site
Serial Number: 3cc2d465a3a319673440ce5fb5720e19b77
Key Type: RSA
Domains: gwiz.site
Expiry Date: 2023-03-03 17:31:34+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/gwiz.site/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gwiz.site/privkey.pem


Created a TXT record in my domain management on GoDaddy:
_acme-challenge.gwiz.site.
with the following value:
ipRQ3i9poBgOwu5pD8klbRllmPoiTWKeGdiNPSjZZWE

Verified it on https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.gwiz.site.

I can reach my server: https://gwiz.site/nextcloud but still no joy in Mudville. I can reach the server with the http prefix. The error I get is the uploaded .png file:

Seems I've got a cert but can't implement it. Did I create the cert wrong? I am running Apache. Should I retry with the --apache option? I'm using Firefox 107.0.1 (64-bit).

Or am I beating a dead horse?

Thanks for any assistance......

Screenshot_2022-12-03_15-00-40

Using https://crt.sh/ here is a list of issued certificates (crt.sh | gwiz.site), the latest being 2022-12-02. So the domain name has successfully been issued certificates.

And using https://letsdebug.net/ the domain name is not showing issues with results here Let's Debug

I cannot reach your server, nor can the rest of the world using this online tool https://check-host.net/
as the present IPv4 address of 100.81.231.60 is still in

1 Like

After that what did you do with the issued certificates?

2 Likes