Can't obtain a cert even after paying for domain

I see. I'm sorry for the misinformation. Thanks for correcting me. They're on the server, but I cannot import them into my browser.

I did find my external IP 164.153.58.248. I take it that still won't matter because of CGNAT?

I'll be moving by Dec 14th, so I'll put this to rest till then. Thanks for pointing out those verification sites.

1 Like

Are they being served by the web server? Shouldn't need to import anything into the browser.

3 Likes

I am assuming that is the IPv4 Address of the machine running the browser, correct?

1 Like

Yes, that's correct.

1 Like

Correct.

1 Like

Are they being served by the web server?

I assume so. I don't know how to confirm that... Do you have a command to enter?

Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

1 Like

Thanks, I appreciate the help Bruce5051

2 Likes

Does HTTP:THAT_IP reach your server?
I doubt it.

2 Likes

Yes.
gary@nextcloud:~$ dig +short myip.opendns.com @resolver1.opendns.com
164.153.58.248

I can't connect to that IP address on any port. It seems to belong to WC Tel (West Carolina Tel), but I can't find anything about carrier grade NAT for that ISP. Also whois 164.153.58.248 doesn't tell me much either.

Besides the curl OpenDNS command, how did you find your external IP address? To know for sure, you should check the WAN IP address of the modem which is connected to whatever connection WCTel is providing to your home.

3 Likes
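The comparison suggested in the post above (the modem's WAN address against the address an outside resolver reports), written out as an added example that is not part of the original thread. The function name and the sample WAN addresses are constructed for illustration; only 164.153.58.248 comes from the thread.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: the device is behind another customer-side router.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, external_ip: str) -> str:
    """Compare the WAN address shown on the modem/router status page with
    the address seen from outside (e.g. the dig/OpenDNS lookup).

    Returns one of:
      "cgnat"      - WAN is in 100.64.0.0/10; inbound 80/443 cannot be forwarded
      "double-nat" - WAN is RFC 1918; another NAT device sits upstream
      "mismatch"   - WAN is public but differs from the external view
      "direct"     - WAN equals the external address; port forwarding can work
    """
    wan = ipaddress.ip_address(wan_ip)
    ext = ipaddress.ip_address(external_ip)
    if wan.version != 4 or ext.version != 4:
        raise ValueError("this check only covers IPv4 addresses")
    if wan in CGNAT_NET:
        return "cgnat"
    if any(wan in net for net in PRIVATE_NETS):
        return "double-nat"
    if wan != ext:
        return "mismatch"
    return "direct"


if __name__ == "__main__":
    external = "164.153.58.248"          # address reported in the thread
    samples = [                          # constructed WAN values
        "100.64.12.34",
        "192.168.1.2",
        "164.153.58.248",
    ]
    for wan in samples:
        print(f"WAN {wan:<16} external {external} -> {classify_wan(wan, external)}")
```

Only the "direct" result means an http-01 challenge can reach the server once ports 80/443 are forwarded; with the other results, dns-01 remains the way to issue a certificate, and inbound reachability has to be solved separately.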

And the OpenDNS from the server directly.

I think it's the cert, as the picture above notes, "The website does not supply ownership information."

I'm going to take my server over to my daughter's house tomorrow. She has Vyve broadband, which I had before when my certs worked. Delete the cert, then run:
"sudo certbot --apache" and see if it creates one. I'll update this thread after doing so.

Thanks for your input...

1 Like

Why would you delete the certificate for goodness sake? There are better ways to check the connectivity, no reason to delete a perfectly fine certificate!

Also, the notion "The website does not supply ownership information" is expected from a DV certificate, as it's not an OV certificate. So no issue there: it's not an error of any kind. That's perfectly fine.

4 Likes

Because I am currently trying the DNS01 challenge and it doesn't seem to work. I'll remove the TXT record from the DNS management on GoDaddy and just create a regular cert the way I know works...

So you've managed to get a certificate using the dns-01 challenge successfully? (Four of them apparently...) Why would that lead to your conclusion "and it doesn't seem to work"? Problems with your network connectivity, either being CG-NAT or something much simpler such as missing NAT portmaps in your CPE, would not have been magically fixed by getting a cert using the dns-01 challenge. (Unless your ISP would be blocking port 80, but allowing port 443, but we probably would have seen that earlier already.)
So I fail to see the relationship between those conclusions you seem to have. And thus I don't see why removing a perfectly fine cert would help your connectivity issue? Nor debugging it. You can use the staging server with a different --cert-name to debug the http-01 challenge without deleting the already issued certificate(s).

Also keep the rate limits in mind.

5 Likes

You're right. I'm probably grasping at straws. My server and certs worked fine while on Vyve. I moved to where I am on Wctel, where it doesn't work. When I tried to get a new cert, the certbot info said no A or AAAA record. I searched Google and some suggested getting a domain, so I bought one. Before that I was just using duckdns, which worked fine for me. After buying the domain it still didn't work. I then started this thread. One of the options was to try using the DNS01 challenge. It's not working, so it probably won't due to the CGNAT of Wctel. I'm not going to bother them because I'll be moving in a couple weeks to another place that also has Wctel and I'll work with them from that location.

I don't mean to ruffle any feathers. Just doing my best to figure it out. 1st time certs not working, so I have no background in troubleshooting or making it work...

Thanks for your input...

1 Like

But that's the incorrect conclusion. Or perhaps I don't understand you correctly. Because it's not the certificate that isn't working: once you've issued one using the dns-01 challenge (which could be automated by the way, possibly giving you a nice wildcard cert if you're interested). That issued cert is just fine. It's your connectivity that's at fault. And no certificate can fix that.

I assume you've checked for NAT portmapping on your own Wctel device? It looks like CG-NAT, but I haven't found definitive proof.

3 Likes

I'll hook up my server to my daughter's network tomorrow and see if it just all works without deleting the cert or trying to make a new one. I'll update the thread at that time. Thanks...

1 Like

You need to review your ISP agreement/bill.
If you are on a CGNAT plan, the external IP you see is shared by many [not for your inbound use].

3 Likes

I will do so after I move to a new location in a couple weeks. Thx

4 Likes