Certbot failed to authenticate! Going in circles... it's definitely my fault

My domain is: mcleangradeandfill.com aggregateflyer.com aggregate-flyer.com

I ran this command: sudo certbot --apache -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: aggregate-flyer.com
2: aggregateflyer.com
3: heavy-spec.ddns.net
4: mcleangradeandfill.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):


An RSA certificate named heavy-spec.ddns.net already exists. Do you want to
update its key type to ECDSA?


(U)pdate key type/(K)eep existing key type: u


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/heavy-spec.ddns.net.conf)

It contains these names: heavy-spec.ddns.net

You requested these names for the new certificate: aggregate-flyer.com,
aggregateflyer.com, heavy-spec.ddns.net, mcleangradeandfill.com.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: e
Renewing an existing certificate for aggregate-flyer.com and 3 more domains

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: aggregate-flyer.com
Type: dns
Detail: no valid A records found for aggregate-flyer.com; no valid AAAA records found for aggregate-flyer.com

Domain: aggregateflyer.com
Type: dns
Detail: no valid A records found for aggregateflyer.com; no valid AAAA records found for aggregateflyer.com

Domain: heavy-spec.ddns.net
Type: dns
Detail: no valid A records found for heavy-spec.ddns.net; no valid AAAA records found for heavy-spec.ddns.net

Domain: mcleangradeandfill.com
Type: dns
Detail: no valid A records found for mcleangradeandfill.com; no valid AAAA records found for mcleangradeandfill.com

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.6 LTS

My hosting provider, if applicable, is: self served

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

I'm not sure where I've got the wires crossed... any tips on where to look? Thank you for reading!

1 Like

You are attempting to obtain certificates using an HTTP-01 challenge with domains that have only private IPs. That will never work. You need to either use publicly accessible IP addresses or consider switching to the DNS-01 challenge.

7 Likes

And to add to Link's post: with these private IP addresses configured, nobody on the public internet can reach your website at all, not just Let's Encrypt. As in: no visitors possible.

4 Likes

Thank you for the super quick help! Really appreciate this. I was digging around thinking I had some directory misaligned.

The way I have this set up is through a free service called No-IP. They register these domains and I have a little server running off my office internet connection. I don't see much traffic as this is just a small local business site. 5-10 views a day. Basically a single page site.

Would the solution be to use a public IP? (I didn't know there were 2 types 🤯) If so, what's the easiest way to track that down?

The DNS challenge seems to require access to A records, which I don't believe I can edit.

Thank you again,
Chris

1 Like

The DNS-01 challenge requires access to TXT records. Your A records are what are currently incorrect and they are used by the HTTP-01 challenge that is currently failing.

I'm not sure how you have misconfigured your No-IP account, but it would normally register your public IP in your A record. You might want to start by troubleshooting that, since it is going to prevent public access to your site.

You can check your current public IP many ways. Visiting a site like this is one.

I will also caution that your hosting strategy is suboptimal, especially considering your experience level. You are inviting a security incident into your home network.

You will be a lot safer hosting your site on someone else's infrastructure in a datacenter.

4 Likes
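A way to check the DNS side locally before re-running Certbot, as an added example (not code from this thread, from Certbot, Let's Encrypt or No-IP): it resolves each name to its A/AAAA records and reports, in the wording of the error above, every name whose records point only at addresses the public internet cannot reach (RFC 1918, IPv6 ULA, loopback, link-local and similar). The hostnames in the sample table are the ones from the thread, but the addresses attached to them are constructed to illustrate the failure mode; `public-sample.example` and `missing-sample.example` are constructed names, and 8.8.8.8 is used only as a well-known globally routable address.

```python
"""HTTP-01 pre-flight: do a hostname's A/AAAA records point at addresses a
Certificate Authority could ever reach?

Added example for this thread; it is not Certbot or Let's Encrypt code. It
reproduces, locally, the DNS-side check behind the "no valid A records found"
error: addresses in RFC 1918 space (10/8, 172.16/12, 192.168/16), IPv6 ULA
(fc00::/7), loopback, link-local and similar ranges are unreachable from the
internet, so a name that resolves only to such addresses can never pass HTTP-01.
"""
import ipaddress
import socket
import sys
from typing import Dict, List, Optional

# Constructed sample answers standing in for `dig A` / `dig AAAA` output.
# The .com and ddns.net names are from the thread; their addresses are invented
# here to show the failure. 8.8.8.8 is only a well-known globally routable address.
SAMPLE_RECORDS: Dict[str, List[str]] = {
    "mcleangradeandfill.com": ["192.168.1.50"],       # office LAN address (RFC 1918)
    "heavy-spec.ddns.net": ["10.0.0.5", "fd00::1"],   # RFC 1918 + IPv6 ULA
    "public-sample.example": ["8.8.8.8"],             # reachable: would pass
    "missing-sample.example": [],                     # no A/AAAA records at all
}


def unreachable_reason(address: str) -> Optional[str]:
    """Return why an address cannot be reached from the public internet, or None.

    Order matters: loopback and link-local are subsets of what the ipaddress
    module calls 'private', so the more specific properties are tested first
    to get a precise label.
    """
    addr = ipaddress.ip_address(address)
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_multicast:
        return "multicast"
    if addr.is_private:
        return "private (RFC 1918 / ULA / reserved range)"
    if addr.is_reserved:
        return "reserved"
    return None


def http01_blockers(records: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each hostname that cannot pass HTTP-01 to a message in the CA's wording.

    A name is a blocker when it has no records at all or when every record is
    unreachable. One reachable address is enough, so mixed answers are not flagged.
    """
    problems: Dict[str, str] = {}
    for host, addresses in records.items():
        if not addresses:
            problems[host] = f"no A/AAAA records found for {host}"
            continue
        reasons = {a: unreachable_reason(a) for a in addresses}
        if all(reasons.values()):
            detail = "; ".join(f"{a}: {why}" for a, why in reasons.items())
            problems[host] = f"no valid A/AAAA records found for {host} ({detail})"
    return problems


def lookup(hostname: str) -> List[str]:
    """Resolve a hostname to its A/AAAA addresses with the system resolver.

    Caveat: the system resolver honours /etc/hosts and split-horizon DNS, so it
    can show a LAN address that the CA never sees, or vice versa. For a faithful
    picture, query a public resolver (e.g. `dig @1.1.1.1 +short A example.com`)
    and feed those answers to http01_blockers() instead.
    """
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # With hostnames on the command line the live resolver is used; with none,
    # the constructed sample table is checked.
    names = sys.argv[1:]
    records = {n: lookup(n) for n in names} if names else SAMPLE_RECORDS
    blockers = http01_blockers(records)
    for host, message in blockers.items():
        print(f"Domain: {host}\nType: dns\nDetail: {message}\n")
    if not blockers:
        print("All names resolve to at least one publicly reachable address.")
```

Run it with no arguments to see the constructed sample flagged, or with `python3 http01_preflight.py mcleangradeandfill.com` to check the live records the machine's resolver returns; only names that resolve exclusively to unreachable addresses, or to nothing, are reported, which is exactly the set the CA lists under "Type: dns".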

I should add: all this trouble started about a month ago when I cleaned up the server's file directory. Cleaned out a bunch of files and folders that were old. Also simplified the directory structure. This is why I assumed I had broken some file structure dependency with Certbot...

Originally I redirected the 3 domains to the No-IP hosted site, heavy-spec.ddns.net, which then redirected to my IP for the little server in the office. This all worked well for years, until recently. I thought I could make it all simpler by just giving the No-IP name servers my server's IP and skipping the middle redirect to heavy-spec.ddns.net.

The websites all appear to work, if you skip the security warning.

Chris

They may work from your LAN, but I can assure you that no one on the internet can reach them.

4 Likes

Really appreciate the direction. I've at least got a new direction to dig.

I know the self hosting is not the safest or best. I really want to figure this type of networking out, so I just kinda brute force my way through it. So much to learn.

One day, if I'm lucky, I'll figure it out. Surely by then, all the standards will have changed and I'll need to restart.

Thanks
Chris

1 Like

It's all starting to make sense..

When I did the earlier mentioned purge of files and redirects I also changed from the auto update "duc" utility that No-IP offers in favor of just manually updating the IP as needed. I was having issues getting it to post the correct IP to the nameserver at No-IP.

This also correlated with Google Analytics changing, so I haven't been watching the traffic at all recently...

I have had a private website for a while it seems.

Can't thank you enough for taking time to help me with this.

3 Likes

RFC-1918 IP addresses are much like...
Using an internal telephone extension as your public phone number.

  • John Smith
  • Telephone number: Extension 1234

No one outside your own building telephone system will ever be able to call you.

3 Likes