Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems

rana@rana:~$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: tukka.online


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for tukka.online

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: tukka.online
Type: dns
Detail: no valid A records found for tukka.online; no valid AAAA records found for tukka.online

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Name:    tukka.online
Address: 192.168.100.4

The Internet isn't able to reach that IP.
You won't be able to validate your cert request via HTTP without using a valid Internet routable IP.

4 Likes

Any solution here?

Update your DNS to use a public IP like @rg305 indicated in the previous reply.

See these test results for more information.

If the host where you are running certbot is not accessible from the public internet, you won't be able to obtain a certificate using the method you have selected.

If you cannot make that site available from the internet, you will need to use the DNS-01 challenge instead.

4 Likes

Hi @Rana,

From the machine you are wanting to use Certbot on,
you can check what the Internet-visible IP addresses are with:

curl -4 ifconfig.me
curl -6 ifconfig.me

and/or

curl -4 ifconfig.co
curl -6 ifconfig.co

and/or

curl -4 ifconfig.io
curl -6 ifconfig.io

And then adjust your DNS A Records and AAAA Records (if any) to match.

Edit
Presently this is what I see for DNS Records.

2 Likes

Let's back up a minute.

What are you going to use the cert for?

If to secure a public website, then you'll need to change the IP so the public can reach your site.
If to secure a private website, then why use a public cert that expires every 90 days?
[instead, you could use a self-signed cert that can expire whenever you like]

Although the IP has changed:

Name:    tukka.online
Address: 192.168.2.64

It is still non-routable.
See: RFC-1918
[TLDR; You can't use IPs from 192.168.0.0/16 over the Internet]

3 Likes
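
A pre-flight check for the point made in the replies above, written as an added example (not code from the thread or from Certbot): it classifies a name's A/AAAA addresses and reports whether any of them sits in RFC 1918 or another non-global range, which is what makes HTTP validation fail here. The function names and the sample address 8.8.8.8 are choices made for this example, as is the rule that a name passes only when every record is public.

```python
import ipaddress
import socket
import sys

# RFC 1918 private IPv4 blocks; 192.168.0.0/16 is the one seen in this thread.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Return 'public' or the reason the address is unreachable from the Internet."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918-private"
    if not ip.is_global:
        return "non-global"  # e.g. IPv6 ULA fc00::/7 or CGNAT 100.64.0.0/10
    return "public"

def resolve(name):
    """A and AAAA addresses for name, as seen by the local resolver."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # Drop any IPv6 scope suffix ("%eth0") before parsing.
    return sorted({info[4][0].split("%")[0] for info in infos})

def preflight(name, addrs=None):
    """Return (ok, {address: verdict}); ok needs >=1 record and all of them public."""
    if addrs is None:
        addrs = resolve(name)
    report = {a: classify(a) for a in addrs}
    ok = bool(report) and all(v == "public" for v in report.values())
    return ok, report

if __name__ == "__main__":
    if len(sys.argv) > 1:
        checks = [(n, None) for n in sys.argv[1:]]
    else:
        # Constructed sample input: the two addresses quoted in the thread.
        checks = [("tukka.online", ["192.168.100.4"]),
                  ("tukka.online", ["192.168.2.64"])]
    for name, addrs in checks:
        ok, report = preflight(name, addrs)
        print(name, "OK" if ok else "NOT reachable for HTTP validation", report)
```

`resolve()` asks the local resolver, so a hosts-file entry or split-horizon DNS can give a different answer from the one the Certificate Authority sees; pass the addresses from a public lookup to `preflight()` when in doubt.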
