Certbot Fails stating "No valid A records found for anthonycregan.dev" when clearly there are

My domain is:

I ran this command:
sudo certbot --nginx

It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: anthonycregan.dev
Type: dns
Detail: no valid A records found for anthonycregan.dev; no valid AAAA records found for anthonycregan.dev

My web server is (include version):
Ubuntu running on raspberry pi (nginx as reverse proxy to express server)

The operating system my web server runs on is (include version):
Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is:
Domain is registered with Namecheap and can be seen to have an "A" record if you use this tool here:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

The online tool https://unboundtest.com/ does not find any DNS A records


Where Let's Debug finds https://letsdebug.net/anthonycregan.dev/1535186 an IPv4 address which is in the private IPv4 address space and is therefore neither routable nor reachable from the public Internet.

A private, inaccessible, IANA/IETF-reserved IP address was found for anthonycregan.dev. Let's Encrypt will always fail HTTP validation for any domain that is pointing to an address that is not routable on the internet. You should either remove this address and replace it with a public one or use the DNS validation method instead.

DNS Spy report for anthonycregan.dev shows

$ dig +short anthonycregan.dev

That is not a publicly routable ip address.

To issue a certificate to you, Let's Encrypt needs to verify that you own the requested domain name(s). With the --nginx option it would entail passing an HTTP-01 challenge, which in turn entails connecting to an IP behind a domain name, which in your case wouldn't be possible.


I have used wget http://anthonycregan.dev and receive back the expected html doc over public internet so it should be accessible.

But checks from around the world get "Connection timed out".


Did you do that on your own local network?
I bet the machine you did the wget from was also on the same 10.*/8 network


Yes it was on the same network.

So you said "That is not a publicly routable ip address."

What did you mean by that?
I should be able to set my A record to that address and have the domain name resolve to it right?

You can read about that here Private network - Wikipedia


So because my ISP assigned IP starts with 10 I am unable to point a domain name at it because it's considered a 'private IP' address?

Correct! :slight_smile:


You can point a domain name on it, but that computer is not on the public internet and is not accessible to anyone outside of your ISP's network.

If you only need a website and SSL certificate for use within your ISP's network, you can use the DNS-01 challenge.

If you want your website to be visible to the general public, you will need your ISP to give you a public IP address or use a hosting provider elsewhere.


Well that's not ideal but I appreciate your help - at least I won't be banging my head against this all night in vain. Thanks for everyone's help.


Is the IP address from your ISP actually in the range? (I.e., the address on your router's WAN interface.) Or just your local network?

Due to the shortage of public IPv4 addresses, ISPs often turn to carrier grade NAT (CG-NAT) unfortunately.
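The two replies above both come down to one question: is the address in the A record one the public Internet can route to? The classifier below is an added example, not code from the thread or from Certbot; it uses Python's standard `ipaddress` module to flag the RFC 1918 private ranges (including the 10/8 block the poster saw) and the RFC 6598 100.64.0.0/10 shared range that carrier-grade NAT uses, and the sample records it checks are constructed for illustration.

```python
import ipaddress

# Address space that is not reachable from the public Internet, so an A record
# pointing here can never pass an HTTP-01 challenge. 10/8, 172.16/12 and
# 192.168/16 are RFC 1918 private space; 100.64/10 is the RFC 6598 shared
# space that ISPs hand out behind carrier-grade NAT (CG-NAT).
NON_ROUTABLE_V4 = {
    "RFC 1918 private": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "RFC 6598 CG-NAT": [ipaddress.ip_network("100.64.0.0/10")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
}


def classify(address: str) -> str:
    """Return 'public' or the reason an address cannot be a public A/AAAA target."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        for reason, nets in NON_ROUTABLE_V4.items():
            if any(ip in net for net in nets):
                return reason
        # is_global excludes documentation, multicast and other reserved blocks
        return "public" if ip.is_global else "reserved/other"
    # IPv6: fc00::/7 unique-local, fe80::/10 link-local and ::1 are all unreachable
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "unique local / private"
    return "public" if ip.is_global else "reserved/other"


def check_records(records: dict) -> list:
    """Given {domain: [addresses]}, list every (domain, address, reason) that
    would make Let's Encrypt's HTTP-01 validation fail before it even connects."""
    problems = []
    for domain, addresses in records.items():
        for address in addresses:
            reason = classify(address)
            if reason != "public":
                problems.append((domain, address, reason))
    return problems


if __name__ == "__main__":
    # Constructed sample: a 10/8 address like the one in the thread, a CG-NAT
    # address, and a public one (8.8.8.8 is only used here as a known public IP).
    sample = {
        "example.test": ["10.20.30.40", "100.70.1.1"],
        "public.example.test": ["8.8.8.8"],
    }
    for domain, address, reason in check_records(sample):
        print(f"{domain}: {address} is {reason}; HTTP-01 cannot reach it")
```

Run it against the output of `dig +short yourdomain` (and `curl -4 ifconfig.co` for the address your ISP actually gives you): if either lands in the RFC 1918 or RFC 6598 buckets, the fix is a public address or a port forward on a public WAN IP, not a Certbot setting.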


@ACregan you can check your Public Internet IP Address with

curl -4 ifconfig.co
curl -6 ifconfig.co


curl -4 ifconfig.io
curl -6 ifconfig.io

The -4 is for IPv4 addresses, the -6 is for IPv6 addresses.


Ah OK, that produces

So it could be that all is not lost! If I set it up on my router to traffic connections to that address on ports 80/443 to my pi server then that should fix it should it not?

Yes, that is a significant step forward.
You would need the DNS A record to use that IPv4 Address of,
now if that dynamically changes from time to time the DNS A record needs updating as well.

Also presently both Port 80 and 443 are not OPEN but filtered

$ nmap -Pn -p80,443
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-30 13:08 PDT
Nmap scan report for bb121-6-138-122.singnet.com.sg (
Host is up.

80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.71 seconds
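The difference between "filtered" and "closed" in that nmap output is the useful signal: "closed" means the SYN reached the router and got a RST back (port forward not set up), while "filtered" means nothing answered at all (dropped by a firewall, CG-NAT, or the ISP). The probe below is an added example, not code from the thread or from nmap; it reproduces that three-way classification with a plain TCP connect so you can re-check 80 and 443 after changing the port-forwarding rules. The `host` and `ports` arguments are whatever you pass in; the demo at the bottom only uses a local listener so it runs offline.

```python
import socket


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP port from a single connect attempt, nmap-style.

    'open'     - handshake completed: something is listening and the
                 forward/firewall let the SYN through
    'closed'   - the host answered with RST: reachable, but nothing is
                 listening or forwarded on that port
    'filtered' - no answer before the timeout: the SYN was silently dropped
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:  # e.g. EHOSTUNREACH / ENETUNREACH: no route at all
        return f"error: {exc.strerror or exc}"
    finally:
        sock.close()


def check_web_ports(host: str, ports=(80, 443), timeout: float = 3.0) -> dict:
    """Probe the ports an HTTP-01 challenge depends on and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Offline demo: a listener on an ephemeral loopback port shows 'open',
    # and the same port shows 'closed' once the listener is gone.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    print(port, probe_tcp("127.0.0.1", port, 1.0))
    listener.close()
    print(port, probe_tcp("127.0.0.1", port, 1.0))
    # Real use, from a machine OUTSIDE your own network (a phone on mobile
    # data, a VPS), e.g. check_web_ports("your.public.ip.address")
```

Run it from outside your own LAN: from inside, the router's NAT loopback can make a port look open when it is still filtered from the Internet, which is exactly the trap the wget test earlier in the thread fell into.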

I've used my router's port forwarding to forward 80 and 443 but it's 4:10 in the morning here in Singapore and my wife will be very angry if I don't go to bed soon :slight_smile:
I'll pick this up again tomorrow, thank you very much for all your help. I've been stuck on this for days and this finally feels like progress again.


Get a good night's rest. :sleeping_bed: