Certbot Fails stating "No valid A records found for anthonycregan.dev" when clearly there are

My domain is:
anthonycregan.dev

I ran this command:
sudo certbot --nginx

It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: anthonycregan.dev
Type: dns
Detail: no valid A records found for anthonycregan.dev; no valid AAAA records found for anthonycregan.dev

My web server is (include version):
Ubuntu running on raspberry pi (nginx as reverse proxy to express server)

The operating system my web server runs on is (include version):
Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is:
Domain is registered with Namecheap and can be seen to have an "A" record if you use this tool here:
https://toolbox.googleapps.com/apps/dig/#A/

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
2.6.0

The online tool https://unboundtest.com/ does not find any DNS A records
https://unboundtest.com/m/A/anthonycregan.dev/L3E5LO7T

2 Likes

Where Let's Debug finds https://letsdebug.net/anthonycregan.dev/1535186 an IPv4 address of 10.62.247.114, which is in the private IPv4 address space and therefore not routable nor reachable from the public Internet.

ReservedAddress
Fatal
A private, inaccessible, IANA/IETF-reserved IP address was found for anthonycregan.dev. Let's Encrypt will always fail HTTP validation for any domain that is pointing to an address that is not routable on the internet. You should either remove this address and replace it with a public one or use the DNS validation method instead.
10.62.247.114 
3 Likes

DNS Spy report for anthonycregan.dev shows

3 Likes

$ dig +short anthonycregan.dev
10.62.247.114

That is not a publicly routable IP address.

To issue a certificate to you, Let's Encrypt needs to verify that you own the requested domain name(s). With the --nginx option it would entail passing an HTTP-01 challenge, which in turn entails connecting to the IP behind the domain name, which in your case wouldn't be possible.

4 Likes

I have used wget http://anthonycregan.dev and receive back the expected html doc over public internet so it should be accessible.

But from around the world (permanent link to this check report) I get "Connection timed out".

4 Likes

Did you do that on your own local network?
I bet the machine you did the wget from was also on the same 10.*.*.*/8 network.

4 Likes

Yes it was on the same network.

So you said "10.62.247.114 - That is not a publicly routable IP address."

What did you mean by that?
I should be able to set my A record to that address and have the domain name resolve to it, right?

You can read about that here Private network - Wikipedia

3 Likes

So because my ISP-assigned IP starts with 10, I am unable to point a domain name at it because it's considered a 'private IP' address?

Correct! :slight_smile:

4 Likes

You can point a domain name on it, but that computer is not on the public internet and is not accessible to anyone outside of your ISP's network.

If you only need a website and SSL certificate for use within your ISP's network, you can use the DNS-01 challenge.

If you want your website to be visible to the general public, you will need your ISP to give you a public IP address or use a hosting provider elsewhere.

5 Likes
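A pre-flight check for the problem diagnosed above (added example, not from the thread or from Certbot): it classifies each resolved address the way Let's Debug does and reports whether an HTTP-01 challenge can succeed at all. The `NON_ROUTABLE` table and the sample addresses are constructed from the ranges discussed in the thread; `resolve()` uses the local resolver and is only for interactive use.

```python
import ipaddress
import socket
from typing import Optional

# Ranges Let's Encrypt's validators cannot reach from the public Internet
# (the thread hit the first one; CG-NAT is the other common ISP case).
NON_ROUTABLE = [
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
    ("carrier-grade NAT (RFC 6598)", ipaddress.ip_network("100.64.0.0/10")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("IPv6 loopback", ipaddress.ip_network("::1/128")),
    ("IPv6 unique local", ipaddress.ip_network("fc00::/7")),
    ("IPv6 link-local", ipaddress.ip_network("fe80::/10")),
]

def classify(addr: str) -> Optional[str]:
    """Return why addr is not publicly routable, or None if it is fine."""
    ip = ipaddress.ip_address(addr)
    for reason, net in NON_ROUTABLE:
        if ip in net:
            return reason
    # Anything else the stdlib knows is not global (multicast, reserved, ...)
    return None if ip.is_global else "reserved / not globally routable"

def check_records(addrs):
    """Map each resolved address to its problem (None means reachable)."""
    return {a: classify(a) for a in addrs}

def http01_can_succeed(addrs) -> bool:
    """HTTP-01 needs at least one A/AAAA record and no non-routable ones."""
    report = check_records(addrs)
    return bool(report) and all(v is None for v in report.values())

def resolve(domain: str):
    """A and AAAA answers from the local resolver (hits the network)."""
    infos = socket.getaddrinfo(domain, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    # Constructed samples: the private address the thread started with and
    # the public one found later with `curl -4 ifconfig.co`.
    for sample in (["10.62.247.114"], ["121.6.138.122"]):
        print(sample, check_records(sample), http01_can_succeed(sample))
```

Run it against `resolve("your.domain")` from the machine itself; unlike the `wget` test later in the thread, the classification does not depend on where you run it from.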

Well, that's not ideal, but I appreciate your help - at least I won't be banging my head against this all night in vain. Thanks for everyone's help.

2 Likes

Is the IP address from your ISP actually in the 10.0.0.0/8 range? (I.e., the address on your router's WAN interface.) Or just your local network?

Due to the shortage of public IPv4 addresses, ISPs often turn to carrier grade NAT (CG-NAT) unfortunately.

4 Likes

@ACregan you can check your Public Internet IP Address with

curl -4 ifconfig.co
curl -6 ifconfig.co

and/or

curl -4 ifconfig.io
curl -6 ifconfig.io

The -4 is for IPv4 addresses; the -6 is for IPv6 addresses.

3 Likes

Ah OK, that produces

121.6.138.122

So it could be that all is not lost! If I set it up on my router to traffic connections to that address on ports 80/443 to my pi server then that should fix it should it not?

Yes, that is a significant step forward.
You would need the DNS A record to use that IPv4 address of 121.6.138.122;
now, if that changes dynamically from time to time, the DNS A record needs updating as well.

Edit:
Also presently both Port 80 and 443 are not OPEN but filtered

$ nmap -Pn -p80,443 121.6.138.122
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-30 13:08 PDT
Nmap scan report for bb121-6-138-122.singnet.com.sg (121.6.138.122)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.71 seconds

2 Likes

I've used my router's port forwarding to forward 80 and 443, but it's 4:10 in the morning here in Singapore and my wife will be very angry if I don't go to bed soon :slight_smile:
I'll pick this up again tomorrow, thank you very much for all your help. I've been stuck on this for days and this finally feels like progress again.

2 Likes

Get a good night's rest. :sleeping_bed:

3 Likes