Certbot Fails stating "No valid A records found for anthonycregan.dev" when clearly there are

@Bruce5051 I don't think those sites like ifconfig.co are going to work with CG-NAT, as the "sender" IP address of the TCP connection is rewritten by the ISP to one of the ISP's own IP addresses. And that IP address is the one ifconfig.co will detect. So it can't distinguish between a "real" public IP address on the router of a customer and the public IP address used by the ISP to carry out CG-NAT.


@Osiris true if the IP Address is CG-NAT, but I am not certain that their router's DHCP isn't just giving them the address. Thanks! :slight_smile:

I know that's what they said, but I question if that is truly accurate.


Me neither, we need to hear from OP for that. I just wanted to point out those sites don't necessarily mean OP is not behind CG-NAT.


Absolutely, and I am glad you brought it up. :slight_smile:


Nice catch here!


Yes, this produces:

I added port forwarding settings to my router so I will try again to request a cert, I will also ensure (using my mobile connection - outside of my local network) that I can connect to my local server

I'll report back with my findings


@ACregan I see you've added an AAAA RR to your domain name. Unfortunately it contains the Link-Local Unicast IPv6 address (starting with fe80::) instead of a publicly routable one.

Does your server have other IPv6 addresses configured? Usually IPv6 is not part of CG-NAT as there's no shortage of IPv6 addresses.

Note that fixing the IPv6 issue above might let you get a cert issued by Let's Encrypt (as it prefers IPv6), but if your IPv4 is behind CG-NAT, your site would only be accessible to IPv6 enabled visitors.



I tried using curl -6 ifconfig.co but got this error:

curl: (7) Couldn't connect to server

I assume this is an issue with my pi/ubuntu server not being configured for IPv6.

Or your ISP doesn't provide IPv6 connectivity? Of course I'm not familiar with your ISP or your exact setup, but most of the time IPv6 should "just work".

In any case, adding a link-local IPv6 address to an AAAA DNS record isn't very useful, as that would only work from the internal LAN (and, being link-local, not even always then...).
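
The two points raised above, a link-local fe80:: address in an AAAA record and an IPv4 address that may sit behind CG-NAT, both come down to the same question: is any address the hostname resolves to actually reachable from the public internet, where the Let's Encrypt validators are? The checker below classifies A/AAAA record values accordingly. It is an added example, not code from anyone in this thread; the record values it feeds in are constructed for illustration, and the function names are the example's own.

```python
"""
Classify the addresses found in a hostname's A/AAAA records the way an
ACME validator effectively has to: only globally routable addresses can be
reached from Let's Encrypt's validation servers. Link-local (fe80::/10,
169.254.0.0/16), RFC 1918 private space, loopback and the CG-NAT shared
range (100.64.0.0/10, RFC 6598) all mean the record cannot work from the
public internet. The sample record set below is constructed for this
example and does not describe any real domain.
"""
import ipaddress
from typing import Dict, List

# RFC 6598 shared address space used by ISPs for carrier-grade NAT. Listed
# explicitly because the ipaddress module's is_private/is_global treatment
# of this range has differed between Python versions.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")

# Constructed example records: a LAN host address in the A record and a
# link-local address in the AAAA record, i.e. neither is publicly reachable.
SAMPLE_RECORDS: Dict[str, List[str]] = {
    "A": ["192.168.1.50"],
    "AAAA": ["fe80::1c2a:3b4c:5d6e:7f80"],
}


def classify(addr: str) -> str:
    """Return a short verdict for one IPv4 or IPv6 address literal.

    Order matters: link-local and loopback addresses are also "private" in
    the ipaddress module, so the more specific verdicts are checked first.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT_SHARED:
        return "cgnat-shared"   # router WAN side behind ISP NAT, not reachable inbound
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"     # fe80::/10 or 169.254/16: valid only on one LAN segment
    if ip.is_private:
        return "private"        # RFC 1918 and similar non-routable space
    if ip.is_global:
        return "global"         # the only verdict an ACME validator can use
    return "reserved"           # documentation, multicast, future use, etc.


def check_records(records: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each record ("A 192.168.1.50", "AAAA fe80::...") to its verdict."""
    return {
        f"{rtype} {value}": classify(value)
        for rtype, values in records.items()
        for value in values
    }


def publicly_reachable(records: Dict[str, List[str]]) -> bool:
    """True if at least one record points at a globally routable address."""
    return any(v == "global" for v in check_records(records).values())


if __name__ == "__main__":
    for record, verdict in check_records(SAMPLE_RECORDS).items():
        print(f"{record:45} -> {verdict}")
    print("publicly reachable:", publicly_reachable(SAMPLE_RECORDS))
```

A "global" verdict only says the address is routable; the host still has to answer on port 80 (HTTP-01) or 443 (TLS-ALPN-01) from outside, which is the port-forwarding step discussed in the thread, and a CG-NAT carrier address will never forward inbound connections to a single customer regardless of what the router is told.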


I thought I had everything set up ready to be certified, but it seems I was inside my local network all along (within the private IP range), so I'll try to configure my modem and router to enable forwarding to the hosting device on my network before trying again. Thanks to everyone for the help. This is a great resource thanks to the kind folk here who went out of their way to assist me; it's been super useful. Thanks again.

