Certbot - Failures Authenticating Due to IP Setup and Port Configuration

Please fill out the fields below so we can help you better.

My domain is: nc.hezner.biz

I ran this command: certbot --apache --email hezner@hezner.biz --domain nc.hezner.biz --agree-tos --non-interactive

It produced this output: failed - domain: nc.hezner.biz type: unknown host detail: no valid IP address found for nc.hezner.biz

My operating system is (include version): CentOS7

My web server is (include version): apache PHP 7.1

My hosting provider, if applicable, is: na

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

This machine is behind NAT. I have both port 80 and 443 open. DNS is OK since the site is found OK. I just want to get the security certificate on this server. I would obviously prefer the automated process than manual if possible. Is the reason this fails because of the NAT? Or do I have some other issue that I’m overlooking? This is the first time I’ve tried to use Let’s Encrypt and I need any assistance I can get. Thank you.

Interesting error. One of your name servers responds with:

Name: nc.hezner.biz
Address: 192.168.100.30
Name: nc.hezner.biz
Address: 66.73.190.17

And another with just 192.168.100.30.

192.168.0.0 – 192.168.255.255 is one of the private IPv4 blocks and will indeed not be considered valid.

You can use DNS verification via TXT record, but I would say you’d still need to look into that configuration and sort it out.

Thank you for the suggestion. I’ll make some modifications to which DNS servers show the private IPs to see if that helps.

Thank you for the suggestion about DNS settings. I know I was thrashing trying to make things work and it looks like I did not leave things cleaned up properly. That seems to have taken care of one problem.
I adjusted the DNS to remove the private IP from the public facing DNS servers and am now getting a different error. Now when I run the same certbot --apache command I get the response
domain: nc.hezner.biz
type: connection
detail: failed to connect to 66.73.190.17 for tls-sni-01 challenge
Am I correct in thinking that this is a NAT firewall issue? Incoming, I have both port 80 TCP and 443 TCP open on the firewall for this IP and have outgoing all open. I’ll go back and triple-check to be sure, but in the meantime if anyone has any ideas I certainly appreciate it.

I just double-checked and do have both tcp 80 and tcp 443 open on the firewall. I still get domain: nc.hezner.biz type: connection detail: Failed to connect to 66.73.190.17 for tls-sni-01 challenge when I run the certbot --apache command (full command listed in original post).
As I noted, this server is CentOS 7 and apache with PHP 7.1. Is there something else that I need to do in CentOS to open 443? Is there a way I can check to confirm 443 is open OK? I know that 80 is open because I can access the http NextCloud site running on this server.
Any thoughts are appreciated. Thank you.

Hi @pjg51

Port 443 doesn’t seem to be open

Andrei

I’m seeing a “No route to host” error for port 443 but a successful connection for port 80 (!!).

That sounds like a very tricky firewall issue or else a very severe misconfiguration inside an ISP.
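The two failures in this thread (a private 192.168.x address published in public DNS, then port 443 unreachable while port 80 works) are exactly what a small preflight check can surface before running certbot. The script below is an added example written for this thread, not code from the original posts or from certbot itself: it resolves every address for the hostname, rejects addresses that are not globally routable (the same reason certbot reported "no valid IP address found"), and then attempts a plain TCP connection to the challenge ports on each public address. The hostname, the address list and the fake `connect` callback used in the usage are constructed sample values.

```python
import ipaddress
import socket
import sys
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Ports the HTTP-01 and (as used in this thread) TLS-SNI-01 challenges need reachable
CHALLENGE_PORTS = (80, 443)


def resolve_all(hostname: str) -> List[str]:
    """Return every A/AAAA address the local resolver hands back for hostname.

    Note: this asks the system resolver, so a split-horizon DNS setup can hide what the
    public authoritative servers answer; query each NS directly (e.g. with dig) to be sure.
    """
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify_addresses(addresses: Sequence[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split addresses into (public, rejected); rejected carries a reason per address.

    Private (RFC 1918), loopback, link-local and other non-global addresses are rejected,
    because an ACME validator on the public internet can never reach them.
    """
    public: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            rejected.append((addr, "loopback"))
        elif ip.is_link_local:
            rejected.append((addr, "link-local"))
        elif ip.is_private:
            rejected.append((addr, "private"))
        elif not ip.is_global:
            rejected.append((addr, "non-global"))
        else:
            public.append(addr)
    return public, rejected


def tcp_reachable(address: str, port: int, timeout: float = 5.0) -> Tuple[bool, str]:
    """Attempt a TCP connect; return (ok, detail) with the OS error text on failure."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:  # e.g. "No route to host", "Connection refused", timeout
        return False, exc.strerror or str(exc)


def preflight(
    hostname: str,
    addresses: Optional[Sequence[str]] = None,
    connect: Callable[[str, int], Tuple[bool, str]] = tcp_reachable,
    ports: Sequence[int] = CHALLENGE_PORTS,
) -> Dict[str, object]:
    """Run the DNS sanity check and the port reachability check; collect problems found.

    `addresses` and `connect` are injectable so the logic can be exercised offline.
    """
    if addresses is None:
        addresses = resolve_all(hostname)
    public, rejected = classify_addresses(addresses)
    problems = [f"{addr} is a {why} address and will be rejected by the CA" for addr, why in rejected]
    if not public:
        problems.append("no valid IP address found")
    reachability: Dict[Tuple[str, int], Tuple[bool, str]] = {}
    for addr in public:
        for port in ports:
            ok, detail = connect(addr, port)
            reachability[(addr, port)] = (ok, detail)
            if not ok:
                problems.append(f"failed to connect to {addr}:{port} ({detail})")
    return {"public": public, "rejected": rejected, "reachability": reachability, "problems": problems}


if __name__ == "__main__":
    # Usage: python preflight.py nc.hezner.biz   (hostname from the thread, used as sample input)
    target = sys.argv[1] if len(sys.argv) > 1 else "nc.hezner.biz"
    result = preflight(target)
    for (addr, port), (ok, detail) in result["reachability"].items():  # type: ignore[union-attr]
        print(f"{addr}:{port} -> {'OK' if ok else 'FAIL'} ({detail})")
    for problem in result["problems"]:  # type: ignore[union-attr]
        print("PROBLEM:", problem)
    sys.exit(1 if result["problems"] else 0)
```

Run it from a host outside the NAT, not from the server itself: a connect test from inside the LAN says nothing about whether the edge firewall forwards 443. A "No route to host" on 443 with 80 connecting, as reported above, points at a filter or missing forward somewhere between the internet and the web server (on CentOS 7 that includes firewalld on the box, checked with `firewall-cmd --list-all`), not at DNS.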

Thank you both for the comments. Obviously I need to do a deep dive into the firewall(s). I’m wondering if I have it open on the main service firewall (since that is the firewall I’ve been paying attention to) but perhaps still closed on the firewall at the server. I know that 80 is open all the way in because I can access the NextCloud on 80. It will likely be a couple of days before I can get into it since a totally different project has heated up and will need more hours than I have to meet the deadline.
