Certbot unable to find ip of domain that is reachable from browser

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hrindustries.zapto.org

I ran this command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-5" --agree-tos --authenticator webroot --email "hemagna.rao@gmail.com" --preferred-challenges "dns,http" --domains "hrindustries.zapto.org" -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for hrindustries.zapto.org
Performing the following challenges:
http-01 challenge for hrindustries.zapto.org
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain hrindustries.zapto.org
http-01 challenge for hrindustries.zapto.org
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: hrindustries.zapto.org
Type: dns
Detail: No valid IP addresses found for hrindustries.zapto.org
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): openresty/1.19.3.1

The operating system my web server runs on is (include version): Debian GNU/Linux 10 (buster) on docker

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Domain from ddns
/etc/letsencrypt.ini :

text = True
non-interactive = True
webroot-path = /data/letsencrypt-acme-challenge
key-type = ecdsa
elliptic-curve = secp384r1
preferred-chain = ISRG Root X1

It is autogenerated by nginxproxymanager

/var/log/letsencrypt/letsencrypt.log :

```
2021-12-15 04:44:01,040:DEBUG:certbot._internal.main:certbot version: 1.21.0
2021-12-15 04:44:01,042:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2021-12-15 04:44:01,042:DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--quiet', '--config', '/etc/letsencrypt.ini', '--preferred-challenges', 'dns,http', '--disable-hook-validation']
2021-12-15 04:44:01,043:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-12-15 04:44:01,120:DEBUG:certbot._internal.log:Root logging level set at 40
2021-12-15 04:44:01,124:DEBUG:certbot._internal.display.obj:Notifying user:


2021-12-15 04:44:01,125:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2021-12-15 04:44:01,125:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2021-12-15 04:44:01,126:DEBUG:certbot._internal.renewal:no renewal failures
```

Let's Encrypt needs to be able to connect to your webserver (through the internet), in order to verify you control the domain.

Your domain is in a private, non-routable IP address range:

That's what the error is about.

You will need to give your domain a public, port-forwarded IP address. Or consider a more creative solution to obtain a certificate.


Sorry, it seems my server is down. Does Let's Encrypt need the server to be up 24/7?

To issue or renew a certificate using the HTTP validation method, the server needs to be up, yes.

This isn't the main problem in this situation, though.

Your domain points to the IP address 10.247.99.15. This is a reversed IP address, which would only be accessible from within your private network. Due to the fact it is reserved and non-routable, nobody on the internet would ever be able to connect to it (including Let's Encrypt).


Well then, how do I convert it to a non-reversed IP? Also, what is a reversed IP? How do I make it public???

"reserved" (not "reversed" - TYPO) IPs are detailed in RFC 1918.
They include common "private" networks like:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

All of which are non-routable directly over the Internet.

You can change the IP within your DNS control panel (or however you added it in originally).
You would need to change it to a "real" IP that can be reached by all your Internet clients.
[as well as "handle" the HTTP(S) path along the way]

Note: You need a working HTTP site before you can secure it (via HTTP authentication).

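Editor's note, added to this thread and not written by any of the participants or by the Certbot project: the check the replies above describe by hand (resolve the name, see whether the answer falls in an RFC 1918 or other non-routable range) is easy to script as a pre-flight before running certbot. The resolver is injectable so the example runs offline; the address 10.247.99.15 is the one quoted in the thread, and the other sample addresses are constructed for the demonstration. The explicit range table covers the RFC 1918 blocks the reply lists and a few neighbours (loopback, link-local, carrier NAT, IPv6 ULA); anything else is left to `ipaddress.is_global`.

```python
"""Pre-flight for an HTTP-01 challenge: does the domain resolve to an address
that a validation server on the public Internet could reach at all?
Example added by the editor; not part of the original thread or of Certbot."""
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple

# Ranges a public ACME validator can never connect to. ip.is_global would
# reject most of these too, but the table gives the reader a named reason.
NON_ROUTABLE = [
    (ipaddress.ip_network("10.0.0.0/8"), "RFC 1918 private"),
    (ipaddress.ip_network("172.16.0.0/12"), "RFC 1918 private"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC 1918 private"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
    (ipaddress.ip_network("100.64.0.0/10"), "RFC 6598 shared address space (carrier NAT)"),
    (ipaddress.ip_network("::1/128"), "IPv6 loopback"),
    (ipaddress.ip_network("fc00::/7"), "IPv6 unique local (RFC 4193)"),
    (ipaddress.ip_network("fe80::/10"), "IPv6 link-local"),
]


def classify(ip_text: str) -> Optional[str]:
    """Return a reason the address is unreachable from the Internet, or None if it looks public."""
    ip = ipaddress.ip_address(ip_text)
    for net, reason in NON_ROUTABLE:
        if ip in net:
            return f"{ip} is in {net} ({reason}); Let's Encrypt cannot reach it"
    if not ip.is_global:
        # Catches documentation/test nets, multicast, unspecified, etc.
        return f"{ip} is not globally routable"
    return None


def system_resolver(name: str) -> List[str]:
    """Default resolver: all A/AAAA answers the local system returns for the name."""
    infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def preflight(domain: str,
              resolve: Callable[[str], List[str]] = system_resolver) -> Tuple[bool, List[str]]:
    """Resolve the domain and judge every answer.

    Returns (ok, findings). ok is False if the name does not resolve or if any
    answer is non-routable, which is exactly the situation in which the CA
    reports "No valid IP addresses found" for an http-01 challenge.
    """
    try:
        addrs = resolve(domain)
    except socket.gaierror as exc:
        return False, [f"{domain} does not resolve: {exc}"]
    if not addrs:
        return False, [f"{domain} has no A or AAAA records"]

    ok, findings = True, []
    for addr in addrs:
        why = classify(addr)
        if why is None:
            findings.append(f"{addr} looks publicly routable; next check that "
                            f"http://{domain}/.well-known/acme-challenge/ is reachable from outside")
        else:
            ok = False
            findings.append(why)
    return ok, findings


if __name__ == "__main__":
    # Constructed resolver reproducing the thread's DNS answer, so this runs offline.
    fake_dns = lambda name: ["10.247.99.15"]
    ok, notes = preflight("hrindustries.zapto.org", fake_dns)
    print("OK" if ok else "NOT OK")
    for n in notes:
        print(" -", n)
```

Replace `fake_dns` with the default `system_resolver` to test a live name; a clean result only means the address is routable, not that port 80 is forwarded or that the webroot path is actually served, which the later replies cover.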

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.