Error while trying to renew certs


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain (and 3 other subdomains) pointed to my wan IP with DDNS.

I ran this command: certbot renew --dry-run

It produced this output:
For every cert it produces this output. It was fine previously.

Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for Skipping.

My web server is (include version): HAProxy - nginx/apache

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


According to your domain's DNS records:

$ host has address is not a public IPv4 address, this is “Shared Address Space” used for (for example) carrier-grade NAT. From the user's perspective, these addresses are similar to RFC1918-defined reserved subnets (,, - they cannot be used for services on the Internet.

If you are sure that you have a public IP address of your own (not shared with other people; your provider may have just decided to use NAT to spare IP addresses), then your ISP may be translating this IP 1:1 to a public one somewhere in their infrastructure, and your dynamic DNS client got confused because it simply took the IP address assigned to your WAN interface (which is different from your public IP address).


Yesterday I saw that my IP changed. In fact, if I use it gives me another one, so you must be right. Is the solution to ask my service provider to change this feature, or is there another way of solving this? Thanks


A post was split to a new topic: Problem with renewal: Incorrect validation certificate for tls-sni-01 challenge


It depends. If you are able to access your webserver using the IP shown by “what’s my IP” sites, then fixing this problem is only a matter of changing your dynamic DNS client/provider (to something that changes the A record to the IP address “seen” by the dynamic DNS provider as the source of the connection from your server, instead of relying on the address reported by client-side software).

If not, you’ll have to contact your service provider. Note that if your provider has started to use NAT, then they may be facing an IPv4 address shortage (and may want to charge you additionally for providing you with a public IPv4 address for your server), but they could also have opted to use NAT to simplify their internal network configuration.
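A check for the diagnosis in the two replies above, added here as an example and not taken from the thread or from certbot: it classifies the address the dynamic DNS client published (RFC1918 private, RFC6598 shared address space used for carrier-grade NAT, or public) and compares it with the WAN interface address and the address seen from outside. All addresses below are constructed sample values, not the poster's.

```python
import ipaddress

# Ranges that cannot host an Internet-reachable service. The ACME http-01
# validator connects to the name's A record, so an A record in any of these
# ranges produces the "No valid IP addresses found" failure from the thread.
NON_ROUTABLE_V4 = {
    "RFC1918 private": [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "RFC6598 shared address space (CGNAT)": [ipaddress.ip_network("100.64.0.0/10")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
}


def classify(addr: str) -> str:
    """Return 'public' or the name of the non-routable range containing addr."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("only IPv4 A records are checked here")
    for label, nets in NON_ROUTABLE_V4.items():
        if any(ip in net for net in nets):
            return label
    # Anything else the stdlib does not consider globally routable
    # (documentation, reserved, multicast) is grouped together.
    return "public" if ip.is_global else "reserved/other"


def ddns_check(a_record: str, wan_if_addr: str, seen_from_outside: str) -> dict:
    """Compare the three addresses involved in a DDNS-behind-NAT failure.

    a_record: what DNS currently returns for the hostname.
    wan_if_addr: what the DDNS client read from the router's WAN interface.
    seen_from_outside: the source address an external service observes.
    """
    verdict = classify(a_record)
    result = {
        "a_record_class": verdict,
        "publishable": verdict == "public",
        "client_used_wan_addr": a_record == wan_if_addr,
        "matches_external": a_record == seen_from_outside,
    }
    if verdict != "public" and a_record == wan_if_addr and a_record != seen_from_outside:
        result["diagnosis"] = ("DDNS client published the WAN interface address, which sits "
                               "behind ISP NAT; publish the externally observed address instead")
    elif verdict == "public":
        result["diagnosis"] = "A record is publicly routable; the failure lies elsewhere"
    else:
        result["diagnosis"] = "A record is non-routable"
    return result
```

Running `ddns_check("100.72.13.5", "100.72.13.5", "203.0.113.17")` (constructed values) reproduces the thread's situation: the A record is in the CGNAT range, equals the WAN interface address, and differs from the address seen from outside.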


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.