Failed authorization procedure: unknownHost

#1

My domain is: grafoman.site

I ran this command: # certbot certonly -d 'grafoman.site' --webroot

It produced this output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for grafoman.site
Using the webroot path /srv/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. grafoman.site (http-01): urn:ietf:params:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for grafoman.site

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: grafoman.site
   Type:   unknownHost
   Detail: No valid IP addresses found for grafoman.site

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx 1.12

The operating system my web server runs on is (include version): Alpine Linux v3.8, https://hub.docker.com/r/linuxserver/letsencrypt

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


The domain itself has been okay for several years, no registrar or DNS issues, was properly indexed by Google. Now I’m moving away from CloudFlare, HTTP is working fine (the DNS A record is probably outdated at the time you’re reading this - long story - but once I update it, it’s okay again), but LE fails to issue any cert, staging or not staging. The error text is also somewhat inaccurate: I can’t even figure out if the domain appears non-existent to LE (Type: unknownHost), or the DNS reply seems empty, or it’s not empty but the addresses seem invalid or inapplicable, or DNS did not answer - all in all, I’m completely lost here. Any ideas?

Unbound DNS checker doesn’t see any problems either: https://unboundtest.com/m/A/grafoman.site/RUPEIZQB

#2

100.90.42.52 isn’t a publicly routable IP address. 100.64.0.0/10 is a private range for Carrier-Grade NAT, similar to 192.168.0.0/16 and so forth. To use HTTP validation – or for other people to access your website – you have to have a public IP.

1 Like
#3

I’m still sorting out a DNS issue, so I know that DNS should be invalid right now - that’s not the point. Like, even when it’s set to the right address (and both 8.8.8.8 and 1.1.1.1 see this address), LE fails to issue a cert anyway with exactly, word for word, the same error.

(If you want proof, I’ll be able to temporarily make it work in ~5 hours or so.)

#4

What is the right address?

That exact error message means DNS is working successfully but there were no acceptable IP addresses, or no IP addresses at all. If there was an acceptable IP, it would work, or if it failed for some other reason, the error message would be different.

1 Like
#5

If that means using an IP outside the 100.64/10 network, then you stand a chance.

Otherwise, it doesn’t matter which DNS system returns such an IP; they are (as @mnordhoff said) similar to 192.168/16, 10/8, 127/8, 169.254/16, 0/8, 224/3, etc.
You can’t authenticate via an IP from such networks.
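To make the point of #2, #4 and #5 concrete, here is an added diagnostic (my own example, not Let's Encrypt's or certbot's code): it resolves a name's A/AAAA records and flags every address that falls inside the non-routable ranges named above, reproducing the "no valid IP addresses" verdict for an address like 100.90.42.52. The exact range list Let's Encrypt's validator uses is an assumption; the helper names and the resolve() wrapper are mine.

```python
import ipaddress
import socket

# Ranges a CA-side HTTP-01 validator has no route to: the ones named in this
# thread (assumed, not the CA's authoritative list). Documentation and
# benchmark ranges are caught by ipaddress.is_global in the fallback below.
NON_ROUTABLE = [
    ("0.0.0.0/8", "this-network (0/8)"),
    ("10.0.0.0/8", "private (RFC 1918)"),
    ("100.64.0.0/10", "shared address space / CGNAT (RFC 6598)"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("172.16.0.0/12", "private (RFC 1918)"),
    ("192.168.0.0/16", "private (RFC 1918)"),
    ("224.0.0.0/3", "multicast / reserved (224/3)"),
    ("::1/128", "IPv6 loopback"),
    ("fc00::/7", "IPv6 unique local"),
    ("fe80::/10", "IPv6 link-local"),
]
NETS = [(ipaddress.ip_network(n), why) for n, why in NON_ROUTABLE]

def classify(addr):
    """Return None if addr is publicly routable, otherwise the reason it is not."""
    ip = ipaddress.ip_address(addr)
    for net, why in NETS:          # mismatched IP versions simply never match
        if ip in net:
            return why
    if not ip.is_global:           # e.g. 192.0.2.0/24, 198.18.0.0/15, 240/4
        return "not globally routable"
    return None

def usable_addresses(addrs):
    """Split resolved addresses into (acceptable, [(rejected, reason), ...])."""
    ok, bad = [], []
    for a in addrs:
        why = classify(a)
        if why is None:
            ok.append(a)
        else:
            bad.append((a, why))
    return ok, bad

def resolve(name):
    """Hypothetical helper: A/AAAA lookup through the system resolver."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def explain(name, addrs):
    """Mimic the validator's verdict for a name that resolved to addrs."""
    ok, bad = usable_addresses(addrs)
    if not addrs:
        return f"{name}: no A/AAAA records (unknownHost)"
    if not ok:
        detail = ", ".join(f"{a} [{why}]" for a, why in bad)
        return f"{name}: unknownHost, no valid IP addresses: {detail}"
    return f"{name}: validator can connect to {', '.join(ok)}"
```

Run `explain(name, resolve(name))` against your own domain before retrying certbot; a name that only yields rejected addresses will fail HTTP-01 no matter which resolver returned them.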

#6

Well… it turns out that 100.90.42.52 was the correct public IP address. No idea how I ended up with an IP from an RFC network, but it worked for quite a while - it’s still reachable via any of my ISPs (I’m in Russia). It seems to be unreachable from CloudFlare, however - and that makes sense as well (why would they route an RFC network). That also explains other strange routing issues I’ve seen before. So-o, while LE possibly could have reached this IP if it tried to, I can’t blame them for calling it invalid, either.

Thanks, Matt, looks like you saved me a lot of time with your hint.

#7

100.90.42.52 is not unique.
It is only unique within your ISP.
Anyone outside your ISP won’t know how to get there.

#8

Well, it was reachable via at least two other ISPs as well. Sounds like black magic.

#9

Indeed.
Group hypnosis!
