GoDaddy DNS forwarding now has round robin (2) IP addresses

GoDaddy has two IP address A records for each forwarded domain. How do I use certbot to generate a cert and set up DNS credentials? The multiple DNS records are on the GoDaddy side. I only have a single IP address that the GoDaddy DNS servers are redirecting to.

Hello @robogo, welcome to the Let's Encrypt community. :slightly_smiling_face:

Well, all IP addresses (IPv4 and IPv6) need to respond the same for the HTTP-01 challenge. If you are talking about the DNS-01 challenge, all authoritative name servers need to respond the same for the _acme-challenge.<YOUR_DOMAIN> record.

Moved from Feature Requests to Help.

If you opened this thread in the Help section, you should have been provided with a questionnaire. In any case, all the answers to this questionnaire are required:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

1 Like

Currently, certificates are issued to a domain, not an IP address.

Let's Encrypt may try to validate HTTP-01 challenges against both IP addresses for your domain, so you need to ensure one of the following:

  • both public IPs are gateways to the same internal IP; or
  • if there are multiple internal IPs, redirect or proxy requests from the one not running certbot to the one running certbot; or
  • there is only 1 IP address in DNS.

You can also use DNS-01 challenges, but automatic renewals require leaving an API credential on your server, so it's best to delegate those DNS records to a secondary DNS system that only exists for ACME challenges. I like to use acme-dns (https://github.com/joohoi/acme-dns), a limited DNS server with a RESTful HTTP API for handling ACME DNS challenges easily and securely.

1 Like
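The two replies above make the same point from different angles: the validator may pick either A (or AAAA) record, so every address must answer the HTTP-01 path identically, and a 403/405 from a forwarding service in front of the origin is not an acceptable answer. The following script is an added example for this thread, not something posted by either respondent or shipped by Let's Encrypt; it resolves every address for a hostname with dig, fetches the challenge path from each address individually with curl --resolve, and reports whether the verdicts agree. The token name is a placeholder and no real challenge is issued.

```shell
#!/bin/sh
# Added example: probe the HTTP-01 challenge path on every address a hostname
# resolves to, the way a multi-perspective validator would. Requires dig and curl.
# Usage: ./check_acme_ips.sh <hostname> [token]
TOKEN_DEFAULT="added-example-test-token"   # placeholder path component, not a real token

# All IPv4 and IPv6 addresses the validator could choose from.
resolve_all() {
    dig +short A "$1"
    dig +short AAAA "$1"
}

# Fetch the challenge path from one specific address and print the HTTP status
# (curl prints 000 when no HTTP response was received). Redirects are not
# followed here so the first hop's behaviour is visible per address.
probe() {   # probe <hostname> <ip> <token>
    host="$1"; ip="$2"; token="$3"
    case "$ip" in
        *:*) pin="$host:80:[$ip]" ;;    # IPv6 literal needs brackets in --resolve
        *)   pin="$host:80:$ip" ;;
    esac
    curl -sS -o /dev/null -w '%{http_code}' --max-time 10 \
        --resolve "$pin" "http://$host/.well-known/acme-challenge/$token" 2>/dev/null || true
}

# What the status of a not-yet-provisioned token tells you about the origin:
# 404 (or 200 if a file happens to exist) means requests reach a real web
# server; a redirect must land on the same host over http/https; anything
# else (403, 405, 5xx) points at a forwarder, WAF or CDN answering instead.
classify() {   # classify <http_code>
    case "$1" in
        200|404)          echo ok ;;
        301|302|307|308)  echo redirect ;;
        000)              echo unreachable ;;
        *)                echo unexpected ;;
    esac
}

# Issuance is only predictable when every address yields the same verdict.
consistent() {   # consistent <verdict>...
    first="$1"
    for v in "$@"; do
        [ "$v" = "$first" ] || return 1
    done
    return 0
}

main() {
    host="$1"; token="${2:-$TOKEN_DEFAULT}"
    verdicts=""
    for ip in $(resolve_all "$host"); do
        code=$(probe "$host" "$ip" "$token")
        verdict=$(classify "$code")
        printf '%-40s %s %s\n' "$ip" "$code" "$verdict"
        verdicts="$verdicts $verdict"
    done
    [ -n "$verdicts" ] || { echo "no A/AAAA records for $host"; return 1; }
    # shellcheck disable=SC2086
    if consistent $verdicts; then
        echo "all addresses agree ($(echo $verdicts | cut -d' ' -f1))"
    else
        echo "addresses disagree: HTTP-01 will pass or fail depending on which IP is chosen"
        return 1
    fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it against the forwarded hostname before requesting a certificate; a consistent "unexpected" (as in the 403s seen later in this thread) means the forwarder, not your server, is answering, and fixing DNS to point at your own IP is the remedy rather than retrying certbot.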

It sounds like you have GoDaddy Domain Forwarding enabled. For HTTPS support you should disable that and update the DNS A record to point directly to your server's public IP.

This comes up often on this forum.

See: I got This error - #6 by Geno11x11

4 Likes

The GoDaddy DNS A records say they cannot be edited.

Can you change DNS Name Server provider?

Did you follow the steps in the post I linked?

Because I am pretty sure that after you disable Domain Forwarding you can edit it.

4 Likes

I concur with @MikeMcQ. You can't edit your A record because domain forwarding is enabled.

4 Likes

This looks like my only option is getting another provider. I was looking at going to Cloudflare but they don't provide email and I don't know if they have or will also add round robin DNS.

I don't see how your solution can work for my situation.

All my domains and subdomains are on one IP address.

I use forwarding for all my domains and subdomains using the same text URL with different ports.

This is so if my dynamic IP gets changed (infrequently) by my ISP, I only need to update a single GoDaddy forwarding record.
i.e. http://ccaway.net is forwarded to http://firstfruitsfarms.com:4000
http://turfrobots.us is forwarded to http://firstfruitsfarms:5678
http://ai.ccaway.net ->> http://firstfruitsfarms.com:4000/media/wizards/beast.html

GoDaddy's domain forwarding service is fundamentally incompatible with the HTTP-01 challenge.

3 Likes

Let us back up then. Which domain are you trying to get a certificate for?

If firstfruitsfarms, what port do you plan on it supporting HTTPS with?

Can firstfruitsfarms support inbound HTTP requests on port 80? Because those requests fail today, but could they work?

4 Likes

I want to start with ccaway.net then turfrobots.us. Firstfruitsfarms.com doesn't have an active website and is just being used for the single text URL to forward all the other domains and subdomains.

I think my ISP may block port 80.

I can switch firstfruitsfarms.com with ccaway.net or turfrobots.us as I don't need firstfruitsfarms.com any longer.

The URL forwarding you have should work for ccaway.net (I assume the other too).

HTTP and HTTPS requests to ccaway work fine. The problem is it uses a frame redirect (html page) to send people to HTTP (not HTTPS) at firstfruitsfarms at port 4000. It is the firstfruitsfarms HTTP URL that is being warned about by browsers.

So, you would need to change the URL for port 4000 to use HTTPS and have firstfruitsfarms support that with a cert and related config.

You shouldn't have to do anything with ccaway. Although realize that "frame forwarding" isn't the greatest. But, if you've been happy with that so far it should be fine.

But, what is handling requests you redirect there? You may not have a "website" on the standard ports (80 and 443) but there is some kind of server handling these requests.

curl -I http://firstfruitsfarms.com:4000
HTTP/1.1 200 OK
Last-Modified: Thu, 30 Jun 2022 19:48:01 GMT
Content-Length: 6235
Content-Type: text/html; charset=UTF-8
Accept-Ranges: bytes
Date: Wed, 08 Jan 2025 19:09:07 GMT
3 Likes

The expected response is 404 Not Found,
or 200 OK if the file is actually present and accessible.

For curl -Ii the response is 405 Method Not Allowed:

$ curl -Ii http://ccaway.net/.well-known/acme-challenge/sometestfile
HTTP/1.1 405 Not Allowed
Server: awselb/2.0
Date: Wed, 08 Jan 2025 19:15:03 GMT
Content-Length: 0
Connection: keep-alive
WAFRule: 0

For curl -i the response is 403 Forbidden:

$ curl -i http://ccaway.net/.well-known/acme-challenge/sometestfile
HTTP/1.1 403 Forbidden
Server: awselb/2.0
Date: Wed, 08 Jan 2025 19:16:24 GMT
Content-Length: 0
Connection: keep-alive
WAFRule: 4
1 Like

I have several servers that handle the domain and subdomain requests on different ports. All HTTP for now. My router routes the requests to different machines and server software by port number.
I have things like AI chatbots, database servers, etc., each with a unique port number, not just HTTP servers.

It is unusual, but a 405 Method Not Found is reasonable for a HEAD request. It would be "wrong" for a GET request :slight_smile:

You often see that with CDNs which is roughly what the GoDaddy forwarding service is.

3 Likes

Thanks Mike! :slight_smile:

1 Like

This is what needs to support HTTPS

Did you say port 80 on that system is not possible? Because then you won't be able to use an HTTP challenge to get a cert on that system. A DNS challenge is possible, although it works best with a DNS provider that offers an API. GoDaddy has some restrictions on who can use that API.

Your ACME Client also needs to support whatever DNS provider you have as this Client will add and delete TXT records.

There is also a TLS-ALPN challenge which works on port 443 but requires support in the Client (as a standalone) or in your webserver. This is not commonly used.

It may be considerable work, but you could consider something like Caddy server at the public IP for the firstfruitsfarms system. It will handle HTTPS and certs for you. It is designed as a reverse proxy so it could direct to all your "internal" systems. And, I believe Caddy supports TLS-ALPN, which uses port 443 (if that helps).

3 Likes
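To make the Caddy suggestion concrete, here is an added example (not from the poster above, and not Caddy project code) of a Caddyfile that terminates TLS for the two forwarded hostnames named in this thread and proxies each to its existing per-port backend. Because port 80 is assumed to be blocked by the ISP, each site disables the HTTP-01 challenge so Caddy falls back to TLS-ALPN-01 on 443, which is the only challenge that can succeed in that situation without a DNS API. The script writes the file and validates it if the caddy binary is present; the contact email is a placeholder, and the backend addresses assume the services listen on the same machine.

```shell
#!/bin/sh
# Added example: emit a Caddyfile that uses TLS-ALPN-01 only (port 80 blocked)
# and reverse-proxies the thread's hostnames to their existing port-based backends.
# Hostnames and backend ports follow the thread; the email is a placeholder.

caddyfile() {
cat <<'EOF'
{
    # contact for Let's Encrypt expiry notices (placeholder)
    email admin@example.com
}

ccaway.net {
    tls {
        issuer acme {
            # port 80 is not reachable from the internet, so HTTP-01 can never
            # be answered; leaving it enabled just produces failed attempts
            disable_http_challenge
        }
    }
    # the service that currently answers http://firstfruitsfarms.com:4000
    reverse_proxy 127.0.0.1:4000
}

turfrobots.us {
    tls {
        issuer acme {
            disable_http_challenge
        }
    }
    # the service that currently answers on port 5678
    reverse_proxy 127.0.0.1:5678
}
EOF
}

# Number of site blocks (a hostname followed by an opening brace at column 0).
site_count() {
    caddyfile | grep -c '^[a-z0-9.-][a-z0-9.-]* {$'
}

# Every site must opt out of HTTP-01; one that does not will fail issuance
# because the validator cannot reach port 80.
all_sites_disable_http01() {
    [ "$(caddyfile | grep -c 'disable_http_challenge')" -eq "$(site_count)" ]
}

main() {
    all_sites_disable_http01 || { echo "a site block still allows HTTP-01"; return 1; }
    caddyfile > Caddyfile
    if command -v caddy >/dev/null 2>&1; then
        # syntax/adapter check only; no network access or certificate request happens here
        caddy validate --config Caddyfile --adapter caddyfile
    else
        echo "caddy not installed; Caddyfile written to $(pwd)/Caddyfile but not validated"
    fi
}

if [ "${1:-}" = "--write" ]; then main; fi
```

Once Caddy holds ports 443 on the public IP, the GoDaddy forwarding entries can be replaced by plain A records pointing at that IP, and the frame redirect to an http:// URL on port 4000 disappears along with the browser warnings.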

Using the online tool Let's Debug yields these results https://letsdebug.net/ccaway.net/2330501

UnexpectedHttpResponse
Warning
Sending an ACME HTTP validation request to ccaway.net results in unexpected HTTP response 403 Forbidden. This indicates that the webserver is misconfigured or misbehaving.
403 Forbidden

Trace:
@0ms: Making a request to http://ccaway.net/.well-known/acme-challenge/letsdebug-test (using initial IP 3.33.251.168)
@0ms: Dialing 3.33.251.168
@63ms: Server response: HTTP 403 Forbidden

UnexpectedHttpResponse
Warning
Sending an ACME HTTP validation request to ccaway.net results in unexpected HTTP response 403 Forbidden. This indicates that the webserver is misconfigured or misbehaving.
403 Forbidden

Trace:
@0ms: Making a request to http://ccaway.net/.well-known/acme-challenge/letsdebug-test (using initial IP 15.197.225.128)
@0ms: Dialing 15.197.225.128
@64ms: Server response: HTTP 403 Forbidden
2 Likes