I don't understand this error

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:panel.prolazer.net

I ran this command:

Nginx

certbot certonly --nginx -d example.com

It produced this output:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: panel.prolazer.net
Type: dns
Detail: DNS problem: looking up A for panel.prolazer.net: DNSSEC: RRSIGs Missing; no valid AAAA records found for panel.prolazer.net

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2

Hello @lazer00, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results https://letsdebug.net/panel.prolazer.net/1824785

ReservedAddress
FATAL
A private, inaccessible, IANA/IETF-reserved IP address was found for panel.prolazer.net. Let's Encrypt will always fail HTTP validation for any domain that is pointing to an address that is not routable on the internet. You should either remove this address and replace it with a public one or use the DNS validation method instead.
192.168.0.103

You need to use a Public facing Internet IP Address.

To help in finding your Public facing Internet IP Address

curl -4 ifconfig.me
curl -6 ifconfig.me

and/or

curl -4 ifconfig.co
curl -6 ifconfig.co

and/or

curl -4 ifconfig.io
curl -6 ifconfig.io
3 Likes
3

The IPv4 Address you are using 192.168.0.103
is part of the IPv4 Private Address Space and Filtering - American Registry for Internet Numbers
Also see Reserved IP addresses - Wikipedia
And also this IANA IPv4 Special-Purpose Address Registry

3 Likes
4

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: panel.prolazer.net
Type: connection
Detail: publicip: Fetching http://panel.prolazer.net/.well-known/acme-challenge/hR7iP3B_f1l_Zu6JoBjx5TzVNuXFyfK3nywxh038KUY: Timeout during connect (likely firewall problem)

5

Presently https://letsdebug.net/panel.prolazer.net/1824954

NoRecords
FATAL
No valid A or AAAA records could be ultimately resolved for panel.prolazer.net. This means that Let's Encrypt would not be able to connect to your domain to perform HTTP validation, since it would not know where to connect to.
No A or AAAA records found.

You need to update the DNS to have an A or AAAA records.

3 Likes
6

Now it looks like there is a router and/or firewall filtering (i.e. blocking) Ports 80 & 443.

$ nmap -Pn -p80,443 panel.prolazer.net
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-04 22:36 UTC
Nmap scan report for panel.prolazer.net (172.117.186.167)
Host is up.
rDNS record for 172.117.186.167: 172-117-186-167.res.spectrum.com

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.30 seconds
2 Likes
7

Hi @lazer00
And now https://letsdebug.net/panel.prolazer.net/1824966

ANotWorking
ERROR
panel.prolazer.net has an A (IPv4) record (172.117.186.167) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with panel.prolazer.net/172.117.186.167: Get "http://panel.prolazer.net/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://panel.prolazer.net/.well-known/acme-challenge/letsdebug-test (using initial IP 172.117.186.167)
@0ms: Dialing 172.117.186.167
@10001ms: Experienced error: context deadline exceeded

IssueFromLetsEncrypt
ERROR
A test authorization for panel.prolazer.net to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
172.117.186.167: Fetching http://panel.prolazer.net/.well-known/acme-challenge/IwF8aot2M-sjHJJS6Emw4at5_bEYZhj4KTyx_RkXER4: Timeout during connect (likely firewall problem)
1 Like
8

rDNS record for 172.117.186.167: 172-117-186-167.res.spectrum.com

@lazer00 You should contact Spectrum and make sure port 80 is not blocked by them. Some residential ISP block that port (and sometimes others).

Otherwise, as @Bruce5051 has pointed out many times you have some connectivity problem from the public internet to your server. Use the https://letsdebug.net test site to check changes you make.

You could also try using a mobile phone with wifi disabled so using your carrier's public internet connection to try to reach your domain. This or Let's Debug are good ways to test new setups.

If Spectrum is blocking port 80 but does not block port 443 you could try getting a cert using a DNS Challenge. But, these are more difficult to setup especially for novices. Getting a cert this way would avoid problems with port 80 and allow use of HTTPS on port 443 (or any other port Spectrum allows).

3 Likes
9

go it thank you

3 Likes
10

i found the solution basically i had to add port 80 on my router to allow it and then it let my create the
Successfully received certificate.

3 Likes
11

Now Port 443 is still filtered, however if you only need HTTPS for your local network that would be expected.

$ nmap -Pn -p80,443 panel.prolazer.net
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-05 00:07 UTC
Nmap scan report for panel.prolazer.net (172.117.186.167)
Host is up (0.43s latency).
rDNS record for 172.117.186.167: 172-117-186-167.res.spectrum.com

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 5.43 seconds
2 Likes
12

This is what I see:

rip:T430 ~ >>  nmap -Pn -p80,443 panel.prolazer.net
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-04 17:24 PST
Failed to resolve "panel.prolazer.net".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.43 seconds

rip:T430 ~ >>  nmap -Pn -p80,443 prolazer.net
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-04 17:24 PST
Nmap scan report for prolazer.net (172.117.186.167)
Host is up (0.27s latency).
rDNS record for 172.117.186.167: 172-117-186-167.res.spectrum.com

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https
Nmap done: 1 IP address (1 host up) scanned in 4.71 seconds

So the subdomain (panel.prolazer.net) has some DNS records issues ? !!!

2 Likes
13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.