I have an authorization problem

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: whatismyweather.tech

I ran this command: certbot certonly --standalone

It produced this output: When I do the command it turns me an error: no valid A records found for whatismyweather.tech; no valid AAAA records found for whatismyweather.tech. I think it can be because I have a dynamic IP Address but I put it in the DNS Records but turns me the error.

It can be about my dynamic IP Adress?

The operating system my web server runs on is (include version): Windows

I can login to a root shell on my machine (yes or no, or I don't know): Yes

Hi @PabloRNC, and welcome to the LE community forum :slight_smile:

The IP error is due to your use of a non-routable IP address.
RFC 1918 explains which networks can be routed over the Internet.
LE must validate your control over your domain at an IP address that can be reached via the Internet.

Name:      whatismyweather.tech
Addresses: ::ffff:192.168.1.42
           192.168.1.42

[both are unrouteable]

6 Likes

And I can do anything to change the dynamic ip addresses that I recive to a routable ip address or IS not on my hand change this?

You need to understand how your router works.
You need to update DNS to show the external IP of the router.
You need to make sure the router sends [via NAT/PAT] inbound port 80 & 443 connections to your web server.

In short:
You need to have a working web site before trying to secure it.
Does http://whatismyweather.tech/ work from the Internet? [NO]

6 Likes

Yes, now is not working because I was testing but normally yes

I find that hard to believe, using this online tool https://check-host.net/
This shows the DNS from around the world Multi-country domain resolving with DNS service: Check host - online website monitoring shows 192.168.1.42.
This shows the HTTP Port 80 connectivity to the domain name from around the world Check website performance and response: Check host - online website monitoring shows Connection timed out.

As @rg305 stated that IPv4 Address is

IPv4 Private Address Space and Filtering - American Registry for Internet Numbers.

Now from your own private LAN you would likely be able to access the domain name, however Let's Encrypt needs to access the domain name from a Publicly Accessible Internet Address for HTTP-01 and TLS-ALPN-01 Challenge Types - Let's Encrypt; there is the DNS-01 Challenge which would not have such requirement.

Best Practice - Keep Port 80 Open

And to assist with debugging there is a great place to start is Let's Debug.
And results for the domain name https://letsdebug.net/whatismyweather.tech/1301284 have a ReservedAddress Fatal result.

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

1 Like

Here are a couple of URLs that will show you your Publicly visible IP Address.

  1. https://ifconfig.co/
  2. https://ifconfig.io/

You can use them in a web browser or from a command line with curl

curl https://ifconfig.co/
curl https://ifconfig.io/

And the domain name needs it A (for IPv4) and/or AAAA (for IPv6) record set to the External Publicly Accessible IP Address.

Most home routers use NAT Network address translation - Wikipedia
so one needs to port map or forward to their internal LAN's IP Address.

2 Likes

It needs to be accessible form the Internet.
Not just from your network LAN or WiFi.

6 Likes

Ok so I will try later and reply if is another error or It fails.

2 Likes

Can you explain more how to do the thing with the NAT because I'am pointing my ip address but in the port 80 It redirect to the website router provider and if I change the port to another port and when I browse in the browser It turns me not found I searched for the error and I think is the NAT as you said.

No, your DNS is still pointing to your private IP address. You should point it to your public IP address. That number should be shown in your router config. Or, use one of the ways Bruce explained in post #7

6 Likes

I mean I run the webserver and I search the ip directly not the domain

That is not sufficient to get a cert from Let's Encrypt. Your DNS must point to your public IP address when using the HTTP Challenge

6 Likes

I know what I'm saying is that start the webserver and in the browser put http://IP:80 and turns me into the website of the internet router provider I know that to generate the SSL I need to point to the domain but I need to made free the port and I think is related to the NAT thing

What I see is you are trying to use --standalone mode but you also are describing a webserver. If you plan to have a webserver you should not be using standalone mode.

Also, accessing your webserver on your local network is not important for getting a cert. You should focus on being able to access your webserver from the public internet using http (port 80). Once you have that working we can help you get a cert. If your router is using port 80 for its own purposes you will need to change that. Refer to your router docs for that and how to setup NAT if that is necessary.

Use the Let's Debug test site (link here) to check your http webserver from the public internet. Or, use a cell phone with wifi turned off to use your provider's internet.

6 Likes

I'll try to do all those things thanks, I'll reply if another error occurs

1 Like

Good news another error throws to me but not the same this time is: Fetching http://whatismyweather.tech/.well-known/acme-challenge/1QjG0vBQmsyOf1gLFf3uy8MPhuPeuL-gMwaJhQwzFSw: Timeout during connect (likely firewall problem) how I can solve it?

Let’s Encrypt offers Domain Validation (DV) certificates.

1 Like

Your router or other device seems to be blocking all http requests (port 80). You should open that port in your router and forward it if/as needed to the server on your local network.

I cannot even reach your home page. This is not unique or related to Let's Encrypt. You don't yet have a working HTTP site.

Try using your phone with wifi off to reach your home page. When that is successful try Let's Debug test site

6 Likes

Agreed, I can't reach your IP:80

curl -Ii 88.1.110.156
curl: (56) Recv failure: Connection reset by peer
5 Likes