Intranet server: Urn:ietfacme:error:dns :: No valid IP addresses found

My domain is: emeeting.myatbu.com

I ran this command: sudo certbot certonly --standalone

It produced this output:
[sudo] password for dict:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): emeeting.myatbu.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for emeeting.myatbu.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. emeeting.myatbu.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for emeeting.myatbu.com

IMPORTANT NOTES:

My web server is (include version): None

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: godaddy.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @chigirl

checking your domain you see - https://check-your-website.server-daten.de/?q=emeeting.myatbu.com

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| emeeting.myatbu.com | A | 172.18.40.64 (No Hostname found) | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.emeeting.myatbu.com | | Name Error | yes | 1 | 0 |

Grade Y:

Y emeeting.myatbu.com

172.18.40.64
Warning: Private ip address found. No connection possible. There are two types of ip addresses: Worldwide unique, global addresses and private addresses. If you want that other users connect your domain, your domain must have minimal one A- (ipv4) or AAAA- (ipv6) entry with a global ip address. Check Private network - Wikipedia to understand the details: 172.16.0.0 to 172.31.255.255: Class B - 16 private net, every with 65.536 addresses

You need a public ip address, not a private.

Thanks for your response. I am working on an intranet server and I am new to using certbot.
What can I do to make it work with the intranet IP? I am trying to set up a chat server with matrix-synapse, which recommends Let's Encrypt.
Thanks in advance.

If you want to use http validation, you need a publicly visible IP address, so Let's Encrypt can check your server.

If this isn't possible, you can't use http validation -> use dns validation.

Read

Pardon me, I still have a question: is there a different command to make Let’s Encrypt check the DNS challenge, instead of the HTTP-01 challenge? Thanks in advance.

Please check

https://certbot.eff.org/docs/using.html#dns-plugins

But you have a GoDaddy name server. Perhaps check acme.sh, there is GoDaddy support.


After I created a TXT record I ran the command below

"sudo certbot -d emeeting.myatbu.com --manual --preferred-challenges dns certonly"
I get the output below

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for emeeting.myatbu.com


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: yes


Please deploy a DNS TXT record under the name
_acme-challenge.emeeting.myatbu.com with the following value:

Qia6jxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfyA

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. emeeting.myatbu.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.emeeting.myatbu.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: emeeting.myatbu.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.emeeting.myatbu.com

I added another TXT record to include _acme-challenge; Below is the outcome

sudo certbot -d emeeting.myatbu.com --manual --preferred-challenges dns certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for emeeting.myatbu.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: yes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.emeeting.myatbu.com with the following value:

RfloBvXXXXXXXXXXXXXXXXXGy2s

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. emeeting.myatbu.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "v=spf1 ip4:172.18.40.64" found at _acme-challenge.emeeting.myatbu.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: emeeting.myatbu.com
   Type:   unauthorized
   Detail: Incorrect TXT record "v=spf1 ip4:XXX.XX.XX.64" found at
   _acme-challenge.emeeting.myatbu.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I sincerely don't know what to do next. I will be grateful to understand what certbot requires.

"What certbot requires" is exactly what it told you it requires: a TXT record for _acme-challenge.emeeting.myatbu.com with the contents of RfloBvXXXXXXXXXXXXXXXXXGy2s. Why didn't you do that? Instead, you had a TXT record for the same domain with your SPF record, which is almost certainly incorrect for SPF, and it's most definitely incorrect for Let's Encrypt. You don't need to delete the existing TXT record in order to create the one Let's Encrypt wants (though you should, as it isn't doing anything useful); just create another one with the correct value. Note that "the correct value" will be different the next time you run certbot.
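A pre-flight check for the failures seen in this thread, added here as an illustration and not part of any post above: it flags a name whose only addresses are private (http-01 cannot work) and classifies the TXT answer at the `_acme-challenge` name as missing, mismatched, or ok before Enter is pressed in certbot. The function names are hypothetical, and the `dig +short TXT` output is constructed from the values shown in the thread.

```python
import ipaddress
import shlex


def parse_dig_txt(dig_short_output):
    """Turn `dig +short TXT <name>` output into a list of TXT values.

    Each output line is one record; a long record may be printed as several
    quoted strings, which DNS clients concatenate into one value.
    """
    values = []
    for line in dig_short_output.splitlines():
        line = line.strip()
        if line:
            values.append("".join(shlex.split(line)))
    return values


def http01_reachable(addresses):
    """http-01 needs at least one globally routable A/AAAA address."""
    return any(ipaddress.ip_address(a).is_global for a in addresses)


def check_dns01(txt_values, expected_token):
    """Classify the TXT record set found at _acme-challenge.<domain>."""
    if not txt_values:
        return "missing"    # the NXDOMAIN case: no record at that name
    if expected_token in txt_values:
        return "ok"         # unrelated TXT records alongside are harmless
    return "mismatch"       # records exist, but none carries the token


if __name__ == "__main__":
    token = "RfloBvXXXXXXXXXXXXXXXXXGy2s"  # redacted value shown by certbot above
    # Constructed dig output for the three states the thread went through.
    nothing = ""
    spf_only = '"v=spf1 ip4:172.18.40.64"\n'
    fixed = spf_only + '"' + token + '"\n'

    print("http-01 possible:", http01_reachable(["172.18.40.64"]))
    for label, out in (("no record", nothing), ("SPF only", spf_only),
                       ("token added", fixed)):
        print(label, "->", check_dns01(parse_dig_txt(out), token))
```

The token changes on every certbot run, so the expected value has to be copied from the current prompt each time.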


Thaaannk you!!! I did not know it required the Token.

  • Congratulations! Your certificate and chain have been saved at:
    .
    .
    .

Thank you
