Invalid host in redirect target. Only domain names are supported, not IP addresses

Hi,

I’m having trouble generating a cert for my webserver. It seems to unnecessarily do a redirect to the IP address, and thus not allowing it. Can anybody point me in the right direction with this?

My domain is: artistore.ch

I ran this command: certbot certonly --non-interactive --webroot --agree-tos --email redacted@example.com --cert-name artistore.ch -w /usr/

It produced this output:

Failed authorization procedure. www.artistore.ch (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://160.85.252.142: Invalid host in redirect target “160.85.252.142”. Only domain names are supported, not IP addresses, artistore.ch (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://160.85.252.142: Invalid host in redirect target “160.85.252.142”. Only domain names are supported, not IP addresses

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.artistore.ch
    Type: connection
    Detail: Fetching http://160.85.252.142: Invalid host in redirect
    target “160.85.252.142”. Only domain names are supported, not IP
    addresses

    Domain: artistore.ch
    Type: connection
    Detail: Fetching http://160.85.252.142: Invalid host in redirect
    target “160.85.252.142”. Only domain names are supported, not IP
    addresses

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version):
debian buster

I can login to a root shell on my machine: yes

The version of my client is: certbot 0.31.0

The reply of “your” webserver is:

HTTP/1.1 301 Moved Permanently
Server: Hostpoint Redirect Service
Location: http://160.85.252.142
Connection: close

So it seems to be some kind of """service""" (why?!? :sob:) of your hosting provider?

Ah, it seems to only occur through IPv6. Through IPv4 (with the -4 switch for curl) it doesn’t redirect.

Does your hosting provider provide some kind of IPv6 to IPv4 redirect feature or something?

If you can’t disable this “feature”, you might as well delete the entire AAAA record, as this isn’t actually adding something for IPv6. That way Let’s Encrypt (and others) won’t even try to connect to the IPv6 address, so no redirect and not the mentioned error.
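The per-address-family comparison described in this reply can be scripted. The following is an added example, not part of the original thread and not certbot or Let's Encrypt code; the function names `redirect_problem`, `probe` and `check` and the probe path are hypothetical. Beyond the IP-address rule quoted in the error above, it also applies Let's Encrypt's documented HTTP-01 restrictions on redirect scheme and port.

```python
import http.client, ipaddress, socket, sys
from urllib.parse import urlsplit

def redirect_problem(location):
    """Why an HTTP-01 validator would refuse this Location, or None if acceptable."""
    url = urlsplit(location)
    if not url.scheme and not url.netloc:
        return None  # relative redirect: stays on the same host
    if url.scheme not in ("http", "https"):
        return "scheme must be http or https"
    host = url.hostname or ""
    try:
        ipaddress.ip_address(host)  # succeeds only for IPv4/IPv6 literals
        return "redirect target is an IP address, not a domain name"
    except ValueError:
        pass  # not an IP literal
    if not host:
        return "redirect target has no host"
    if (url.port or (443 if url.scheme == "https" else 80)) not in (80, 443):
        return "port must be 80 or 443"
    return None

def probe(domain, family, path="/.well-known/acme-challenge/probe"):
    """Request path over one address family; return (status, Location header)."""
    # Connect to the resolved address directly so the family is forced,
    # but send the real domain in the Host header, as a validator would.
    addr = socket.getaddrinfo(domain, 80, family, socket.SOCK_STREAM)[0][4][0]
    conn = http.client.HTTPConnection(addr, 80, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": domain})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check(domain):
    """Print the verdict for the A and the AAAA side of the domain separately."""
    for label, family in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        try:
            status, location = probe(domain, family)
        except (OSError, http.client.HTTPException) as exc:
            print(f"{label}: no usable answer ({exc})")
            continue
        problem = redirect_problem(location) if location else None
        print(f"{label}: HTTP {status} Location={location} -> {problem or 'ok'}")

if __name__ == "__main__":
    check(sys.argv[1])  # domain name given on the command line
```

A redirect reported on only one of the two lines points at the DNS record for that family (here the AAAA record) rather than at the nginx or certbot configuration.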


Thank you
That was it. Interestingly, curl used IPv4 by default on my machine and I couldn’t get it to connect using IPv6 at all. However, I’m not digging into that today.
Should have deleted the AAAA record when we registered.
