Invalid host in redirect target. Only domain names are supported, not IP addresses

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Hi,

I’m having trouble generating a cert for my webserver. It seems to unnecessarily do a redirect to the IP address, and thus not allowing it. Can anybody point me in the right direction with this?

My domain is: artistore.ch

I ran this command: certbot certonly --non-interactive --webroot --agree-tos --email redacted@example.com --cert-name artistore.ch -w /usr/

It produced this output:

Failed authorization procedure. www.artistore.ch (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://160.85.252.142: Invalid host in redirect target “160.85.252.142”. Only domain names are supported, not IP addresses, artistore.ch (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://160.85.252.142: Invalid host in redirect target “160.85.252.142”. Only domain names are supported, not IP addresses

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: www.artistore.ch
  Type: connection
  Detail: Fetching http://160.85.252.142: Invalid host in redirect
  target “160.85.252.142”. Only domain names are supported, not IP
  addresses

  Domain: artistore.ch
  Type: connection
  Detail: Fetching http://160.85.252.142: Invalid host in redirect
  target “160.85.252.142”. Only domain names are supported, not IP
  addresses

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you’re using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version):
debian buster

I can login to a root shell on my machine: yes

The version of my client is: certbot 0.31.0

The reply of "your" webserver is:

HTTP/1.1 301 Moved Permanently
Server: Hostpoint Redirect Service
Location: http://160.85.252.142
Connection: close

So it seems to be some kind of """service""" (why?!? ) of your hosting provider?

Ah, it seems to only occur through IPv6. Through IPv4 (with the -4 switch for curl) it doesn't redirect.

Does your hosting provider provide some kind of IPv6 to IPv4 redirect feature or something?

If you can't disable this "feature", you might as well delete the entire AAAA record, as this isn't actually adding something for IPv6. That way Let's Encrypt (and others) won't even try to connect to the IPv6 address, so no redirect and not the mentioned error.

Thank you
That was it. Interestingly, curl used ipv4 by default on my machine and I couldn’t get it to connect using ipv6 at all. However, I’m not digging into that today.
Should have deleted the AAAA record when we registered.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.