No valid A records found for

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: buschbecks.homedns.org

I ran this command: /usr/bin/certbot renew -v

It produced this output:
[root@newlapserv renewal]# /usr/bin/certbot renew -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/buschbecks.homedns.org.conf


Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate for buschbecks.homedns.org
Performing the following challenges:
http-01 challenge for buschbecks.homedns.org
Waiting for verification...
Challenge failed for domain buschbecks.homedns.org
http-01 challenge for buschbecks.homedns.org

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: buschbecks.homedns.org
Type: dns
Detail: no valid A records found for buschbecks.homedns.org; no valid AAAA records found for buschbecks.homedns.org

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate buschbecks.homedns.org with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/buschbecks.homedns.org/fullchain.pem (failure)


Running post-hook command: /usr/bin/systemctl restart httpd
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): apache Fedora 34 Standard

The operating system my web server runs on is (include version):
Fedora linux 5.16.5-100.fc34.x86_64

My hosting provider, if applicable, is: Primerocom / VSE Net

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

Is this a config problem or a problem with dynDNS.org? Thx!

1 Like

It's a DNS issue.

What kind of DNS resource record have you set up? Because I'm not seeing any error, but also no answer. See for example:

https://unboundtest.com/m/A/buschbecks.homedns.org/6NSZSJDM

Notice the "NOERROR" in the response, but also the "ANSWER: 0" part.

5 Likes

Hi Osiris,
Thank you for your help!
Unfortunately, I don't even know how to set up a DNS record.
I just installed letsencrypt a long time ago and it has worked great so far. Now I have to clarify whether the fault lies with me. Maybe an update changed something? Or whether DynDNS.org generates an incorrect entry and I have to look for a new provider.
Is the problem with my installation or with DynDNS.org?
Many thanks
Frank

1 Like

Well, that was my first thought, looking at the results of unboundtest.com above.

But if I look at buschbecks.homedns.org | DNSViz it seems everything is working fine.

And if I do a dig +trace buschbecks.homedns.org myself, I also see a perfectly fine A resource record with an IP address returned.

Let's Encrypt uses Unbound as their DNS library and unboundtest.com uses an (almost?) identical configuration as the Let's Encrypt validation server. However, I don't know how to debug the difference between the NOERROR without an answer result from unboundtest.com and the normal results I'm finding myself and on DNSViz. Strange!

4 Likes

The issue at hand is that buschbecks.homedns.org currently resolves to

;; ANSWER SECTION:
buschbecks.homedns.org. 60      IN      A       100.65.219.249

an IP address within the IPv4 shared access space block 100.64.0.0/10 (RFC 6598). These IP addresses are generally not internet-routable. Let's Encrypt automatically filters such IP addresses from DNS lookups. Because there are no other addresses available, it results in this error.

The IP address in question is commonly used CG-NAT space. @fbu: Has your ISP made recent changes to your internet connection, or have you made changes to how you connect to the internet?

4 Likes
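As an added illustration (not code from this thread or from Let's Encrypt's validator), the following Python script mimics the filtering described in the reply above: it discards A/AAAA answers that fall in RFC 6598 shared address space and other non-routable blocks, and reproduces the "no valid A records found" problem when nothing usable remains. The block list is abbreviated and the sample DNS answers are constructed, so it runs offline.

```python
import ipaddress
from typing import List, Optional

# Abbreviated list of blocks a CA validator will not treat as publicly reachable.
# Constructed for this example from the named RFCs; the validator's real list may differ.
RESERVED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this" network, RFC 1122
    "10.0.0.0/8",      # private, RFC 1918
    "100.64.0.0/10",   # shared address space / CG-NAT, RFC 6598
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local, RFC 3927
    "172.16.0.0/12",   # private, RFC 1918
    "192.168.0.0/16",  # private, RFC 1918
    "::1/128",         # IPv6 loopback
    "fc00::/7",        # IPv6 unique local, RFC 4193
    "fe80::/10",       # IPv6 link-local
)]


def is_reserved(addr: str) -> bool:
    """True if addr lies in a block the validator discards as unreachable."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RESERVED_NETWORKS)


def usable(addresses: List[str]) -> List[str]:
    """Keep only the addresses a validator would actually try to connect to."""
    return [a for a in addresses if not is_reserved(a)]


def validation_problem(domain: str, a_records: List[str], aaaa_records: List[str]) -> Optional[str]:
    """Return None if at least one routable address remains, else the ACME-style 'dns' problem."""
    if usable(a_records) or usable(aaaa_records):
        return None
    return (f"no valid A records found for {domain}; "
            f"no valid AAAA records found for {domain}")


# Constructed sample answers standing in for live DNS lookups.
SAMPLE_ANSWERS = {
    "buschbecks.homedns.org": (["100.65.219.249"], []),     # the CG-NAT address from the thread
    "public.example": (["203.0.113.10"], ["2001:db8::1"]),  # constructed stand-ins for public addresses
}


def check(domain: str) -> Optional[str]:
    a_records, aaaa_records = SAMPLE_ANSWERS[domain]
    return validation_problem(domain, a_records, aaaa_records)


if __name__ == "__main__":
    for name in SAMPLE_ANSWERS:
        print(name, "->", check(name) or "routable address present, http-01 can proceed")
```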

Aw crap, missed that! Now I remember that Unbound as configured by Let's Encrypt (and probably also Unboundtest) filters out those private IP blocks from the result... I was too focussed on "Hm, why doesn't it return anything" and didn't remember the filtering.

2 Likes

Our provider charges additional fees for new contracts, so that one has a public IP address. Maybe he is annoyed about our old contract and tries to collect this outrageous additional fee from old customers. I didn't expect that, but that seems to be the reason.
Unfortunately, we have a fiber-optic connection here. Unfortunately, because there is only one provider and it shamelessly exploits its monopoly.
Then there is probably no solution to my problem. :sob:

If you require your site to be accessible through IPv4 from the world wide web, having a certificate or not wouldn't matter anyway, as your site wouldn't be reachable to begin with.

Or go IPv6 only, if that's a possibility. You'd miss a lot of potential IPv4 only visitors obviously though.

It's possible to get a cert using the dns-01 challenge, which wouldn't require a working incoming connection, but usage of that would also depend on what your DNS provider offers.

5 Likes
