No valid A records found; no valid AAAA records found

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: status.wlabs.ar
Type: dns
Detail: no valid A records found for status.wlabs.ar; no valid AAAA records found for status.wlabs.ar

My domain is: status.wlabs.ar

I ran this command: inside NGINX proxy Manager

It produced this output: (Docker Logs for NGINX container)
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: status.wlabs.ar
Type: dns
Detail: no valid A records found for status.wlabs.ar; no valid AAAA records found for status.wlabs.ar

My web server is (include version): embedded in NGINX

The operating system my web server runs on is (include version): embedded in NGINX

My hosting provider: no, locally hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.5.0

How can I fix this? Should I change my DNS provider? I've currently delegated my domain to DynV6.

Your hostname resolves to 100.125.177.159 which is not a publicly routable IP address, but a private, non-routable IP address from the "Shared Address Space" range.

The Let's Encrypt DNS library is configured to "ignore" all private address spaces, which results in this rather confusing error message.

In any case, you can't use non-routable IP addresses using the http-01 challenge. Also: nobody from the public internet can connect to your site.

If you still want a certificate, you could use the dns-01 challenge.

4 Likes
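To see why the answer above classifies 100.125.177.159 the way it does, here is an added example (not from the thread or from Nginx Proxy Manager) that labels the address a hostname resolves to and decides whether an http-01 validation from the public internet could ever reach it. The hostname and address are the ones reported in this thread; the second hostname, its addresses and the stub resolver are constructed so the script runs offline.

```python
"""Classify resolved addresses and decide whether http-01 can reach them.

Added example for this thread, not part of the original posts.  The DNS
lookup is replaced by a constructed table so the script runs offline.
"""
import ipaddress

# Ranges a CA validation server cannot reach from the public internet,
# keyed by CIDR with the registry entry that defines each block.
UNROUTABLE_V4 = {
    "100.64.0.0/10": "Shared Address Space (CGNAT, RFC 6598)",
    "10.0.0.0/8": "private (RFC 1918)",
    "172.16.0.0/12": "private (RFC 1918)",
    "192.168.0.0/16": "private (RFC 1918)",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local (RFC 3927)",
}
UNROUTABLE_V6 = {
    "::1/128": "loopback",
    "fc00::/7": "unique local (RFC 4193)",
    "fe80::/10": "link-local",
}


def classify(ip_str):
    """Return the label of the unroutable block the address falls in, or 'public'."""
    ip = ipaddress.ip_address(ip_str)
    table = UNROUTABLE_V4 if ip.version == 4 else UNROUTABLE_V6
    for cidr, label in table.items():
        if ip in ipaddress.ip_network(cidr):
            return label
    return "public"


def http01_reachable(addresses):
    """http-01 needs at least one publicly routable A or AAAA record."""
    return any(classify(a) == "public" for a in addresses)


# Constructed stand-in for a DNS lookup.  The first entry is the value the
# thread reports; the second is a made-up host using RFC 5737 / RFC 3849
# documentation addresses in place of a real public IP.
SAMPLE_DNS = {
    "status.wlabs.ar": ["100.125.177.159"],
    "example-public.invalid": ["203.0.113.10", "2001:db8::10"],
}


def report(hostname, resolver=SAMPLE_DNS.get):
    """Label every address of a host and say whether http-01 is possible."""
    addrs = resolver(hostname) or []
    return {
        "addresses": {a: classify(a) for a in addrs},
        "http01_possible": http01_reachable(addrs),
    }


if __name__ == "__main__":
    for host in SAMPLE_DNS:
        print(host, report(host))
```

To run it against live DNS instead of the constructed table, pass a resolver such as `lambda h: [r[4][0] for r in socket.getaddrinfo(h, None)]`; a host whose only records fall in 100.64.0.0/10 gets `http01_possible: False`, which is the situation behind the "no valid A records" message.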

Oh, good old 100.64.0.0/10. That's for CGNAT.

@walteroa if you can, use IPv6.

2 Likes

Unfortunately that would exclude a lot of users on the public internet.

If CG-NAT is indeed an issue here (which is quite likely), OP might need to contact their internet provider so they can get a public IP address for their internet connection or, if that's not possible, change ISPs altogether.

Thanks a lot for the answer... Extremely useful.
Getting a real public IP from ISP is a nightmare. I'm still fighting with them, no success until now...

Do you know how can change the challenge to dns-01 from NGinx Proxy Manager UI?

1 Like

Yes and no. You can have an IPv6-only origin server and cloudflare will happily serve it on both IPv6 and 4.

That can be expensive.

No, but the same issue that's keeping Let's Encrypt from reaching your server will keep everybody on the public internet from doing the same. The only people who'll be able to reach your website are inside your ISP network.

4 Likes

That would involve Cloudflare though, which you didn't mention earlier :wink: and not everybody would want that :slight_smile:

Nope, I don't have any experience with NPM and seeing all the threads with it on this Community which are VERY hard to debug and even HARDER to possibly fix, I don't want to either. Sorry to say, but from my perspective, when you're using NPM, "you're on your own" I'm afraid.

1 Like

There was a lot of hope OP had IPv6 support everywhere they need it.

Unlike myself, who on a single ISP gets IPv6 at home... but not on mobile. :@

2 Likes

Hi,

If you are not going to have a public web server on your domain I'd suggest using DNS validation (setting an _acme-challenge TXT record to a specific value to answer the challenge from Let's Encrypt proving you control your domain).

I have no idea how this is setup in Nginx Proxy Manager, but the limitation is usually whether your DNS provider supports updates over an API. You are using Dynv6 and they perhaps support RFC2136 updates and Nginx Proxy Manager may have a provider for that.

Alternatively, using acme-dns is an option, whereby you point an _acme-challenge CNAME record in your DNS to an acme-dns server, and it answers the challenge for you. The acme-dns service does have an example hosted service you can try out. I think you should find nginx proxy manager has a built in acme-dns provider.

1 Like
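The "specific value" the post above refers to is defined by the ACME protocol (RFC 8555, section 8.4): the TXT record at `_acme-challenge.<domain>` must hold the unpadded base64url SHA-256 digest of the key authorization, which is the challenge token joined by a dot to the account key's JWK thumbprint. The following is an added example (not code from the thread, from Certbot or from Nginx Proxy Manager) that computes that value and checks a DNS answer against it; the token, thumbprint and TXT lookup table are constructed.

```python
"""dns-01 challenge value computation and check (RFC 8555 section 8.4).

Added example for this thread, not part of the original posts.  Token,
thumbprint and the DNS answers below are constructed sample values.
"""
import base64
import hashlib


def b64url(data: bytes) -> str:
    """Unpadded base64url encoding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, jwk_thumbprint: str) -> str:
    """token '.' thumbprint, the string both client and CA hash."""
    return f"{token}.{jwk_thumbprint}"


def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """The exact string to publish in the _acme-challenge TXT record."""
    digest = hashlib.sha256(
        key_authorization(token, jwk_thumbprint).encode("ascii")
    ).digest()
    return b64url(digest)


def challenge_name(domain: str) -> str:
    """The owner name the CA queries for TXT records."""
    return f"_acme-challenge.{domain}"


def dns01_satisfied(domain, token, jwk_thumbprint, txt_lookup):
    """True when the published TXT records include the expected value.

    txt_lookup maps an owner name to the list of TXT strings it returns;
    a CNAME at _acme-challenge (the acme-dns setup) is transparent here
    because a real resolver follows it before returning TXT data.
    """
    expected = dns01_txt_value(token, jwk_thumbprint)
    return expected in txt_lookup(challenge_name(domain))


# Constructed sample values; a real token comes from the CA's challenge
# object and the thumbprint from the ACME account key.
TOKEN = "constructed-token-0123456789abcdef"
THUMBPRINT = "constructed-jwk-thumbprint-value"
DOMAIN = "status.wlabs.ar"  # the domain from the thread

# Constructed DNS answers: one zone with the right record, one without.
GOOD_ZONE = {challenge_name(DOMAIN): [dns01_txt_value(TOKEN, THUMBPRINT)]}
STALE_ZONE = {challenge_name(DOMAIN): ["value-left-over-from-a-previous-run"]}


if __name__ == "__main__":
    print("publish", challenge_name(DOMAIN), "TXT", dns01_txt_value(TOKEN, THUMBPRINT))
    print("good zone passes:", dns01_satisfied(DOMAIN, TOKEN, THUMBPRINT, lambda n: GOOD_ZONE.get(n, [])))
    print("stale zone passes:", dns01_satisfied(DOMAIN, TOKEN, THUMBPRINT, lambda n: STALE_ZONE.get(n, [])))
```

Because the value depends on the account key as well as the per-order token, a TXT record left over from an earlier run never satisfies a new challenge; the client (or a DNS API hook such as the RFC 2136 or acme-dns providers mentioned above) has to update the record for every issuance, and the record is only useful while that one challenge is pending.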

You can also use cloudflared to create a tunnel to the Cloudflare proxy if public IPv6 is not available.

Cloudflare has an active community if you have questions on using their platform.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.