Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloudruler.io
Enabled Apache rewrite module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. cloudruler.io (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for cloudruler.io
Let’s Encrypt treats hostnames in certificate requests very precisely. To get a certificate for https://cloudruler.io/, you need to validate the exact name cloudruler.io.
While it’s possible they’ve purposefully asked their registrar to configure the DNS servers for their domain to both Office365 (*.bdm.microsoftonline.com) and Azure DNS (*.azure-dns.*) and are manually keeping both zones in sync (and failing), it’s more likely this is a mistake. They need to pick which DNS provider will be authoritative for the apex domain and remove the other.
At the moment, it will be random chance which authoritative nameserver the validation servers use to query the domain. If they happen to pick an Azure DNS nameserver where the A record actually exists, things will work. If they pick one of the Office 365 ones where it doesn’t exist, things won’t work.
C:\>dig ns cloudruler.io. @a0.nic.io +noall +authority
; <<>> DiG 9.9.8-P3 <<>> ns cloudruler.io. @a0.nic.io +noall +authority
;; global options: +cmd
cloudruler.io. 86400 IN NS ns1.bdm.microsoftonline.com.
cloudruler.io. 86400 IN NS ns2.bdm.microsoftonline.com.
cloudruler.io. 86400 IN NS ns4.bdm.microsoftonline.com.
cloudruler.io. 86400 IN NS ns4-03.azure-dns.info.
cloudruler.io. 86400 IN NS ns1-03.azure-dns.com.
cloudruler.io. 86400 IN NS ns2-03.azure-dns.net.
cloudruler.io. 86400 IN NS ns3.bdm.microsoftonline.com.
cloudruler.io. 86400 IN NS ns3-03.azure-dns.org.
C:\>dig ns cloudruler.io @ns1-03.azure-dns.com +short
ns1-03.azure-dns.com.
ns2-03.azure-dns.net.
ns3-03.azure-dns.org.
ns4-03.azure-dns.info.
C:\>dig ns cloudruler.io @ns1.bdm.microsoftonline.com +short
ns1.bdm.microsoftonline.com.
ns2.bdm.microsoftonline.com.
ns3.bdm.microsoftonline.com.
ns4.bdm.microsoftonline.com.
C:\>dig a cloudruler.io @ns1-03.azure-dns.com +short
13.85.31.243
C:\>dig a cloudruler.io @ns1.bdm.microsoftonline.com +short
(no result)
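The per-nameserver comparison done by hand above, as an added example that is not part of the original post: it asks every delegated nameserver for the NS and A records and groups the servers by what they answer. The function names are illustrative, and the sample data is constructed from the dig output on this page, assuming the servers that were not queried answer like their sibling from the same provider.

```python
import subprocess
from collections import defaultdict

def dig_short(server, name, rtype):
    """Ask one nameserver directly with dig; an empty list means no records."""
    out = subprocess.run(["dig", rtype, name, "@" + server, "+short", "+norecurse"],
                         capture_output=True, text=True, timeout=15).stdout
    lines = (l.strip().lower() for l in out.splitlines())
    return sorted(l for l in lines if l and not l.startswith(";"))

def audit_delegation(name, delegated_ns, lookup=dig_short):
    """Group the delegated nameservers by the (NS set, A set) each one serves."""
    views = defaultdict(list)
    for ns in delegated_ns:
        host = ns.rstrip(".").lower()
        ns_set = tuple(sorted(r.rstrip(".") for r in lookup(host, name, "ns")))
        a_set = tuple(sorted(lookup(host, name, "a")))
        views[(ns_set, a_set)].append(host)
    without_a = sorted(h for (_, a), hosts in views.items() if not a for h in hosts)
    return {"consistent": len(views) == 1,      # one view = all servers agree
            "views": dict(views),
            "servers_without_a": without_a,
            "share_without_a": len(without_a) / len(delegated_ns)}

# Constructed sample mirroring the dig output on this page. Only one server per
# provider was queried there; the others are assumed to answer the same way.
AZURE = ["ns1-03.azure-dns.com", "ns2-03.azure-dns.net",
         "ns3-03.azure-dns.org", "ns4-03.azure-dns.info"]
O365 = ["ns%d.bdm.microsoftonline.com" % i for i in range(1, 5)]

def sample_lookup(server, name, rtype):
    azure = server in AZURE
    if rtype == "ns":
        return [h + "." for h in (AZURE if azure else O365)]
    return ["13.85.31.243"] if azure else []

if __name__ == "__main__":
    report = audit_delegation("cloudruler.io", AZURE + O365, lookup=sample_lookup)
    print("consistent:", report["consistent"])
    print("no A record on:", ", ".join(report["servers_without_a"]))
    print("share of delegated servers without an A record:", report["share_without_a"])
```

Drop the `lookup=sample_lookup` argument to query the live nameservers with dig instead of the constructed answers.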
The *.bdm.microsoftonline.com records were removed last night, and I tried the same command again this afternoon and got the error:
Failed authorization procedure. cloudruler.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cloudruler.io/.well-known/acme-challenge/hhxiTAy9gaVIp2KIwbJ9S2xzpYlmJaUIxj1U5eltzFQ [13.85.31.243]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: cloudruler.io
Type: unauthorized
Detail: Invalid response from
http://cloudruler.io/.well-known/acme-challenge/hhxiTAy9gaVIp2KIwbJ9S2xzpYlmJaUIxj1U5eltzFQ
[13.85.31.243]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I’m not sure how to place a test file there, I do not see a .well-known/acme-challenge/ directory to place a file in. Is that something I set up with LetsEncrypt or Certbot?
Certbot should create the folder (as needed).
You can simulate that by adding the folder (and subfolder) to your document_root path.
Most likely your apache configs are imperfect and certbot is confused on exactly where to place the challenge file.
You basically have two options to overcome this problem:
1. fix the apache configuration files
   this requires finding any overlapping/ambiguous/default server names (or aliases)
   [to help find them, you can use: apachectl -S]
2. send all challenge requests to a specific location
   this can be done with an alias statement in main config file (usually: /etc/apache2/apache2.conf)
I will go with option 2, "send all challenge requests to a specific location; this can be done with an alias statement in main config file (usually: /etc/apache2/apache2.conf)", rg305.
The command I ran was:
sudo certbot --apache
This is the full output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): cloudruler.io
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloudruler.io
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. cloudruler.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cloudruler.io/.well-known/acme-challenge/DFufFcqja_UQuz9baAsAyEL3OTqgQoDltG2WSxZqSb0 [13.85.31.243]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: cloudruler.io
Type: unauthorized
Detail: Invalid response from
http://cloudruler.io/.well-known/acme-challenge/DFufFcqja_UQuz9baAsAyEL3OTqgQoDltG2WSxZqSb0
[13.85.31.243]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Step 1: Create a folder to hold/serve all challenge files
1a. Decide where the folder is to be located (I use /ACME-challenges/ and will show that in this example - feel free to change that to whatever you like)
1b. Create the folder: mkdir /ACME-challenges/
Step 2: Use the folder.
2a. Edit your main config (using your preferred editor - vi used in this example) vi /etc/apache2/apache2.conf
Add the following line at the end/bottom: Alias /.well-known/acme-challenge/ /ACME-challenges/
2b. Restart/Reload apache (via your preferred method - I use): systemctl restart apache2
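A way to confirm the alias works before running certbot again, as an added example that is not part of the original post: it places a random probe file in the challenge folder, fetches it over HTTP at the path the http-01 validator requests, and removes it again. The function names and verdict strings are illustrative; the folder is the /ACME-challenges/ location from the steps above.

```python
import os
import secrets
import urllib.error
import urllib.request

def http_get(url):
    """Return (status, body) and do not raise on 4xx/5xx responses."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def check_challenge_dir(base_url, challenge_dir, fetch=http_get):
    """Write a probe file into challenge_dir and fetch it the way a validator would."""
    token = "probe-" + secrets.token_urlsafe(16)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    os.chmod(path, 0o644)  # the web server's user must be able to read the file
    try:
        url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + token
        status, body = fetch(url)
    finally:
        os.remove(path)  # never leave probe files behind
    if status == 200 and body.strip() == token:
        return "ok", status
    if status == 404:
        return "not-mapped", status   # the request never reached challenge_dir
    if status == 403:
        return "forbidden", status    # mapped, but the server denies access
    return "unexpected", status       # e.g. a rewrite or catch-all page answered

if __name__ == "__main__":
    # Run on the web server itself, as a user that may write to the folder.
    print(check_challenge_dir("http://cloudruler.io", "/ACME-challenges/"))
```

A "forbidden" verdict on Apache 2.4 usually means the folder also needs a `<Directory>` block containing `Require all granted`, because directories outside the document root are denied by default in the stock Debian/Ubuntu apache2.conf.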