No Valid IP Addresses Found But Google DNS Shows Correct IP Address


#1

Please fill out the fields below so we can help you better.

My domain is: test-ehrvm.primate.wisc.edu

I ran this command: certbot certonly -w /space/application/local/well-known/ -d test-ehrvm.primate.wisc.edu

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for test-ehrvm.primate.wisc.edu
Using the webroot path /space/application/local/well-known for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. test-ehrvm.primate.wisc.edu (http-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for test-ehrvm.primate.wisc.edu

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: test-ehrvm.primate.wisc.edu
   Type:   unknownHost
   Detail: No valid IP addresses found for test-ehrvm.primate.wisc.edu

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

My operating system is (include version): CentOS Linux release 7.1.1503 (Core)

My web server is (include version): NGINX 1.13.0

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


I don’t understand why it claims the host is unreachable:

  • Google’s DNS servers give the correct IP address.
  • I am able to access a public test file being served by the host from my home network through public DNS and internet (as opposed to internal networks).
  • I was able to set this up for another host, ehrvm.primate.wisc.edu, with essentially the same configuration: the only difference is the hostname.
  • DNS Viz shows no problems that exist for test-ehrvm that don’t exist for ehrvm (which worked flawlessly).

I’m running Tomcat behind NGINX, but NGINX redirects all requests for anything under /.well-known/ to a web root directory that certbot can write to, as demonstrated by the fact that the test file is being served and the fact that the process worked on ehrvm.primate.wisc.edu.


#2

Hi @JonathonRichardson,

The IP address shown there is 10.128.254.18, which is a private RFC 1918 address that is not supposed to be usable by the public Internet at all. This is very different from the address for ehrvm, which is 128.104.221.202.

The Let’s Encrypt CA won’t try to connect to private IP addresses, because this will never succeed. I don’t know why you were able to load the test file from home; maybe you misremembered and loaded the test file from ehrvm instead of test-ehrvm, or maybe you have a VPN that connects you to your private work network and lets you access internal resources there?

If you give the test-ehrvm machine a public IP address on the 128.104.221 network, your certificate issuance should be able to go forward.
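The point in the reply above can be checked before running certbot: if every A/AAAA answer for the name is a private, loopback or otherwise non-global address, a public validation server cannot reach it and http-01 fails with exactly the "No valid IP addresses found" error shown in the first post. The script below is an added example, not code from this thread or from certbot; all function names are the author's own, and the two sample addresses are the ones quoted above (10.128.254.18 and 128.104.221.202). When given domain names on the command line it uses the system resolver, which on a split-horizon network may return an internal view that differs from what the CA sees, so compare its output with a public resolver when the two disagree.

```python
"""Pre-flight check for ACME http-01: are a domain's DNS answers publicly routable?

Added example (not from the original thread or from certbot). A public CA's
validation server can only connect to globally routable addresses, so an answer
inside RFC 1918 space, loopback, link-local or another non-global range will
always produce "No valid IP addresses found".
"""
import ipaddress
import socket
import sys
from typing import Dict, List


def classify_address(addr: str) -> str:
    """Return 'global' if a public CA could plausibly reach this address,
    otherwise a short label for why it cannot."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 scope id
    if ip.is_loopback:            # 127.0.0.0/8, ::1 (checked before is_private)
        return "loopback"
    if ip.is_link_local:          # 169.254.0.0/16, fe80::/10
        return "link-local"
    if ip.is_private:             # RFC 1918 (10/8, 172.16/12, 192.168/16), fc00::/7
        return "private (RFC 1918 / ULA)"
    if ip.is_multicast:
        return "multicast"
    if ip.is_reserved or ip.is_unspecified:
        return "reserved"
    if not ip.is_global:
        return "non-global"
    return "global"


def usable_for_validation(addrs: List[str]) -> Dict[str, str]:
    """Map each answer to its classification so the whole record set is visible."""
    return {a: classify_address(a) for a in addrs}


def has_reachable_address(addrs: List[str]) -> bool:
    """True if at least one answer is globally routable, i.e. http-01 has a chance."""
    return any(classify_address(a) == "global" for a in addrs)


def resolve(domain: str) -> List[str]:
    """Collect distinct A/AAAA answers via the system resolver (may be split-horizon)."""
    found = set()
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(domain, None):
        found.add(sockaddr[0])
    return sorted(found)


def report(domain: str, addrs: List[str]) -> str:
    """Human-readable verdict for one domain and its answers."""
    lines = [f"{domain}:"]
    for addr, verdict in usable_for_validation(addrs).items():
        lines.append(f"  {addr:<40} {verdict}")
    if not addrs:
        lines.append("  (no answers: the name does not resolve)")
    elif has_reachable_address(addrs):
        lines.append("  OK: at least one public address, http-01 can proceed")
    else:
        lines.append("  FAIL: no public address, expect 'No valid IP addresses found'")
    return "\n".join(lines)


# Constructed sample set: the two addresses quoted in the reply above.
SAMPLE = {
    "test-ehrvm.primate.wisc.edu": ["10.128.254.18"],
    "ehrvm.primate.wisc.edu": ["128.104.221.202"],
}

if __name__ == "__main__":
    targets = {d: resolve(d) for d in sys.argv[1:]} if len(sys.argv) > 1 else SAMPLE
    for name, answers in targets.items():
        print(report(name, answers))
```

Run it with no arguments to see the verdict for the two sample records (the test-ehrvm answer is flagged as private, the ehrvm answer as global); pass one or more hostnames to check live DNS. The `is_loopback` and `is_link_local` tests come before `is_private` because Python's `ipaddress` counts those ranges as private too, and the more specific label is the more useful one when debugging.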


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.