No valid IP addresses found for cyberrabbit.com

protteveel · February 2, 2021, 10:51pm

My domain is:
cyberrabbit.com

I ran this command:
sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

	Which names would you like to activate HTTPS for?
	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	1: cyberrabbit.com
	2: www.cyberrabbit.com
	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	Select the appropriate numbers separated by commas and/or spaces, or leave input
	blank to select all options shown (Enter 'c' to cancel): 
	Obtaining a new certificate
	Performing the following challenges:
	http-01 challenge for cyberrabbit.com
	http-01 challenge for www.cyberrabbit.com
	Enabled Apache rewrite module
	Waiting for verification...
	Challenge failed for domain cyberrabbit.com
	Challenge failed for domain www.cyberrabbit.com
	http-01 challenge for cyberrabbit.com
	http-01 challenge for www.cyberrabbit.com
	Cleaning up challenges
	Some challenges have failed.

	IMPORTANT NOTES:
	 - The following errors were reported by the server:

	   Domain: cyberrabbit.com
	   Type:   dns
	   Detail: No valid IP addresses found for cyberrabbit.com

	   Domain: www.cyberrabbit.com
	   Type:   dns
	   Detail: No valid IP addresses found for www.cyberrabbit.com

My DNS records:
	Type	Name					Value									TTL
	A		cyberrabbit.com			100.113.1.183								1 Hour
	A		www.cyberrabbit.com		100.113.1.183								1 Hour
	CNAME	_domainconnect			_domainconnect.gd.domaincontrol.com			1 Hour
	NS		@						ns01.domaincontrol.com						1 Hour	
	NS		@						ns02.domaincontrol.com						1 Hour	
	SOA	@						Primary nameserver: ns01.domaincontrol.com.	1 Hour	
	CNAME	www					@										1 Hour
	A		@						100.113.1.183								1 Hour

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2020-08-12T19:46:17

The operating system my web server runs on is (include version):
Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is:
N/A
I am running the website on a Raspberry Pi, model 4.
Local IP address: 192.168.1.2
URL: http://192.168.1.2
The website is accessible through port forwarding on my router.
Internet IP address: 100.113.1.183
URL: http://100.113.1.183

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
ssh ubuntu@192.168.1.2

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
I us godaddy.com only to manage my DNS records

_az · February 2, 2021, 10:51pm

This is a CGNAT address: Carrier-grade NAT - Wikipedia.

It means that your ISP does not give you a real IPv4 address. Instead, they have you share a pool of IP addresses with your fellow ISP customers.

Unfortunately this means you cannot effectively host a web server, because nobody outside your local network can connect to it.

If you want a certificate anyway, you might be able to get one using DNS validation. Since you use GoDaddy, you could use this method.

sahsanu · February 2, 2021, 10:52pm

Hello @protteveel,

Based on your IP, I'm afraid you are using CGNAT so it is not possible to access your site from internet.

If you want a certificate you could use the dns challenge instead of http challenge.

Cheers,
sahsanu

protteveel · February 2, 2021, 11:12pm

Thanks for your reply, @sahsanu.
Can you explain how to use an http challenge instead, please?

sahsanu · February 2, 2021, 11:17pm

I suppose you mean dns challenge.@_az already posted a link with info to use a dns plugin with GoDaddy but you should use acme.sh client instead of certbot.

protteveel · February 2, 2021, 11:53pm

Thank you both @_az and @sahsanu this is very helpful! because now I have a cert!

I was following the instructions How To Secure Apache with Let's Encrypt on Ubuntu 20.04.

But since my setup will not work with CGNAT and I have the cert now, can you maybe point me to the instructions on how to install it on Apache 2 for Ubuntu 20 LTS, please?

rg305 · February 3, 2021, 6:05am

Within the same ISP... it maybe possible to remain unique and accessible.
However, LE is definitely outside that network and won't be able to validate it via HTTP from multiple global locations.

_az · February 3, 2021, 7:56am

Do you mean that you have now obtained a certificate with acme.sh and would like to configure Apache to use it?

You'll have to configure Apache manually to do that, by creating an HTTPS virtualhost.

A good place to start is these two resources:

Mozilla SSL Configuration Generator for how to configure Apache
The acme.sh --install-cert instructions for Apache for how to hook up acme.sh with Apache

I think approximately you'll want to do something like:

acme.sh --install-cert -d cyberrabbit.com \
--fullchain-file /etc/apache2/cyberrabbit.crt  \
--key-file       /etc/apache2/cyberrabbit.key  \
--reloadcmd     "service apache2 reload"

then update your Apache configuration like so:

# intermediate configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName cyberrabbit.com
    ServerAlias www.cyberrabbit.com

    # DocumentRoot /var/www/html/ (or wherever your site is)
 
    SSLEngine on
    SSLCertificateFile /etc/apache2/cyberrabbit.crt
    SSLCertificateKeyFile /etc/apache2/cyberrabbit.key
    Protocols h2 http/1.1

    # Then the rest of your website configuration goes here ...
</VirtualHost>

then reload Apache:

service apache2 reload

Untested instructions but they're the approximate outline of how to use your acme.sh-acquired certificate with Apache on Ubuntu.

protteveel · February 3, 2021, 4:47pm

Thanks, @_az; the website is now accessible through a secure connection: https://cyberrabit.com

Rip · February 3, 2021, 8:37pm

curl -Iki https://cyberrabit.com/
curl: (6) Could not resolve host: cyberrabit.com

Screenshot_2021-02-03_12-35-43

schoen · February 3, 2021, 8:39pm

Unfortunately, not for people outside of your own ISP, because of the CGNAT issue that was mentioned in the beginning of the thread.

protteveel · February 3, 2021, 9:00pm

Thanks for letting me know, @schoen; much appreciated.

I am waiting for my ISP to get me a static IP address.

system · March 5, 2021, 9:00pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.