No valid IP addresses found for domain

My domain is: lmkecloud.net

I ran this command: certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email admin@[redacted] -d lmkecloud.net

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for lmkecloud.net
Performing the following challenges:
http-01 challenge for lmkecloud.net
Waiting for verification...
Challenge failed for domain lmkecloud.net
http-01 challenge for lmkecloud.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: lmkecloud.net
   Type:   dns
   Detail: No valid IP addresses found for lmkecloud.net

My web server is apache2

The operating system my web server runs on is Debian 11

My hosting provider is Google

I can login to a root shell on my machine: yes

The version of my client is certbot 1.12.0

1 Like

Your hostname has an A resource record with contents 192.168.20.5 which is a private IP address and Let's Encrypt won't be able to connect to that IP address for validation of your hostname.

Nobody can visit your site using that IP address by the way.

Solutions:

  • Change the A record to the actual public IP address of your website;
  • Use the dns-01 challenge. Certbot has a certbot-dns-google plugin as I see your domain is hosted by Google.
5 Likes
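A small pre-flight check that covers both points raised in this reply: whether every address the name resolves to is one Let's Encrypt can reach at all (192.168.20.5 is RFC 1918 space, so http-01 can never succeed against it), and what the "Domain / Type / Detail" block certbot prints actually points at. This is an added example written for this thread, not certbot's or Let's Encrypt's own code; the function names are my own, and the sample certbot output is constructed from the error shapes shown in this thread.

```python
"""Pre-flight for an http-01 request: is the A record reachable, and what does
certbot's failure block mean? Added example; helper names are assumed."""
import ipaddress
import re
import socket

# Constructed from the thread: the private A record, then the public address.
SAMPLE_ADDRESSES = ["192.168.20.5", "203.211.105.53"]

# Constructed sample in the same shape as certbot's "reported these problems" block.
SAMPLE_CERTBOT_OUTPUT = """\
   Domain: lmkecloud.net
   Type:   dns
   Detail: No valid IP addresses found for lmkecloud.net

  Domain: www.lmkecloud.net
  Type:   connection
  Detail: Fetching http://www.lmkecloud.net/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)
"""


def classify_address(addr: str) -> str:
    """Say why an address can or cannot be validated from the public internet."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:        # RFC 1918 / ULA, e.g. 192.168.20.5
        return "private"
    if ip.is_global:
        return "global"
    return "reserved"        # CGNAT, documentation ranges, etc.


def validation_reachable(addrs) -> bool:
    """http-01 only works if every published address is globally routable."""
    return bool(addrs) and all(classify_address(a) == "global" for a in addrs)


# One record per "Domain: ... Type: ... Detail: ..." group in certbot's output.
ERROR_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s+Type:\s*(?P<type>\S+)\s+Detail:\s*(?P<detail>[^\n]+)"
)

# What each error type tells you to check first (only the types seen in the thread).
NEXT_STEP = {
    "dns": "fix the A/AAAA record: it must point at a public address",
    "connection": "port 80 must reach Apache through every firewall, router/NAT and hosting rule",
}


def parse_certbot_errors(output: str) -> list:
    """Turn certbot's failure block into (domain, type, detail, next_step) records."""
    return [
        {
            "domain": m["domain"],
            "type": m["type"],
            "detail": m["detail"].strip(),
            "next_step": NEXT_STEP.get(m["type"], "see /var/log/letsencrypt/letsencrypt.log"),
        }
        for m in ERROR_RE.finditer(output)
    ]


def resolve(domain: str) -> list:
    """Live A/AAAA lookup (uses the network; only called from main)."""
    infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder name
    addrs = resolve(domain)
    for a in addrs:
        print(f"{domain} -> {a}: {classify_address(a)}")
    print("http-01 can reach this name:", validation_reachable(addrs))
    for err in parse_certbot_errors(SAMPLE_CERTBOT_OUTPUT):
        print(f"{err['domain']} [{err['type']}]: {err['next_step']}")
```

Run it with the domain as the first argument before calling certbot; a "private" or "loopback" verdict means the A record, not Apache or the firewall, is the thing to fix.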

Your IP address is 192.168.20.5; this address cannot be reached from outside. Use your ISP IP address.

Best regards

2 Likes

Thank you for pointing that out. I've changed it to point to my public address, however it does not ping.

Anything wrong with my public ip address?

2 Likes

Hi @lmkecloud and welcome to the LE community forum :slight_smile:

PING is not required for any type of certificate.
So focus on the need.
Where do you plan on using that certificate?
If on a web server, then you might want to use it to validate the challenge requests (via HTTP).
If so, then HTTP requests (not PING) need to reach your web server.

And to answer your question:

Yes, it doesn't lead to a web server:

curl -Ii 203.211.105.53
curl: (56) Recv failure: Connection reset by peer

[required to validate the certbot --apache request]

And as an added tip: You might want to include the "www" in the cert.
-d lmkecloud.net -d www.lmkecloud.net

3 Likes

Hi @rg305 , Thank you for all the info :slight_smile:

Sorry but I'm not very familiar with web server configuration. I mainly followed the guide below to install Nextcloud.

How can I make my public IP address lead to my web server? Is that an Apache configuration?

If I try to run certbot again now the error is different.

sudo certbot certonly --agree-tos --webroot -w /var/lib/letsencrypt/ -d lmkecloud.net -d www.lmkecloud.net

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for lmkecloud.net and www.lmkecloud.net

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: lmkecloud.net
  Type:   connection
  Detail: Fetching http://lmkecloud.net/.well-known/acme-challenge/MI_CZNNJcPr18GKxtxk1XEeBrG7Up9zLQMH3y0Kg3D0: Timeout during connect (likely firewall problem)

  Domain: www.lmkecloud.net
  Type:   connection
  Detail: Fetching http://www.lmkecloud.net/.well-known/acme-challenge/WPokU5r9a2P_5eWGNSQeo4gGdvC-EfdZGXMZXR-bfDE: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

This is my firewall status:

Status: active

To                         Action      From
--                         ------      ----
WWW                        ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
WWW (v6)                   ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)  
3 Likes
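The "Timeout during connect" result above, and the hint that follows it, come down to one question: can a random file dropped into the webroot's .well-known/acme-challenge directory be fetched back over plain HTTP? The check below does exactly that, and reports the three outcomes a practitioner needs to tell apart: success, an HTTP 404 (Apache answers, but the -w path is not what the vhost serves), and a failed connection (nothing reaches port 80 at all, as in this thread). It is an added example, not certbot's code; the function names are mine, and the demo serves a temporary directory on 127.0.0.1 so it runs without any network setup.

```python
"""Webroot self-check for http-01: write a token, fetch it over HTTP.
Added example with assumed helper names; not certbot's own code."""
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

CHALLENGE_DIR = Path(".well-known") / "acme-challenge"
# No proxies: we want to see the same path the CA's validator would take.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def webroot_selfcheck(webroot: str, base_url: str, timeout: float = 5.0) -> dict:
    """Drop a random token under <webroot>/.well-known/acme-challenge and fetch it."""
    token = secrets.token_urlsafe(32)
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(token)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    result = {"url": url, "ok": False, "reason": ""}
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            body = resp.read().decode()
            if resp.status == 200 and body.strip() == token:
                result["ok"] = True
            else:
                result["reason"] = f"HTTP {resp.status}, body mismatch"
    except urllib.error.HTTPError as e:
        result["reason"] = f"HTTP {e.code}"          # 404: wrong webroot or wrong vhost
    except (urllib.error.URLError, OSError) as e:
        result["reason"] = f"connect failed: {e}"    # firewall / NAT / nothing listening
    finally:
        path.unlink(missing_ok=True)                 # leave no stray files behind
    return result


def demo_local_selfcheck() -> dict:
    """Serve a temp dir on 127.0.0.1 and exercise the good, 404 and unreachable cases."""
    with tempfile.TemporaryDirectory() as webroot:
        handler = partial(SimpleHTTPRequestHandler, directory=webroot)
        server = ThreadingHTTPServer(("127.0.0.1", 0), handler)  # ephemeral port
        port = server.server_address[1]
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            good = webroot_selfcheck(webroot, f"http://127.0.0.1:{port}")
            # Token written to a directory the server never looks at -> HTTP 404.
            with tempfile.TemporaryDirectory() as other:
                bad = webroot_selfcheck(other, f"http://127.0.0.1:{port}")
            # Port 1 on loopback: connection refused, the "nothing reaches port 80" case.
            unreachable = webroot_selfcheck(webroot, "http://127.0.0.1:1", timeout=2.0)
        finally:
            server.shutdown()
            server.server_close()
    return {"good": good, "bad": bad, "unreachable": unreachable}


if __name__ == "__main__":
    for name, r in demo_local_selfcheck().items():
        print(f"{name:12s} ok={r['ok']} {r['reason']}")
```

Against a real host you would call `webroot_selfcheck("/var/lib/letsencrypt", "http://lmkecloud.net")` from a machine outside your own network; run from the server itself it only proves Apache and the webroot agree, not that the router and firewall let the CA in.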

@lmkecloud As Rudy pointed out, your server is not reachable. Your most recent error messages saying "timeout" confirm that. You can also try using Let's Debug (click re-run test after making changes).

Would you post the results of these commands:

curl -4 ifconfig.co
sudo netstat -pant | grep -Ei 'apache|httpd|:80|:443'
sudo apachectl -t -D DUMP_VHOSTS

Update: And, you will need to update your firewall to allow port 443 for https (if WWW does not do that). That is not causing your current problems but will need to be open.

4 Likes

Sure, here are the results:

curl -4 ifconfig.co

203.211.105.53

sudo netstat -pant | grep -Ei 'apache|httpd|:80|:443'

tcp6       0      0 :::80                   :::*                    LISTEN      755/apache2         
tcp6       0      0 :::443                  :::*                    LISTEN      755/apache2

sudo apachectl -t -D DUMP_VHOSTS

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost lmkecloud.net (/etc/apache2/sites-enabled/collabora.conf:1)
*:443                  127.0.0.1 (/etc/apache2/sites-enabled/default-ssl.conf:2)

3 Likes

The IP is correct :heavy_check_mark:
The ports are being serviced :heavy_check_mark:

Are the firewall(s) allowing port 80 to pass?

4 Likes

Hi @lmkecloud,

You may also want to check that your router isn't blocking port 80 traffic. Your domain is still not accessible publicly.

6 Likes

Yes. Check my firewall status below:

sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
WWW                        ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
22/tcp                     ALLOW       Anywhere                  
203.211.105.53             ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
WWW (v6)                   ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
22/tcp (v6)                ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)   
2 Likes

When I try to allow port 80 on my router it says that port 80 is reserved, as per the screenshot below.

2 Likes

@lmkecloud Ah, perhaps a clue. I found an article for a NetComm NF18MESH that says:

"For example, you cannot host a web server accessible through port 80 of your public IP and enable remote http administration of the NF18MESH through port 80, you must provide both with unique port numbers."

I guess your model is similar. Do you have remote http admin enabled? If so, try disabling it or use a port other than 80 for it. Can you check your manual to see if it is the same as the MESH model in this regard?

From:
https://manuals.plus/netcomm/casa-systems-nf18mesh-port-forwarding-setup-manual

4 Likes

Unfortunately there is no option to remove http. I'll contact the router manufacturer.
Thank you so much for all the help you guys have provided on this issue. Much appreciated.

3 Likes

Try moving it (not removing it).
Can the port be changed to any other?

4 Likes

@lmkecloud I searched a manual for your model NF18ACV and saw in the Security section there is an Incoming IP Filtering config. On that page it says that when the firewall is enabled all inbound IP traffic is blocked and you must set up IP filters to allow it.

The instructions were not very clear, but did you try that to set up inbound http? Or temporarily disable your firewall to see if you would get further along?

I do not know if this is the same model year of your router but I looked at the one from here:
https://support.netcommwireless.com/products/NF18ACV

If that is not it I am out of ideas :slight_smile: Best to talk with the vendor.

4 Likes

I have disabled the firewall:

1 Like

Also added the public IP to the filter incoming as suggested.

However certbot is still timing out.

PS.: After I reset the router yesterday the IP addresses have changed.
New public IP address: 203.211.110.83

1 Like

Try:

Definitely skip step #1

VirusTotal - URL - 9516e8d102a1151736d0042a4b5a838a779aa9ff765bd74b825329bc00d07531

4 Likes

It doesn't let me do it through port 80.

1 Like