No valid IP addresses found for wygiz.app

Hi,

First of all thank you so much for the great work you are doing and congrats for reaching the billion certificate recently.
Secondly apologies if my issue is redundant with others. I have read them but I am quite a newbie with DNS things and couldn’t understand everything nor solve my problem on my own.

My domain is: wygiz.app

I ran this command:

sudo certbot certonly \
  --standalone \
  --non-interactive \
  --agree-tos \
  --email admin@wygiz.app \
  --cert-name wygiz.app \
  --domains www.wygiz.app

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for wygiz.app
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. wygiz.app (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for wygiz.app

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: wygiz.app
    Type: None
    Detail: No valid IP addresses found for wygiz.app

My web server is (include version):

I use traefik but the question is not applicable here since I am using the certonly --standalone subcommand here.
Side note: I know that traefik can automate the generation of certificates for me but I do not want to use this feature. I want to do this myself and automate this with a crontab.

The operating system my web server runs on is (include version): Ubuntu 18.04.3 LTS

My hosting provider, if applicable, is: www.ovh.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes, both the ovh panel for the server and the google domain one for the domain name.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Other details and questions:

The port 80 is free on my server so there should not be any problem to get the http-challenge working.

My domain name is managed through google domains.
The server which I am trying to generate certificates from is vps407881.ovh.net. Its IP is 151.80.149.141.
I have first registered my domain through the google domains web admin interface as a CNAME record:
wygiz.app CNAME vps407881.ovh.net
But I got the error I am soliciting you for.

I then tried to use an A record but the result ended up being the same.
wygiz.app A 151.80.149.141

I tried this because I do not understand exactly everything about DNS and figured out these two record types were the most common. But there are so many that maybe I am using the wrong one.
As of now the record is still set as an A one. Tell me if I should change this.

I also tried to understand things by using the dig command line tool.
One thing that I do not understand is that if I try dig for anything.wygiz.app I get a response which seems valid to me, but if I try dig just for wygiz.app it seems that I can’t get the IP of the server.
Maybe the problem comes from here. I lack knowledge here, maybe we can’t dig for the raw domain name, only for subdomains?

Results of dig below:

dig @8.8.8.8 test.wygiz.app

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> @8.8.8.8 test.wygiz.app
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24164
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;test.wygiz.app. IN A

;; ANSWER SECTION:
test.wygiz.app. 3599 IN A 151.80.149.141

;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Mar 21 15:32:25 CET 2020
;; MSG SIZE rcvd: 59

dig @8.8.8.8 wygiz.app

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> @8.8.8.8 wygiz.app
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10893
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;wygiz.app. IN A

;; AUTHORITY SECTION:
wygiz.app. 299 IN SOA ns-cloud-c1.googledomains.com. cloud-dns-hostmaster.google.com. 10 21600 3600 259200 300

;; Query time: 19 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Mar 21 15:32:57 CET 2020
;; MSG SIZE rcvd: 131

As you can see for test.wygiz.app I get a nice A record with the IP but for wygiz.app I only get an empty A record and a SOA record which I don’t know what it is.

Can you help me please to solve this?

Do not hesitate to point me to any documentation on the DNS/certificates subjects as I am a solid documentation reader. I would be glad for the insights.

Thank you very much for your response and once again for the great work you are doing to make the web secure.

Best regards.

Damien Montigny

1 Like

Hi @neimad1985

there is a check of your domain, created yesterday - https://check-your-website.server-daten.de/?q=wygiz.app

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| wygiz.app | A | | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.wygiz.app | A | 151.80.149.141 Strasbourg/Grand Est/France (FR) - OVH SAS Hostname: 141.ip-151-80-149.eu | yes | 1 | 0 |
| | AAAA | | yes | | |

Your non-www doesn’t have an ip address. Your www has.

So you can’t create a certificate with your non-www domain name.

That’s "No valid IP addresses found" expected, there is no ip address. So add one, then recheck your domain to see if your wygiz.app has an ip address.

1 Like

Hi @JuergenAuer,

Thanks for your very quick reply.

I am the one who created this check.
I know that my domain has no IP, that’s what the check says, that’s what certbot says, and dig does the same.
The thing that I do not understand is why I do not have an IP for wygiz.app.
The only action that I took to get an IP address for www.wygiz.app is to create an A record for wygiz.app.
The resulting effect is that I get an IP for any subdomain that you could imagine but not for the domain itself, this is what I do not understand. I did not do anything to get an IP for www.wygiz.app specifically, I just did it for wygiz.app (by creating the A record) and this leads to get me an IP for www.wygiz.app but also for john.wygiz.app, doe.wygiz.app, anything.wygiz.app and so on.

Why is that? An IP for every subdomain but not for the domain itself. Is this normal behaviour of DNS records? Sorry but I am a newbie with this and I do not succeed in finding proper documentation.

Maybe I should not ask this to you because you work on certificates not on domain name records but the two are closely related and you could have a hint for me.

Thank you.

1 Like

You have a wildcard record, that is why every literal under that wygiz.app resolves to it:

$ dig *.wygiz.app

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.3 <<>> *.wygiz.app
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34895
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;*.wygiz.app.			IN	A

;; ANSWER SECTION:
*.wygiz.app.		3600	IN	A	151.80.149.141

;; Query time: 252 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sat Mar 21 16:34:41 2020
;; MSG SIZE  rcvd: 45

You do not have an address record for the domain wygiz.app itself.

1 Like

OK. I finally got it to work.

The thing is I associated * to wygiz.app for the IP 151.80.149.141 in the google domains panel. The effect is that it allows any subdomain to be associated with the IP but not the root domain.
For the root domain to also have the IP you have to associate @ to wygiz.app. I did not know this syntax. So as a recap I needed two rules, * and @, and had only one, *.
It solves the problem: now dig wygiz.app sends the IP back.

Thank you for your time.

3 Likes

@ means wygiz.app

You should have two records now:

@ IN A 151.80.149.141
* IN A 151.80.149.141

or:

@ IN A 151.80.149.141
* IN CNAME @

2 Likes
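
Added example (not part of the thread or of any poster's code): a simplified Python model of wildcard matching as described in RFC 4592, showing why the `*` record alone answered for every subdomain while wygiz.app itself returned no address, plus a pre-flight check listing the certificate names that would fail. The function names and the in-memory zone are assumptions made for illustration; the records mirror the ones discussed above.

```python
# Added example: simplified RFC 1034 / RFC 4592 name matching on a constructed zone.
ORIGIN = "wygiz.app"
IP = "151.80.149.141"

def build_zone(origin, rows):
    """rows are (owner, type, value); "@" is zone-file shorthand for the origin."""
    zone = {}
    for owner, rtype, value in rows:
        name = origin if owner == "@" else f"{owner}.{origin}"
        zone.setdefault(name, {}).setdefault(rtype, []).append(value)
    return zone

def exists(zone, name):
    # A name exists if it owns records or is an ancestor of a name that does.
    return any(o == name or o.endswith("." + name) for o in zone)

def lookup(zone, origin, qname, qtype="A"):
    """Return (status, records) for qname; CNAME chasing is left out."""
    qname = qname.rstrip(".").lower()
    if qname != origin and not qname.endswith("." + origin):
        return "REFUSED", []
    if exists(zone, qname):
        # The name itself exists, so wildcards are never consulted for it.
        recs = zone.get(qname, {}).get(qtype, [])
        return ("NOERROR" if recs else "NODATA"), recs
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if exists(zone, encloser):
            # Only the wildcard directly below the closest encloser can match.
            wild = zone.get("*." + encloser)
            if wild is None:
                return "NXDOMAIN", []
            recs = wild.get(qtype, [])
            return ("NOERROR" if recs else "NODATA"), recs
    return "NXDOMAIN", []

def names_without_address(zone, origin, names):
    """Names with no A and no AAAA answer in this zone."""
    return [n for n in names
            if not any(lookup(zone, origin, n, t)[1] for t in ("A", "AAAA"))]

# Constructed zones mirroring the thread: "*" only, then "@" and "*".
BEFORE = build_zone(ORIGIN, [("*", "A", IP)])
AFTER = build_zone(ORIGIN, [("@", "A", IP), ("*", "A", IP)])

if __name__ == "__main__":
    wanted = ["wygiz.app", "www.wygiz.app"]
    print(lookup(BEFORE, ORIGIN, "wygiz.app"), lookup(BEFORE, ORIGIN, "test.wygiz.app"))
    print(names_without_address(BEFORE, ORIGIN, wanted), names_without_address(AFTER, ORIGIN, wanted))
```

The `NODATA` status for the apex corresponds to the `NOERROR` response with `ANSWER: 0` and only an SOA in the authority section seen in the dig output earlier in the thread.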
