No valid IP addresses found for

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
die-glueckliche-familie.info

I ran this command:
sudo certbot --apache

It produced this output:
root@RPI-Aquarium:~# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: www.die-glueckliche-familie.info


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.die-glueckliche-familie.info
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.die-glueckliche-familie.info (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for www.die-glueckliche-familie.info

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.die-glueckliche-familie.info
    Type: None
    Detail: No valid IP addresses found for
    www.die-glueckliche-familie.info
    root@RPI-Aquarium:~#

My web server is (include version):
Apache 2.4.25 (Raspbian)

The operating system my web server runs on is (include version):
root@RPI-Aquarium:~# cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.28.0

my website can be reached via www.die-glueckliche-familie.info

How can I solve the problem so that I can update the certificate via certbot?

greetings
Dennis

1 Like

Welcome to the Let's Encrypt Community, Dennis :slightly_smiling_face:

Let's see what we can do for you... :thinking:

thank you...
I hope you can help me... :slightly_smiling_face:

1 Like

Based on https://crt.sh/?q=die-glueckliche-familie.info, it appears that there is a longstanding Let's Encrypt certificate for www.die-glueckliche-familie.info.

The first thing I notice, which is worth noting but not likely the cause of the problem, is that your certbot version is ancient (0.28.0 vs 1.8.0).

Youā€™re very welcome. :slightly_smiling_face:

Did you recently change your hosting configuration?

I'm checking out a couple of things related to your website. Back in a minute.

Alright, so I did some investigating.

It looks like ports 80 and 443 both appear to be closed for www.die-glueckliche-familie.info (100.123.19.126).

Is apache running?

edit: It looks like your ip address isn't reachable globally. You might consider the suggestion in the next paragraph as both a solution and an expansion.

I also noticed that you got a wildcard certificate from DigiCert for die-glueckliche-familie.info and *.die-glueckliche-familie.info. You can get a wildcard certificate from Let's Encrypt, but this would require using dns-01 challenges (instead of the http-01 challenges you are accustomed to using). You would need to add txt records to your publicly-accessible dns zone. You might want to consider simply expanding your current Let's Encrypt certificate to include die-glueckliche-familie.info and www.die-glueckliche-familie.info, which would allow you to continue using http-01 challenges and your current renewal approach.

The IP addresses from the 100.64.0.0/10 range are not publicly accessible IP addresses. They are reserved for carrier grade NAT. Therefore, they can't be connected to by the general public, nor by Let's Encrypt.

1 Like
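The check the helpers did by hand above (look up the A record, then ask whether the address falls inside a reserved range) can be scripted as a pre-flight test before running certbot. The following is an added example, not code from the thread or from Certbot: it classifies an IPv4 address against a hand-picked subset of the IANA IPv4 Special-Purpose Address Registry and reports which ACME challenge types could still succeed. The range table is an assumption (the entries a server operator is most likely to hit, not the full registry), and apart from the thread's 100.123.19.126 the sample addresses are constructed.

```python
"""Pre-flight check for an ACME http-01 challenge: could Let's Encrypt's
validation servers reach the address the name resolves to at all?

Added example, not code from the thread or from Certbot. The address
table is a hand-picked subset of the IANA IPv4 Special-Purpose Address
Registry (assumption: the entries an operator is most likely to meet).
"""
import ipaddress

# Subset of the IANA IPv4 Special-Purpose Address Registry.
SPECIAL_PURPOSE = [
    ("0.0.0.0/8",       "this network"),
    ("10.0.0.0/8",      "private-use (RFC 1918)"),
    ("100.64.0.0/10",   "shared address space / carrier-grade NAT (RFC 6598)"),
    ("127.0.0.0/8",     "loopback"),
    ("169.254.0.0/16",  "link-local"),
    ("172.16.0.0/12",   "private-use (RFC 1918)"),
    ("192.0.0.0/24",    "IETF protocol assignments"),
    ("192.0.2.0/24",    "documentation (TEST-NET-1)"),
    ("192.168.0.0/16",  "private-use (RFC 1918)"),
    ("198.18.0.0/15",   "benchmarking"),
    ("198.51.100.0/24", "documentation (TEST-NET-2)"),
    ("203.0.113.0/24",  "documentation (TEST-NET-3)"),
    ("224.0.0.0/4",     "multicast"),
    ("240.0.0.0/4",     "reserved"),
]
_NETWORKS = [(ipaddress.IPv4Network(cidr), label) for cidr, label in SPECIAL_PURPOSE]


def classify(ip_str):
    """Return (globally_routable, label) for an IPv4 address string.

    IPv4Address() raises ValueError for anything that is not a plain
    IPv4 literal, so an IPv6 address is rejected rather than silently
    reported as routable.
    """
    addr = ipaddress.IPv4Address(ip_str)
    for net, label in _NETWORKS:
        if addr in net:
            return False, label
    return True, "globally routable (not in the special-purpose subset)"


def viable_challenges(ip_str):
    """Which ACME challenge types can succeed given this A record.

    http-01 requires the CA to open a TCP connection to port 80 on the
    address, so it is only viable for a globally routable address.
    dns-01 only needs a TXT record in the public DNS zone, so it works
    no matter where the web server sits (CG-NAT included).
    """
    routable, label = classify(ip_str)
    challenges = ["dns-01"]
    if routable:
        challenges.insert(0, "http-01")
    return {"address": ip_str, "routable": routable,
            "reason": label, "challenges": challenges}


if __name__ == "__main__":
    # Constructed samples: the address from the thread plus two others.
    for ip in ("100.123.19.126", "10.0.0.5", "203.0.113.7", "93.184.216.34"):
        r = viable_challenges(ip)
        print(f"{ip:>15}  routable={str(r['routable']):5}  "
              f"{r['reason']}  -> {r['challenges']}")
```

Run it against whatever `dig +short www.example.com A` returns for your name from an outside resolver; if the answer lands in 100.64.0.0/10, no amount of Apache or firewall tuning will make http-01 pass, and dns-01 is the only remaining route.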

Name: die-glueckliche-familie.info
Address: 100.123.19.126

Is that Internet routable?

1 Like

No: IANA IPv4 Special-Purpose Address Registry

Yes.

I'm blind. Or squint. Looked at the 10.0.0.0/8 :dizzy_face:

1 Like

He must have changed that recently. There's a super long renewal history on crt.sh. Good catch. :slightly_smiling_face:

You're correct.

Ah, you're one of those :wink:

2 Likes

Here for the hard of hearing seeing:

Your eyes crossed them in together 100.0.0.0/8

1 Like

Yes yes, I saw it already :stuck_out_tongue:

In any case, @skiworker's site isn't reachable by the world wide web, so one could ask what he/she wants with a certificate in the first place.

If he/she still wants a certificate, he/she'd need to use the dns-01 challenge.

Unfortunately, no. The IP 100.123.19.126 falls in the 100.64.0.0/10 range.

1 Like

So probably a connectivity/environmental change then?

Change of internet service provider could be the reason. Or his/her internet service provider chose to remove globally routable IPv4 addresses from their customers and move to carrier grade NAT. Perhaps to sell the now unassigned globally routable addresses for $$$? Who knows :slight_smile:

Or the customer thought it would be a good idea to downgrade their internet plan to a cheaper option? Not knowing exactly what that "CG-NAT" abbreviation meant. I have no idea if internet service providers offer that choice... But in theory, it could be the case.

1 Like

You need to consider the limited use a cert would provide you via your current IP (100.123.19.126).
It would (at most) only be visible to other clients of your ISP - not from anyone else (not from the general Internet).

But to answer your question, only a DNS validation can accomplish getting a cert via certbot.
[not sure if 0.28.0 has the required support for DNS auth / DNS API - so you may need to upgrade to 1.8.0]

1 Like
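Since several replies point at dns-01 as the only way forward, it helps to see what that challenge actually asks you to publish. The following is an added example, not code from the thread or from Certbot; it follows RFC 8555 section 8.4 and RFC 7638: the TXT record at `_acme-challenge.<name>` must contain base64url(SHA-256(token "." thumbprint)), where the thumbprint is the base64url SHA-256 of the account key's canonical JWK. The JWK and challenge token below are constructed stand-ins, not values from any real ACME order, and the domain names are taken from the thread.

```python
"""What a dns-01 challenge requires you to put in DNS (RFC 8555 s. 8.4).

Added example, not from the thread or from Certbot. The account key
(JWK) and the challenge token are constructed placeholders.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    serialised with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record_name(identifier: str) -> str:
    """Owner name of the TXT record. A wildcard identifier is validated
    at its base name, so '*.example.org' and 'example.org' share one name
    (each gets its own token, hence its own TXT value)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def dns01_record_value(token: str, thumbprint: str) -> str:
    """TXT rdata: base64url(SHA-256(key authorization))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_records(orders, jwk: dict):
    """orders: iterable of (identifier, token). Returns the (name, value)
    pairs the operator must publish before asking the CA to validate."""
    thumb = jwk_thumbprint(jwk)
    return [(dns01_record_name(ident), dns01_record_value(tok, thumb))
            for ident, tok in orders]


# Constructed account key: "n" is a dummy modulus, not a real RSA key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"}

if __name__ == "__main__":
    # Constructed tokens for the two names discussed in the thread.
    orders = [("die-glueckliche-familie.info", "tok-base-0123456789"),
              ("*.die-glueckliche-familie.info", "tok-wild-9876543210")]
    for name, value in dns01_records(orders, SAMPLE_JWK):
        print(f'{name}. 300 IN TXT "{value}"')
```

The value is a SHA-256 digest, so it is always 43 base64url characters; a TXT record that is shorter, padded with `=`, or published at `_acme-challenge.www.` when the identifier was the bare name will fail validation. Certbot drives this exchange for you through its DNS plugins or `--manual --preferred-challenges dns`; the point of the example is only that the record lives in the public zone, so the web server's CG-NAT address is irrelevant to it.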

He honestly might want to move to a dns validation anyway since he got a wildcard certificate issued from DigiCert instead of his original www.die-glueckliche-familie.info only. I already recommended expanding to die-glueckliche-familie.info and www.die-glueckliche-familie.info.

Yeah, that's most likely the case - new provider offering more speed (but with hidden limitations).

2 Likes

And what would he do with it?

1 Like

He's probably already got the DigiCert wildcard cert installed. We just can't see it. :sunglasses: