No valid IP addresses found for

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo certbot --apache

It produced this output:
root@RPI-Aquarium:~# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for


  • The following errors were reported by the server:

    Type: None
    Detail: No valid IP addresses found for

My web server is (include version):
Apache 2.4.25 (Raspbian)

The operating system my web server runs on is (include version):
root@RPI-Aquarium:~# cat /etc/os-release
PRETTY_NAME=“Raspbian GNU/Linux 9 (stretch)”
NAME=“Raspbian GNU/Linux”
VERSION=“9 (stretch)”

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

my website can be reached via

How can I solve the problem so that I can update the certificate via certbot?


1 Like

Welcome to the Let’s Encrypt Community, Dennis :slightly_smiling_face:

Let’s see what we can do for you… :thinking:

thank you…
i hope you can help me… :slightly_smiling_face:

1 Like

Based on, it appears that there is a longstanding Let’s Encrypt certificate for

The first thing I notice, which is worth noting but not likely the cause of the problem, is that your certbot version is ancient (0.28.0 vs 1.8.0).

You’re very welcome. :slightly_smiling_face:

Did you recently change your hosting configuration?

I’m checking out a couple of things related to your website. Back in a minute.

Alright, so I did some investigating.

It looks like ports 80 and 443 both appear to be closed for (

Is apache running?

edit: It looks like your ip address isn’t reachable globally. You might consider the suggestion in the next paragraph as both a solution and an expansion.

I also noticed that you got a wildcard certificate from DigiCert for die-glueckliche-familie.infoand * You can get a wildcard certificate from Let’s Encrypt, but this would require using dns-01 challenges (instead of the http-01 challenges you are accustomed to using). You would need to add txt records to your publicly-accessible dns zone. You might want to consider simply expanding your current Let’s Encrypt certificate to include and, which would allow you to continue using http-01 challenges and your current renewal approach.

The IP addresses from the range are not publically accessible IP addresses. They are reserved for carrier grade NAT. Therefore, they can’t be used to connect to by the general public, nor by Let’s Encrypt.

1 Like


Is that Internet routable?

1 Like



I’m blind. Or squint. Looked at the :dizzy_face:

1 Like

He must have changed that recently. There’s a super long renewal history on Good catch. :slightly_smiling_face:

You’re correct.

Ah, you’re one of those :wink:


Here for the hard of hearing seeing:

Your eyes crossed them in together

1 Like

Yes yes, I saw it already :stuck_out_tongue:

In any case, @skiworker s site isn’t reachable by the world wide web, so one could ask what he/she wants with a certificate in the first place.

If he/she still wants a certificate, he/she’d need to use the dns-01 challenge.

Unfortunately, no. The IP falls in the range.

1 Like

So probably a connectivity/environmental change then?

Change of internet service provider could be the reason. Or his/hers internet service provider chose to remove global routable IPv4 addresses from their customers and move to carrier grade NAT. Perhaps to sell the now unassigned globally routable addresses for $$$? Who knows :slight_smile:

Or the customer thought it would be a good idea to downgrade their internet plan to a more cheaper option? Not knowing exactly what that “CG-NAT” abbreviation exactly meant. I have no idea if internet service providers offer that choice… But in theory, it could be the case.

1 Like

You need to consider the limited use a cert would provide you via your current IP (
It would (at most) only be visible to other clients of your ISP - not form anyone else (not from the general Internet).

But to answer your question, only a DNS validation can accomplish getting a cert via certbot.
[not sure if 0.28.0 has the required support for DNS auth / DNS API - so you may need to upgrade to 1.8.0]

1 Like

He honestly might want to move to a dns validation anyway since he got a wildcard certificate issued from DigiCert instead of his original only. I already recommended expanding to and

Yeah that most likely the case - new provider offering more speed (but with hidden limitations).


And what would he do with it?

1 Like

He’s probably already got the DigiCert wildcard cert installed. We just can’t see it. :sunglasses: