No valid IP addresses found for

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
die-glueckliche-familie.info

I ran this command:
sudo certbot --apache

It produced this output:
root@RPI-Aquarium:~# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: www.die-glueckliche-familie.info


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.die-glueckliche-familie.info
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.die-glueckliche-familie.info (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for www.die-glueckliche-familie.info

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.die-glueckliche-familie.info
    Type: None
    Detail: No valid IP addresses found for
    www.die-glueckliche-familie.info
    root@RPI-Aquarium:~#

My web server is (include version):
Apache 2.4.25 (Raspbian)

The operating system my web server runs on is (include version):
root@RPI-Aquarium:~# cat /etc/os-release
PRETTY_NAME=“Raspbian GNU/Linux 9 (stretch)”
NAME=“Raspbian GNU/Linux”
VERSION_ID=“9”
VERSION=“9 (stretch)”
ID=raspbian
ID_LIKE=debian
HOME_URL=“http://www.raspbian.org/
SUPPORT_URL=“http://www.raspbian.org/RaspbianForums
BUG_REPORT_URL=“http://www.raspbian.org/RaspbianBugs

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

my website can be reached via www.die-glueckliche-familie.info

How can I solve the problem so that I can update the certificate via certbot?

greetings
Dennis

1 Like

Welcome to the Let’s Encrypt Community, Dennis :slightly_smiling_face:

Let’s see what we can do for you… :thinking:

thank you…
i hope you can help me… :slightly_smiling_face:

1 Like

Based on https://crt.sh/?q=die-glueckliche-familie.info, it appears that there is a longstanding Let’s Encrypt certificate for www.die-glueckliche-familie.info.

The first thing I notice, which is worth noting but not likely the cause of the problem, is that your certbot version is ancient (0.28.0 vs 1.8.0).

You’re very welcome. :slightly_smiling_face:

Did you recently change your hosting configuration?

I’m checking out a couple of things related to your website. Back in a minute.

Alright, so I did some investigating.

It looks like ports 80 and 443 both appear to be closed for www.die-glueckliche-familie.info (100.123.19.126).

Is apache running?

edit: It looks like your ip address isn’t reachable globally. You might consider the suggestion in the next paragraph as both a solution and an expansion.

I also noticed that you got a wildcard certificate from DigiCert for die-glueckliche-familie.infoand *.die-glueckliche-familie.info. You can get a wildcard certificate from Let’s Encrypt, but this would require using dns-01 challenges (instead of the http-01 challenges you are accustomed to using). You would need to add txt records to your publicly-accessible dns zone. You might want to consider simply expanding your current Let’s Encrypt certificate to include die-glueckliche-familie.info and www.die-glueckliche-familie.info, which would allow you to continue using http-01 challenges and your current renewal approach.

The IP addresses from the 100.64.0.0/10 range are not publically accessible IP addresses. They are reserved for carrier grade NAT. Therefore, they can’t be used to connect to by the general public, nor by Let’s Encrypt.

1 Like

Name: die-glueckliche-familie.info
Address: 100.123.19.126

Is that Internet routable?

1 Like

No: https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml

Yes.

I’m blind. Or squint. Looked at the 10.0.0.0/8 :dizzy_face:

1 Like

He must have changed that recently. There’s a super long renewal history on crt.sh. Good catch. :slightly_smiling_face:

You’re correct.

Ah, you’re one of those :wink:

2 Likes

Here for the hard of hearing seeing:

Your eyes crossed them in together 100.0.0.0/8

1 Like

Yes yes, I saw it already :stuck_out_tongue:

In any case, @skiworker s site isn’t reachable by the world wide web, so one could ask what he/she wants with a certificate in the first place.

If he/she still wants a certificate, he/she’d need to use the dns-01 challenge.

Unfortunately, no. The IP 100.123.19.126 falls in the 100.64.0.0/10 range.

1 Like

So probably a connectivity/environmental change then?

Change of internet service provider could be the reason. Or his/hers internet service provider chose to remove global routable IPv4 addresses from their customers and move to carrier grade NAT. Perhaps to sell the now unassigned globally routable addresses for $$$? Who knows :slight_smile:

Or the customer thought it would be a good idea to downgrade their internet plan to a more cheaper option? Not knowing exactly what that “CG-NAT” abbreviation exactly meant. I have no idea if internet service providers offer that choice… But in theory, it could be the case.

1 Like

You need to consider the limited use a cert would provide you via your current IP (100.123.19.126).
It would (at most) only be visible to other clients of your ISP - not form anyone else (not from the general Internet).

But to answer your question, only a DNS validation can accomplish getting a cert via certbot.
[not sure if 0.28.0 has the required support for DNS auth / DNS API - so you may need to upgrade to 1.8.0]

1 Like

He honestly might want to move to a dns validation anyway since he got a wildcard certificate issued from DigiCert instead of his original www.die-glueckliche-familie.info only. I already recommended expanding to die-glueckliche-familie.info and www.die-glueckliche-familie.info.

Yeah that most likely the case - new provider offering more speed (but with hidden limitations).

2 Likes

And what would he do with it?

1 Like

He’s probably already got the DigiCert wildcard cert installed. We just can’t see it. :sunglasses: