"No valid IP addresses found" - what does that mean?

My domain is: daemon.contact

I ran this command: certbot certonly
Requesting a certificate for moon.daemon.contact

It produced this output:
Domain: moon.daemon.contact
Type: dns
Detail: No valid IP addresses found for moon.daemon.contact

I don't understand this. The IP address is configured (at porkbun.com) just like the other subdomains that do work.
It resolves wherever I try. And with "dig" I don't see a difference from the others.
Access to the root directory on the webserver should also work on port 80 (and you should see a "not connected" message).

What could that error mean?

Hmm… I don't see anything wrong in a quick check myself. DNSViz and Unboundtest look good to me.

Might you have just recently updated the IP or something when you tried, and not all of your authoritative DNS servers might have had it yet? Can you try again (with --dry-run for testing purposes) and see if you get the same thing? Or have you already tried multiple times?


9 days ago. That should be settled.

--dry-run runs successfully. The second try now also ran successfully. Strange. But we won't find the root cause now.

My gut feeling points to the porkbun nameservers. I had problems with them before, hitting the max-100-recursions limit. But they deny that they have a problem, and that one should only hit when either IPv4 or IPv6 is not working properly.

Thanks for cross-checking! :)


Well, certainly could be. You asked what the message means, but it's basically just what it says: It asked for A & AAAA records, and didn't get any public IPs that it could use. (The most common case when somebody sees it is that they're using private IP space, like from RFC 1918 or 6598, but that didn't seem to be your problem.) But it also didn't get, like, a SERVFAIL or an error connecting to the DNS server, or there would be a different message saying so. The message means that the Let's Encrypt server did get a response, it just didn't have any IP addresses that it could use. But without some sort of logs on the DNS server side, if it's all working now I'm not sure what else you can do.

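To make the reply above concrete, here is an added example (not part of the thread and not Let's Encrypt's own code) that reproduces the decision behind "No valid IP addresses found" offline: take the A and AAAA answers for a name and keep only addresses a public CA could actually connect to, rejecting RFC 1918, RFC 6598 and other non-routable ranges. The list of rejected ranges and the sample answers are my assumptions and constructed data; the well-known public resolver addresses appear only as sample "good" answers.

```python
"""Reproduce the 'No valid IP addresses found' decision offline.

Added example, not from the forum thread or from Let's Encrypt's validation
code. The UNUSABLE_RANGES list is an assumption modelled on the reply above
(RFC 1918, RFC 6598 and friends), not the CA's exact policy.
"""
import ipaddress
import socket

# Ranges a CA's validator cannot connect to from the public Internet (assumed list).
UNUSABLE_RANGES = [
    ("RFC 1918 private", "10.0.0.0/8"),
    ("RFC 1918 private", "172.16.0.0/12"),
    ("RFC 1918 private", "192.168.0.0/16"),
    ("RFC 6598 shared address space (CGNAT)", "100.64.0.0/10"),
    ("loopback", "127.0.0.0/8"),
    ("loopback", "::1/128"),
    ("link-local", "169.254.0.0/16"),
    ("link-local", "fe80::/10"),
    ("unique local (RFC 4193)", "fc00::/7"),
    ("this network (RFC 1122)", "0.0.0.0/8"),
    ("unspecified", "::/128"),
    ("documentation", "192.0.2.0/24"),
    ("documentation", "198.51.100.0/24"),
    ("documentation", "203.0.113.0/24"),
    ("documentation", "2001:db8::/32"),
    ("multicast", "224.0.0.0/4"),
    ("multicast", "ff00::/8"),
]
_NETWORKS = [(why, ipaddress.ip_network(cidr)) for why, cidr in UNUSABLE_RANGES]


def classify_address(text):
    """Return None if the address is usable, otherwise a short rejection reason."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return "not an IP address"
    for why, net in _NETWORKS:
        if addr.version == net.version and addr in net:
            return why
    return None


def usable_addresses(answers):
    """Split resolver answers into (usable, [(address, reason), ...])."""
    usable, rejected = [], []
    for answer in answers:
        reason = classify_address(answer)
        if reason:
            rejected.append((answer, reason))
        else:
            usable.append(answer)
    return usable, rejected


def validation_message(name, answers):
    """Message the check would produce, modelled on the thread's certbot output."""
    usable, rejected = usable_addresses(answers)
    if usable:
        return f"{name}: would try {', '.join(usable)}"
    detail = "; ".join(f"{a} ({r})" for a, r in rejected) or "no A/AAAA answers"
    return f"{name}: No valid IP addresses found ({detail})"


def resolve_addresses(name):
    """Live lookup through the system resolver (needs network; not used in the demo)."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed answers; they are not what moon.daemon.contact returns.
    samples = {
        "private-only.example": ["192.168.1.10", "fd12::1"],
        "cgnat.example": ["100.66.0.7"],
        "empty.example": [],
        "public.example": ["8.8.8.8", "2001:4860:4860::8888", "10.0.0.1"],
    }
    for host, answers in samples.items():
        print(validation_message(host, answers))
```

Run it against your own zone by replacing the constructed answers with `resolve_addresses("moon.daemon.contact")`; if every answer comes back usable, the validator's rejection was not about the address ranges, which narrows the problem to what the authoritative servers answered at that moment.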

👍
That sounds better than with most software I look into.

I do. At the point when I am sure that I know what I am doing (e.g. understanding DNSSEC), I will pull these authoritative servers into my own rabbit hole. Then there will be logs.

Thanks again!


Might be unrelated in this case, but these settings lend themselves to slow DNS propagation:

        primary name server = maceio.porkbun.com
        responsible mail addr = support.porkbun.com
        serial  = 1
        refresh = 10800 (3 hours)   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
        retry   = 3600 (1 hour)     <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

And I also love how they hide the actual sync status with "serial = 1"
[that does more harm than good when troubleshooting is needed]

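As an added example (not from the thread or from any Porkbun or Let's Encrypt tooling), the following script parses the nslookup-style SOA printout quoted above and flags the two points that reply raises: refresh and retry timers that let secondaries lag for hours, and a serial that is not date-based and therefore tells you nothing when you compare the serials returned by each authoritative server. The thresholds are my assumptions for a zone whose records change often; the SOA text is the one quoted in the post.

```python
"""Flag SOA timers and serials that make DNS propagation hard to observe.

Added example, not part of the forum thread. Thresholds below are assumptions;
SOA_TEXT is the printout quoted in the post above.
"""
import re

SOA_TEXT = """\
        primary name server = maceio.porkbun.com
        responsible mail addr = support.porkbun.com
        serial  = 1
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)
"""

# Assumed comfortable upper bounds, in seconds, for a frequently changing zone.
MAX_REFRESH = 3600
MAX_RETRY = 900


def parse_soa(text):
    """Parse 'key = value (...)' lines into a dict; numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        match = re.match(r"\s*([\w ]+?)\s*=\s*(\S+)", line)
        if match:
            key = match.group(1).strip().lower().replace(" ", "_")
            value = match.group(2)
            fields[key] = int(value) if value.isdigit() else value
    return fields


def serial_looks_date_based(serial):
    """True for the conventional YYYYMMDDnn serial format."""
    text = str(serial)
    return (len(text) == 10
            and 1990 <= int(text[:4]) <= 2100
            and 1 <= int(text[4:6]) <= 12
            and 1 <= int(text[6:8]) <= 31)


def soa_warnings(soa):
    """Return human-readable warnings for slow or opaque propagation settings."""
    warnings = []
    refresh = soa.get("refresh", 0)
    retry = soa.get("retry", 0)
    serial = soa.get("serial", 0)
    if refresh > MAX_REFRESH:
        warnings.append(f"refresh={refresh}s: secondaries that only poll see changes "
                        f"up to {refresh // 3600} h late unless NOTIFY is used")
    if retry > MAX_RETRY:
        warnings.append(f"retry={retry}s: a failed refresh is retried only after "
                        f"{retry // 60} min")
    if not serial_looks_date_based(serial):
        warnings.append(f"serial={serial}: not date-based (YYYYMMDDnn); a serial that "
                        f"does not advance visibly hides whether nameservers are in sync")
    return warnings


def serial_spread(serials_by_server):
    """Given {nameserver: serial} from querying each NS directly, return the stale ones."""
    newest = max(serials_by_server.values())
    return {ns: s for ns, s in serials_by_server.items() if s != newest}


if __name__ == "__main__":
    soa = parse_soa(SOA_TEXT)
    for warning in soa_warnings(soa):
        print("WARN", warning)
    # Constructed per-server serials, as you would collect with `dig @<ns> SOA <zone>`.
    print("stale:", serial_spread({"ns1.example": 2024061502, "ns2.example": 2024061501}))
```

The `serial_spread` check is the one that would have answered the question at the time: query each authoritative server directly for the zone's SOA and compare serials. With a provider that always reports `serial = 1`, that comparison is useless, which is exactly the complaint in the post.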
