No valid IP addresses found

My domain is:

I ran this command:
I'm using windows so I use win-acme installation guide. I choose the following I highlighted:

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options...
Q: Quit

Please choose from the menu: N

Running in mode: Interactive, Simple

Please select which website(s) should be scanned for host names. You may
input one or more site identifiers (comma-separated) to filter by those
sites, or alternatively leave the input empty to scan all websites.

5: EmployeeTasks (1 binding)

Site identifier(s) or to choose all:

1: (Site 5)

Listed above are the bindings found on the selected site(s). By default all
of them will be included, but you may either pick specific ones by typing the
host names or identifiers (comma-separated) or filter them using one of the
options from the menu.

P: Pick bindings based on a search pattern
A: Pick all bindings

Binding identifiers(s) or menu option: A

1: (Site 5)

Continue with this selection? (y*/n) - yes

Target generated using plugin IIS:

It produced this output:

Target generated using plugin IIS:

[] Authorizing...
[] Authorizing using http-01 validation (SelfHosting)
[] Authorization result: invalid
[] {
"type": "urn:ietf:params:acme:error:dns",
"detail": "No valid IP addresses found for",
"status": 400

My web server is (include version):
Internet Information Services (IIS) 10.0.14393.0

The operating system my web server runs on is (include version):
Windows Server 2016 Standard

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Software version (release, trimmed, standalone, 64-bit)

1 Like

The IP address behind that hostname is an address from the range:	3600	IN	A
;; Received 62 bytes from in 22 ms

That range is reserved for shared addresses, used in carrier-grade NAT for example. See also RFC 6598. Those IP addresses aren't globally routable on the internet, so Let's Encrypt can't connect to it to validate the hostname. Actually, nobody on the internet could connect to your site using that IP address.

1 Like

Actually, nobody on the internet could connect to your site using that IP address.

I get access the test side in my browser using which uses with no problems. So I'm not sure why nobody on the internet could connect to my site?

But more importantly what do I do about it? Ask my ISP for a new static IP?

Is your server on the same network as the client you're testing from? You should test from a remote location on the web. For example, sites as - Is Employeetasks Down Right Now? or employeetasks.

Please check out the links I've provided in my post.

You need a globally routable IP address.

You could ask your ISP, but there is a chance they will refuse such a request or you'll need to pay for it, since IPv4 addresses are getting scarce.

1 Like

Your right, my router told me my external IP was Which I used in my DNS with This works fine from inside my network. I didn't realise untill now it doesn't work from outside.

Using I got a another IP which is the right one I guess.

Thanks for clearing up my mistake, I feel a little embarrassed I didn't pick up on that.


If your server is running a test site saying "Test site is running", then your server is reachable indeed. Once you've changed the IP address on your hostname, you should be able to get a certificate. Which you've already done I see :slight_smile:

1 Like

Yeah thanks for your help :blush:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.