No valid IP found (http-01)

I am new to certbot and getting issues. I am sharing my details here for a test class project, please help me out to understand what is wrong.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: foriox.ml

I ran this command: /etc/cron.daily/certbot-renewal
(Instructions available :- https://www.exratione.com/2019/02/a-mailserver-on-ubuntu-18-04-postfix-dovecot-mysql/)

It produced this output:No valid IP addresses found for mail.foriox.ml

My web server is (include version): Apache2 2.4.29-1ubuntu4 (assuming as httpd -v not working)

The operating system my web server runs on is (include version): Ubuntu 18.04 Bionic Beaver

My hosting provider, if applicable, is: myfreenon.com

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No control panel is used or I am not aware of

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Version 0.27.0

From my domain provider under DNS management I pointed the A records (both mail.foriox.ml and foriox.ml) to my server IP.

When I used the command to create the certificate ( etc/cron.daily/certbot-renewal
/ Instructions available :- https://www.exratione.com/2019/02/a-mailserver-on-ubuntu-18-04-postfix-dovecot-mysql/), I am getting failed authorization procedure : No valid IP addresses found for mail.foriox.ml).

I did NSLOOKUP and PING, mail.foriox.ml and foriox.ml are resolving to my server IP. as i mentioned earlier I am new, please help me figure out what is wrong here.

Thanks,
Dan

This domain has the IP 172.23.227.86. That's a private IP address, so Let's Encrypt can't connect to it to verify ownership. If you want to get a Let's Encrypt cert for this domain, it either needs to have a public IP, or you need to use the DNS challenge: Challenge Types - Let's Encrypt

Thank you, i missed that my IP is private. I will give DNS challenge a shot or try to use my public IP and connect back here if i still get the issue.

If you want other mail servers on the world wide web connecting to your mailserver (so you can actually receive e-mail), you’d need to put a public IP address in the DNS record anyway. Although I see it’s for a “test class”, so perhaps that’s not required.

I did point the public IP address in my DNS record. https://dnschecker.org/#A/www.foriox.ml does point to the public IP.

I have opened port 80 and 443 on my server. I am getting error :- Timeout during connect (likely firewall problem). Though my firewall status does indicate 80 and 443 are allowed/open.

I am not sure what is going wrong.

When i am using manual DNS method to get the certificate, i am getting :-
Could not choose appropriate plugins: Too many flags settings configurators/installers/authenticators ‘webroot’ --> 'manual
Too many flags settings configurators/installers/authenticators ‘webroot’ --> ‘manual’

Command used:- certbot certonly --manual --preferred-challenges dns -d foriox.ml

Hi @dagraves

there is no answer - see https://check-your-website.server-daten.de/?q=foriox.ml#url-checks

Only timeouts.

If your server works internal (curl http://foriox.ml/.well-known/acme-challenge/1234), it's a wrong router configuration or a blocking firewall.

Looks like you somewhere also had --webroot mentioned. Your latest command should work.

( curl http://foriox.ml/.well-known/acme-challenge/1234 ) this is stating curl (7) Failed to connect to foriox.ml port 80: Connection refused.

You’re correct, something is blocking the connection. I have UFW firewall and port 80 and 443 are allowed in it. Am i missing anything?

Whenever i try this command it says “Timeout during connect (likely firewall problem)”. Not sure why it’s getting blocked, port 80 and 443 are open on my system via UFW firewall

Also in your modem and/or router?

Looks like a home server. Allows your ISP port 80?

Some ISP block port 80.

Your newest check says: Not the domain, not the ip answers.

PS: Oh, that looks good:

D:\temp>tracert 73.222.22.239

1 <1 ms <1 ms <1 ms fritz.box [192.168.0.1]
2 5 ms 4 ms 4 ms p3e9bf075.dip0.t-ipconnect.de [62.155.240.117]
3 101 ms 120 ms 100 ms was-sa2-i.WAS.US.NET.DTAG.DE [62.154.5.106]
4 * 100 ms 100 ms was-sa2-i.WAS.US.NET.DTAG.DE [62.154.5.106]
5 106 ms 101 ms * 80.150.169.198
6 101 ms 101 ms 100 ms be-2107-cs01.ashburn.va.ibone.comcast.net [96.110.32.185]
7 102 ms 102 ms 101 ms be-1111-cr11.ashburn.va.ibone.comcast.net [96.110.32.106]
8 114 ms 115 ms 114 ms be-301-cr11.56marietta.ga.ibone.comcast.net [96.110.32.1]
9 115 ms * 115 ms be-1111-cs01.56marietta.ga.ibone.comcast.net [96.110.32.5]
10 130 ms 114 ms 114 ms be-1114-cr14.56marietta.ga.ibone.comcast.net [96.110.34.242]
11 126 ms 126 ms 125 ms 96.110.32.218
12 128 ms 129 ms 128 ms be-1212-cs02.houston.tx.ibone.comcast.net [96.110.46.117]
13 128 ms 127 ms 133 ms be-1213-cr13.houston.tx.ibone.comcast.net [96.110.46.122]
14 169 ms 156 ms 157 ms 96.110.37.190
15 161 ms 162 ms 161 ms be-11525-cr01.9greatoaks.ca.ibone.comcast.net [68.86.84.150]
16 * 166 ms 164 ms be-7922-rar01.hayward.ca.sfba.comcast.net [68.86.91.66]
17 164 ms 164 ms 164 ms 162.151.79.158
18 162 ms 161 ms 162 ms lag2-acr13.santaclara.ca.sfba.comcast.net [96.110.179.86]
19 175 ms 172 ms 188 ms c-73-222-22-239.hsd1.ca.comcast.net [73.222.22.239]

So the ip is online and answers.

May be your router blocks port 80.

Or the port forwarding is wrong.

PPS: Works your webserver internal?

curl http://www.foriox.ml/ 
curl http://73.222.22.239/

from that machine?

I do not have access to my modem and l\router unfortunately. But there is no restrictions i.e. any rule added to the router

I have XFINITY, i will have to check if my ISP block port 80.

PS: My DNS has A records pointing to 73.222.22.239 (www and blank)

curl http://www.foriox.ml/
It says the same as below
curl http://73.222.22.239/
It is pulling an HTML doc “-https://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd” Titkle “XFINITY” i think it’s asking to login to make changes.

Unfortunately i do not have access to the router. Any alternative if the router is the cause?

Without a port map in your router, your router doesn’t know how to forward the TCP packets from the internet to your internal IP address.

Perhaps this guide helps: https://www.xfinity.com/support/articles/port-forwarding-xfinity-wireless-gateway

Hi all,

A quick update:

I moved my server to GCP Cloud and I have a public IP [35.235.111.128 ] for the VM. I entered all the details in my DNS (https://my.freenom.com/) as below:

A record: Name: Blank Type: A TTL 3600 Target 35.235.111.128
A record: Name: WWW Type: A TTL 3600 Target 35.235.111.128

MX record Name: Blank Type :MX TTL 3600 Target mail.foriox.ml
MX record Name: Mail Type :MX TTL 3600 Target mail.foriox.ml

I believed that since my IP is now Public to the VM and registered on my DNS then Letsencrypt should be able to reach complete the challenge. I am still getting the below error:

Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mail.foriox.ml (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for mail.foriox.ml
IMPORTANT NOTES:

• The following errors were reported by the server:
  Domain: mail.foriox.ml
  Type: None
  Detail: No valid IP addresses found for mail.foriox.ml

Please let me know if i am missing anything. I need to get it resolved ASAP. Thanks

I can see foriox.ml at 35.235.111.128 though it is, of course, not serving a useful certificate yet.

I do not get any DNS records for mail.foriox.ml.

Screenshot_20200823-212824_Samsung Internet1440×3040 499 KB

Screenshot_20200823-213205_Samsung Internet1440×3040 512 KB

Screenshot_20200823-213150_Samsung Internet1440×3040 280 KB

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: foriox.ml

I ran this command: /etc/cron.daily/certbot-renewal (Instruction available on https://www.exratione.com/2019/02/a-mailserver-on-ubuntu-18-04-postfix-dovecot-mysql/)

It produced this output:
Failed authorization procedure. mail.foriox.ml (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresse
s found for mail.foriox.ml
IMPORTANT NOTES:

• The following errors were reported by the server:
  Domain: mail.foriox.ml
  Type: None
  Detail: No valid IP addresses found for mail.foriox.ml
  postfix: unrecognized service
  dovecot: unrecognized service

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 18.04 Bionic

My hosting provider, if applicable, is: GCP Google Cloud

I can login to a root shell on my machine (yes or no, or I don’t know): Yes I can

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No control panel , Only GCP ( If GCP has one, i am unaware of)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):0.27.0

The last resource record isn't correct and leads to this result:

mail.foriox.ml. 3600 IN MX 0 mail.foriox.ml.

I'm pretty sure you don't need email addresses like example@mail.foriox.nl, because that's what you did just now (although without an A record nothing is going to happen..)

You'll need to remove the MX record and add an A record for mail.foriox.ml also pointing to your IP address.

That's almost exactly what I was thinking, but I didn't want to presume anything. I figured the MX record should just be for foriox.ml. Wouldn't it also make more sense just to use a CNAME for the www rather than another A?

Hmm, I thought there were rules for MX records and CNAMEs. A record is always safe