Trying to set up an ASUS RT-AX86U; Stuck in Authorizing"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: Running from DDNS page on router

It produced this output: Authorizing

My web server is (include version): ASUS RT-AX86U

The operating system my web server runs on is (include version):Official firmware release

My hosting provider, if applicable, is:WWW.ASUS.COM

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Unfortunately, if this is your Internet IP (below), you won't be able to get a cert via HTTP authentication.
And even if you do get a cert via any other method, only a very small part of the Internet will be able to see your site.


That IP is within the CGNAT CIDR: 100.64/10

1 Like

Thank you for the reply. I have no idea where that IP came from; in fact, I have no idea what "CGNAT CIDR" means, but I assume it is not good.

My IP, according to is I've has MetroNet for more than a year now and, as far as I know, the external IP has not changed. Do you have any suggestions? Should I try another host name?

Many thanks,

  • Tim -

You need to have the IP updated then - not sure how that happens with ASUS.

1 Like

Yeah, I was afraid of that. ASUS Support seems to be non-existent.

  • Tim -

Note that sites such as probably will find the CG-NAT endpoint of your internet service provider, if CG-NAT is being used. This is due to the fact that the source IP address from the TCP connection has been altered from your IP address to the ISP IP address: that's the whole NAT part of CG-NAT.

(Unless those sites use fancy client side scripts to somehow manage to retrieve the IP address from the local network/router or something, but I wouldn't know how..)

It's probably a good idea to check directly in your routers menu to see what IP address it has received from your ISPs DHCP server.


You are exactly correct. My router got the 100 IP from MetroNet. I've contacted them and they say they can provide a static IP for an additional $10/month. That ain't gonna happen.

I'll try a factory reboot on my router and see it that helps.

1 Like

It's unlikely to help; public IPv4 addresses are getting pretty expensive. It's getting more and more common for ISPs to only provide residential connections with a public address if one pays more for it.


If you really require a Let's Encrypt certificate, you might be able to use the dns-01 plugin. By using the DNS, it doesn't require inbound HTTP connections for the validation.

However, with inbound HTTP and HTTPS connections not working due to CG-NAT, the usage for a Let's Encrypt certificate is also pretty close to zero.


Thank you all for your help and advice. Peter is correct - a factory reset did nothing. I reinstalled my old router and it too get to infamous "" IP. Looks like I'll take advantage of Metronet's offer of "one free year of static IP", then decide if I really need it badly enough to pay the additional $10/month or look for a different ISP.

Thank you all once again.

-Tim -

1 Like

For $10/month (or less) you could host your content on a server on the Internet.


Yes, I suppose so, but now that I'm retired, I mainly need access from outside my home network for my Security cameras. While I do have a workaround (quickconnect to my DSM), it would be nice to have more flexibility. I'll try tit for the free year, then we'll see.

Thanks again for putting me onto the underlying problem.

BTW - this is a fairly recent (unannounced) change by my ISP. Never had this issue before.

  • Tim -
1 Like

I see your problem now.
I can't think of any way to get inbound connections without having a real IP (sorry).

Likely, somewhere in the fine print they can do this without consent nor any notice/warning.
[so sad - bad business]

On a brighter note: Have you looked into using an IPv6 address instead?
[they are usually FREE and well supported these days]
[warning: advanced networking topic (not for beginners)]


I'd argue that in many ways IPv6 is easier for beginners, because you don't generally need to deal with this NAT (and multiple-NAT) most IPv4 implementations have nowadays. For many consumer routers it's just built-in, where it gets an IPv6 prefix, announces it your network, and all your devices just automatically configure themselves. Then all you need to do is open the firewall ports on the router to the right places, rather than the trying to map outside ports to inside addresses that a NAT-ing IPv4 router would need.

But that, of course, is assuming that one's ISP is being competent, which may be a dubious assumption.

1 Like

In the scale from:
secure - - - - - - - - simple
I would always chose secure.
Yes, IPv6 might be simpler - but that just means (normally) it happens at the expense of security.
Not that IPv6 can't be secured - it just means you have to work a bit harder to get it both simple (enough) & secure (enough).

1 Like

Hey Guys, I'm back with an update. I finally got my static IP and nslookup shows the correct IP: = Unfortunately, my router still shows the Server Certificate Status as "Authorizing". Is there a time lag of this to finalize?

  • Tim -

Yes, the nslookup looks good but nothing is responding to http requests to that address. Lets Debug has some suggestions and is a good tool. It will need to report success to use an http challenge. Note it says you are currently rate limited. See it's info for details. Use the re-run test on this result page to refresh results after you change things (or wait for limit to expire).

Ok, now I'm down to just the "Rate Limited" error, but still in "Authorizing". Anything more I can try?

Yes, try using the test/staging environment.
Once all testing has been successfully completed, then switch back to the production environment.

I have no idea how to go about that. I don't have a "test/staging" environment and if Let's Encrypt does, I don't have access.