Unable to obtain certificate for domain

I am trying to install letsencrypt for hage.vegafjord.me using freedombox, but get an error message. I received a log, but I don't understand its content.

Expected Results
Expect to get a certificate.

Actual results
An error message.

Screenshot

Screenshots on my cloud, because I couldn't add them to this post:

I also have another screenshot displaying the message shown in the freedombox.

Information
Device: Pioneer Freedombox
My web server is (include version): Freedombox (don't know how to check version)
The operating system my web server runs on is (include version): Debian v11.2
My domain is: https://hage.vegafjord.me
My hosting provider, if applicable, is: myself
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): unsure
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): unsure

Hi @vegafjord, and welcome to the LE community forum :slight_smile:

Please get your IP address:
curl -6 ifconfig.co

and compare that IP to the output of:
nslookup hage.vegafjord.me

3 Likes

I get this as a result:

vegafjord@freedombox:~$ curl -6 ifconfig.co
[ipv6 address = A]
vegafjord@freedombox:~$ nslookup hage.vegafjord.me
Server:         [local ipv4 address = B]
Address:        [local ipv4 address = B]#[port]

Non-authoritative answer:
Name:   hage.vegafjord.me
Address: [ipv6 address = A]

vegafjord@freedombox:~$

I'm pretty sure that's not the literal output of those commands. Please post the exact output.

3 Likes

I have to censor the ip-address.

Why? From the screenshots it seems your client is using the http-01 challenge, so the IP address needs to be public for the challenge to be validated anyway...

4 Likes

I don't understand what you are saying. Could you explain as if I don't know letsencrypt?

To obtain a certificate for a certain hostname, Let's Encrypt needs to know the requesting party is actually the owner of that hostname, so a challenge needs to be performed. See How It Works - Let's Encrypt for more info about that. One of the three possible challenges (see Challenge Types - Let's Encrypt for info about those three challenge types) is the http-01 challenge, which requires a (HTTP) connection from the LE validation servers to a webserver running on the host.

To make that HTTP connection, it's obviously necessary for LE to be able to resolve the hostname to an IP address. Without the IP address, no HTTP connection. So your hostname needs to be publicly resolvable to the correct IP address of the host.

3 Likes
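As an added example (not code from this thread, Let's Encrypt or FreedomBox), here is a small Python pre-flight check that mirrors what the validation servers must be able to do for http-01: resolve the name to a public address and complete a TCP handshake to port 80. The hostname is the one from the thread; the "not_public" class and the injectable resolver/connector are my own additions so the logic can be exercised offline.

```python
# Added example: a pre-flight check for the http-01 challenge, written from
# scratch for this thread (not Let's Encrypt or FreedomBox code).
import ipaddress
import socket

HTTP_PORT = 80  # http-01 validation always begins on plain HTTP, port 80


def resolve_addresses(hostname: str) -> list[str]:
    """Return every A/AAAA address the hostname resolves to, in order, no dups."""
    try:
        infos = socket.getaddrinfo(hostname, HTTP_PORT, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []  # NXDOMAIN or no A/AAAA record: the CA cannot connect at all
    addrs: list[str] = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def tcp_reachable(ip: str, port: int = HTTP_PORT, timeout: float = 5.0) -> bool:
    """True if a TCP handshake to ip:port completes (works for IPv4 and IPv6)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose_http01(hostname: str, resolver=resolve_addresses,
                    connector=tcp_reachable) -> dict:
    """Classify why http-01 would fail. resolver/connector are injectable
    (assumed helper design) so the check can run without network access."""
    addrs = resolver(hostname)
    if not addrs:
        return {"status": "unresolvable", "addresses": []}
    # A private or link-local address (e.g. 192.168.x.x, fe80::) is unusable
    # from the CA's validation servers even if it is "correct" on the LAN.
    private = [ip for ip in addrs if not ipaddress.ip_address(ip).is_global]
    if private:
        return {"status": "not_public", "addresses": addrs, "private": private}
    reachable = [ip for ip in addrs if connector(ip)]
    if not reachable:
        return {"status": "unreachable", "addresses": addrs}
    return {"status": "ok", "addresses": addrs, "reachable": reachable}


if __name__ == "__main__":
    print(diagnose_http01("hage.vegafjord.me"))  # hostname from the thread
```

A status of "ok" only means port 80 accepts a TCP connection from where the script runs; run it from outside your own network (or an IPv6-capable VPS) to see what the validation servers see.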

I still don't understand, but here you go anyways.

vegafjord@freedombox:~$ curl
curl: try 'curl --help' or 'curl --manual' for more information
vegafjord@freedombox:~$ curl -6 ifconfig.co
2a01:799:3da:6c00:a317:99b5:caa2:78b6
vegafjord@freedombox:~$ nslookup hage.vegafjord.me
Server:         192.168.10.1
Address:        192.168.10.1#53

Non-authoritative answer:
Name:   hage.vegafjord.me
Address: 2a01:799:3da:6c00:a317:99b5:caa2:78b6

vegafjord@freedombox:~$

I can't reach 2a01:799:3da:6c00:a317:99b5:caa2:78b6 in any way (ping, port 80, port 443). Does that host accept incoming connections from the internet?

(I realise now that your host is IPv6 only, which is fine, but I didn't notice that so I didn't try a dig for the AAAA record. Now I see the hostname can resolve to the AAAA record indeed. Due to DNS your IP address was public anyway, so redacting it was useless to begin with :wink:)

5 Likes