Let's Encrypt Error: No Valid IP Addresses Found

Pioneer Support
1

Hello all,

  • My FreedomBox is plugged into my home’s router, both of which are in my room.
  • I bought it early last year, around March or April.
  • Its version is 20.21 with Debian GNU/Linux 10 (Buster).

I can’t get Let’s Encrypt to obtain a certificate for my domain. Let’s say it’s called example.freedombox.rocks. Here’s the error message:

Failed to obtain certificate for domain example.freedombox.rocks: Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Obtaining a new certificate Performing the following challenges: http-01 challenge for example.freedombox.rocks Using the webroot path /var/www/html for all unmatched domains. Waiting for verification… Cleaning up challenges Failed authorization procedure. example.freedombox.rocks (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for example.freedombox.rocks

Here’s what I remember doing to get to this point:

  • I set my router to forward ports 80 (HTTP) and 443 (HTTPS).
  • I set my FreedomBox’s domain name to example.freedombox.rocks.
  • I enabled and configured Dynamic DNS to use GnuDIP as the service type and gnudip.datasystems24.net as the GnuDIP server address.
  • I found my FreedomBox’s IP address and used GnuDIP Web Interface to point example.freedombox.rocks to it.

Currently, I can access example.freedombox.rocks on my GNU+Linux laptop via wireless connection, and on one of my Windows desktops via wired connection, both of which are in my room and connected to my home’s router. However, it’s inaccessible via Tor and my VPN. Strangely, I can’t even access it on my other Windows desktop in a room next to mine via wired connection to my home’s router, even without Tor and my VPN.

Any ideas on where to go from here? I’m stumped. :man_shrugging:

2

How to troubleshoot connection problems?

[There is a need to have something that answers that in a more visible FAQ https://wiki.debian.org/FreedomBox/QuestionsAndAnswers, and there are links missing to the FAQ on freedombox.org and in this forum.]

The ideas I chip in:

Name Resolution

  • Check the error message when entering your freedombox domain in the browser (within the internal network and from an outside internet connection).
    • Note, the extenal IP, and thus the public domain name, can only work internally if the router readily supports this, or is configured to do some redirecting or forwarding. Not sure how this routing feature is named.
  • Check the IP that gets returned for the dynamic DNS entry of your domain: host <your-freedombox-domain-name>

Router:

  • Is the port forwarding configuration correct and (still) there?
  • Manual port forwarding or opening can conflict with a “DMZ Host” setting. Try only one at a time.
  • Check the current external IP of your router in its configuration interface. This is the IP that must get returned for the public dynamic DNS entry above.
    If not, it could be the IP is old and dns updating is not working, or that it points to yet another involved party, a Carrier-grade-NAT.

Carrier-grade network address translation (CGN or CGNAT)

3

After some more dabbling, I finally I gave my ISP a call and was told they use CGNAT. :man_facepalming: So, it’s time to either get myself a public IP address or PageKite account. I’ll report back if I run into difficulties. Thank you very much for the help! :+1: