@thechildofroth whats going wrong with certbot? i have this same stack running on my server so maybe we can compare notes

@xandris When I try to get a certificate (either using dietpi-letsencrypt or directly from the prompt (as per the jellyfin instruction)) it tells me I don't have an A or AAAA record.

But when I do:
curl --verbose http://my.domain

it comes straight back with:
trying ip.of.router.im.looking.for

so curl seems to be finding the dns record ok

@thechildofroth @xandris You can try ‘dig @9.9.9.9 my.domain’ to have more information about the DNS information.
If you’ve got no answer, it’s definitely a DNS problem.

@rds @xandris So dig returns a seemingly sensible response (I can see my domain and my IP in there). The only concern is that I can see:

Query1, Answer1, Authority0, Additional1

Should Authority (I'm guessing this might be related to 'SOA') be 1 too?

(for any other rookies playing along 'dig' is in bind9-dnsutils on #Debian - not installed by default in #DietPi it seems)

@thechildofroth @rds i found this tool in the letsencrypt forum. what does it tell you?

https://letsdebug.net/

@xandris @rds The DNS test passes but the TLS one gives me the same error as when I submit with Certbot ('no valid A records for domain, no valid AAAA records for domain').

The http test fails because of: A private, inaccessible, IANA/IETF-reserved IP...replace it with a public one or use the DNS validation method instead. (and it shows my IP in the response too)

@thechildofroth @rds its claiming its a private ip?

that makes it sound like its one of 192.168... or 10... or 172.16...

https://en.m.wikipedia.org/wiki/Reserved_IP_addresses

@thechildofroth @rds does the ip actually fall into one of those ranges in the wikipedia article?

@xandris @rds Ahh, yes. It's in the range described as:

Shared address space for communications between a service provider and its subscribers when using a carrier-grade NAT

Hmm, is there a way around that (I knew didn't have a fixed IP but I was going to use my domain providers DNS API to dynamically update the IP as required.

@thechildofroth @rds i haven't looked into dynamic dns solutions (aka dyndns) in a while. you may be able to buy a static ip for a little extra fee from your isp. last time i checked your router might be able to interface with your registrar's dyndns feature. asuswrt has such a feature. server side i found:

- ddclient (perl daemon)
- ez-ipupdate
- inadyn
- updatedd

or roll your own with just curl if your registrar gives you a url:

https://gist.github.com/gbraad/e167a509a902263ed67264f346937aae

@thechildofroth @rds oh wait hold up

you have cg-nat which means you don't have a unique external address at all from what i understand. if you go to ip.me or similar, the address it shows you is shared with other customers. the gateway would have no way to know which customer an incoming connection should go to

all that to say...more research needed on how to receive connections when behind cg-nat. i think cloudflare offers something for this for free...

@xandris @rds One potentially interesting aside is that when I opened the port for Jellyfin directly, on the router, I could access jellyfin via my domain, so it does seem that the IP does lead back to me at least. But if I just have 80 and 443 open, no dice.

@xandris @rds My domain is hosted by @beasts and they provide an api (that you can set up a script to reach) that updates their DNS records programmatically. I have previously had it working so was confident I'd get to it again.

@thechildofroth @xandris @rds @beasts

If you're having trouble getting regular certbot certificates (because that requires certbot service to talk to the computer trying to get the certificates), you can try using the certbot DNS verification for certificates (because that only needs you to prove that you control the domain name, and doesn't really talk to your servers)

https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins

@double_a_runi @xandris @rds @beasts Thank you! I will give the 'manual' plugin a try today.

@double_a_runi @xandris @rds @beasts I used a very helpful guide from here: https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-dns-validation-with-acme-dns-certbot-on-ubuntu-18-04 and it appears to have worked (for the certificates at least) so now on to learning a bit more #Nginx to get my #Jellyfin server line.

Many thanks again for the very helpful nudge in the right direction!

@double_a_runi @xandris @rds @beasts I've continued to chase this around today and it does appear that there's no simple way around the CGNAT address issued by my ISP. I've reached out to them to find out what options they have to circumvent it.

@thechildofroth @double_a_runi @xandris @rds @beasts Worth checking if your ISP uses CGNAT for both IPv4 and IPv6 addresses. If you have a real IPv6 address, that might be the way to go.

@mdonkin @double_a_runi @xandris @rds @beasts There's no IPV6 address in the router control panel, although there is this article (from 2023) saying the ISP are ready and rolling it out to customers: https://www.ispreview.co.uk/index.php/2023/08/uk-broadband-isp-octaplus-confirms-ipv6-readiness.html

I wonder if there's something that I can do from my end to get upgraded?