Automatic Certificate Renewal Failing with bncert-tool

I have a website on AWS Lightsail and used the bncert-tool to create an SSL certificate. When the default renewal command attempts to run 30 days before expiration, I receive a 403 error. I have checked that port 80 is listening and I am able to view a sample file in .well-known.

I ran this command: sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt renew && sudo /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf -k graceful # bncert-autorenew

It produced this output:

2021/08/16 13:00:01 [INFO] [] acme: Trying renewal with 677 hours remaining
2021/08/16 13:00:01 [INFO] [,] acme: Obtaining bundled SAN certificate
2021/08/16 13:00:02 [INFO] [] AuthURL:
2021/08/16 13:00:02 [INFO] [] AuthURL:
2021/08/16 13:00:02 [INFO] [] acme: authorization already valid; skipping challenge
2021/08/16 13:00:02 [INFO] [] acme: Could not find solver for: tls-alpn-01
2021/08/16 13:00:02 [INFO] [] acme: use http-01 solver
2021/08/16 13:00:02 [INFO] [] acme: Trying to solve HTTP-01
2021/08/16 13:00:08 [INFO] Skipping deactivating of valid auth:
2021/08/16 13:00:08 [INFO] Deactivating auth:
2021/08/16 13:00:09 [INFO] Unable to deactivate the authorization:
2021/08/16 13:00:09 error: one or more domains had a problem:
[] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from [2600:9000:2048:8600:1f:c01c:5f40:21]: "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\nAccessDeniedAccess DeniedMFWJKHYZ083NC0"

The error message says your domain is redirecting to, so that needs to be a service that you run (like a Linux VM or container etc). To me that looks more like an S3 bucket, in which case you need to be able to make public HTTP requests to perform HTTP validation and lego needs to write the HTTP validation response to that storage.

If you are using AWS Route53 for DNS I would recommend using DNS validation instead of HTTP validation, if HTTP validation is going to be difficult.

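The failure above (lego writes the challenge file to the Apache webroot, but the ACME server reaches an address that answers with an S3-style AccessDenied) is easiest to confirm by fetching the challenge URL from every address the name resolves to, exactly as the validation server would. The script below is an added example, not part of this thread and not code from bncert-tool or lego; the `classify` verdict names, the `acme-probe` user agent and the sample AccessDenied body (constructed after the shape of the error in the log, tags restored) are assumptions of the example.

```python
"""Probe HTTP-01 reachability: resolve the domain's A and AAAA records,
fetch /.well-known/acme-challenge/<token> from each address with the
correct Host header, and classify what an ACME validator would see.
Added example, not part of the forum thread or of bncert-tool/lego."""
import http.client
import socket
import sys
from dataclasses import dataclass

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample modelled on the 403 body in the log (XML tags restored).
SAMPLE_DENIED = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                 b"<Error><Code>AccessDenied</Code><Message>Access Denied"
                 b"</Message><RequestId>EXAMPLE</RequestId></Error>")


@dataclass
class Verdict:
    kind: str     # "ok", "redirect", "access-denied", "wrong-body", "error"
    detail: str


def classify(status, location, body, expected):
    """Decide whether one HTTP response satisfies HTTP-01.

    status:   HTTP status code
    location: Location header value or None
    body:     raw response bytes
    expected: key authorization string lego wrote into the webroot file
    """
    text = body.decode("utf-8", errors="replace")
    if 300 <= status < 400 and location:
        # Let's Encrypt follows redirects, so the *target* must serve the file.
        return Verdict("redirect", f"{status} -> {location}")
    if status == 403 and "AccessDenied" in text:
        # S3/CloudFront-style XML error: this address is a storage endpoint,
        # not the host where lego's webroot lives.
        return Verdict("access-denied", "403 with S3-style AccessDenied body")
    if status == 200 and text.strip() == expected:
        return Verdict("ok", "body matches key authorization")
    if status == 200:
        return Verdict("wrong-body", f"200 but body is {text[:60]!r}")
    return Verdict("error", f"HTTP {status}")


def resolve_all(domain):
    """Return every (family, address) pair for the name. Validators prefer
    IPv6 when an AAAA record exists, so both families must be checked."""
    seen = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            domain, 80, type=socket.SOCK_STREAM):
        addr = sockaddr[0]
        if addr not in [a for _, a in seen]:
            seen.append((family, addr))
    return seen


def probe(domain, token, expected, timeout=10):
    """Fetch the challenge from each resolved address; return {addr: Verdict}."""
    results = {}
    for family, addr in resolve_all(domain):
        # http.client needs brackets around an IPv6 literal to avoid port parsing.
        host = f"[{addr}]" if family == socket.AF_INET6 else addr
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        try:
            conn.request("GET", CHALLENGE_PREFIX + token,
                         headers={"Host": domain, "User-Agent": "acme-probe"})
            resp = conn.getresponse()
            results[addr] = classify(resp.status, resp.getheader("Location"),
                                     resp.read(), expected)
        except OSError as exc:
            results[addr] = Verdict("error", str(exc))
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    # Usage: python probe.py example.com <token> <key-authorization>
    # (create the file in the webroot first, the way lego does during renew)
    if len(sys.argv) != 4:
        sys.exit("usage: probe.py DOMAIN TOKEN KEY_AUTHORIZATION")
    for addr, verdict in probe(*sys.argv[1:]).items():
        print(f"{addr:40} {verdict.kind:14} {verdict.detail}")
```

An address that comes back as `access-denied` or as a `redirect` to somewhere other than the Lightsail instance is the one the validator hits; fixing the A/AAAA records (or moving to DNS-01 as the reply suggests) resolves it, while the `ok` path shows the webroot is wired correctly for that address.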
