Automatic Certificate Renewal Failing with bncert-tool

I have a website on AWS Lightsail and used the bncert-tool to create an SSL certificate. When the default renewal command attempts to run 30 days before expiration, I receive a 403 error. I have checked that Port 80 is listening and I am able to view a sample file in .well-known.

I ran this command: sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="myname@email.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=domain.com renew && sudo /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf -k graceful # bncert-autorenew

It produced this output: 2021/08/16 13:00:01 [INFO] [kitchensaver.biz] acme: Trying renewal with 677 hours remaining
2021/08/16 13:00:01 [INFO] [kitchensaver.biz, www.kitchensaver.biz] acme: Obtaining bundled SAN certificate
2021/08/16 13:00:02 [INFO] [kitchensaver.biz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/21771018440
2021/08/16 13:00:02 [INFO] [www.kitchensaver.biz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/22348728110
2021/08/16 13:00:02 [INFO] [kitchensaver.biz] acme: authorization already valid; skipping challenge
2021/08/16 13:00:02 [INFO] [www.kitchensaver.biz] acme: Could not find solver for: tls-alpn-01
2021/08/16 13:00:02 [INFO] [www.kitchensaver.biz] acme: use http-01 solver
2021/08/16 13:00:02 [INFO] [www.kitchensaver.biz] acme: Trying to solve HTTP-01
2021/08/16 13:00:08 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/21771018440
2021/08/16 13:00:08 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/22348728110
2021/08/16 13:00:09 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/22348728110
2021/08/16 13:00:09 error: one or more domains had a problem:
[www.kitchensaver.biz] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://d3h48bcywyk9z1.cloudfront.net/TVsqZvAtNGLd7G81yfi2peqCALZnMLJ1xrY6L-VP2hs [2600:9000:2048:8600:1f:c01c:5f40:21]: "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\nAccessDeniedAccess DeniedMFWJKHYZ083NC0"

Diagnostic tool code:
b613421d-da3b-c27f-2121-63a38611f81d

The error message says your domain is redirecting to https://d3h48bcywyk9z1.cloudfront.net, so that needs to be a service that you run (like a Linux VM or container, etc.). To me that looks more like an S3 bucket, in which case you need to be able to make public HTTP requests to perform HTTP validation and lego needs to write the HTTP validation response to that storage.

If you are using AWS Route53 for DNS I would recommend using DNS validation instead of HTTP validation, if HTTP validation is going to be difficult.
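To see what the CA sees before the renewal runs, the following added probe (not from this thread or from lego) requests a challenge URL under /.well-known/acme-challenge/ without following redirects and reports whether the answer comes from the host itself, from an on-site redirect, or from an off-site host such as a CloudFront/S3 origin returning AccessDenied. The domain and token values are placeholders you supply.

```python
"""Probe an http-01 challenge path the way a CA would, but stop at the first hop."""
import urllib.error
import urllib.request
from urllib.parse import urlparse

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib surfaces the 3xx as an HTTPError instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, body, domain):
    """Turn one response (status, lower-cased header dict, body text) into a verdict.

    The verdict strings describe the three outcomes seen in practice: the token
    is served locally, the request is redirected within the domain, or it is
    redirected off-site (the case in the log above, ending in an S3-style 403).
    """
    if 300 <= status < 400:
        location = headers.get("location", "")
        host = urlparse(location).hostname or ""
        if host and host != domain and not host.endswith("." + domain):
            return f"redirect off-site to {host}: the CA validates there, not on this server"
        return f"redirect on-site to {location}: fine only if that target serves the token"
    if status == 403 and "AccessDenied" in body:
        return "403 AccessDenied: S3/CloudFront-style origin, not the webroot lego writes to"
    if status == 200:
        return "200: challenge path is served by this host"
    return f"HTTP {status}: unexpected response"


def probe(domain, token="probe-token", timeout=10):
    """Fetch http://<domain>/.well-known/acme-challenge/<token> and classify the first hop.

    `domain` and `token` are assumed placeholders; a real probe uses your own
    domain and any unused token, since only the path, not the content, matters here.
    """
    url = f"http://{domain}{CHALLENGE_PREFIX}{token}"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, raw_headers, body = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:  # 3xx and 4xx both land here
        status, raw_headers, body = err.code, err.headers, err.read()
    headers = {k.lower(): v for k, v in raw_headers.items()}
    return classify(status, headers, body.decode(errors="replace"), domain)
```

If the verdict is an off-site redirect, the fix is on the redirect rule (exempt /.well-known/acme-challenge/ from it) rather than on lego's options.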
