Bncert renewal failed with TLS handshake error

My Let's Encrypt cert expired and I went to try and renew it using 'sudo /opt/bitnami/bncert-tool'. It rolls through domains, contact email and confirmation. When it runs an error comes up (paste below). Any suggestions welcome!

An error occurred renewing certificates with Let's Encrypt:

2024/06/15 13:13:12 [INFO] [gymist.co.uk] acme: Trying renewal with -29 hours remaining
2024/06/15 13:13:12 [INFO] [gymist.co.uk, www.gymist.co.uk] acme: Obtaining bundled SAN certificate
2024/06/15 13:13:13 [INFO] [gymist.co.uk] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/363352580177
2024/06/15 13:13:13 [INFO] [www.gymist.co.uk] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/364283107647
2024/06/15 13:13:13 [INFO] [gymist.co.uk] acme: authorization already valid; skipping challenge
2024/06/15 13:13:13 [INFO] [www.gymist.co.uk] acme: use tls-alpn-01 solver
2024/06/15 13:13:13 [INFO] [www.gymist.co.uk] acme: Trying to solve TLS-ALPN-01
2024/06/15 13:13:22 http: TLS handshake error from 152.37.68.88:38421: tls: client requested unsupported application protocols ([h2 http/1.1])
2024/06/15 13:13:22 http: TLS handshake error from 152.37.68.88:39202: tls: client requested unsupported application protocols ([h2 http/1.1])
2024/06/15 13:13:22 http: TLS handshake error from 152.37.68.88:37443: tls: client requested unsupported application protocols ([h2 http/1.1])
2024/06/15 13:13:22 http: TLS handshake error from 152.37.68.88:40238: tls: client requested unsupported application protocols ([h2 http/1.1])
2024/06/15 13:13:22 http: TLS handshake error from 152.37.68.88:40239: tls: client requested unsupported application protocols ([h2 http/1.1])
2024/06/15 13:13:22 http: TLS handshake error from 152.37.68.88:37574: tls: client requested unsupported application protocols ([h2 http/1.1])

Press [Enter] to continue:

It's on AWS Lightsail, Bitnami, Apache

My domain is: gymist.co.uk

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
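For readers wondering what the "client requested unsupported application protocols ([h2 http/1.1])" lines mean: while the TLS-ALPN-01 solver holds port 443 it accepts only TLS handshakes whose ALPN extension offers "acme-tls/1" (the protocol the Let's Encrypt validator uses); an ordinary browser offering "h2" and "http/1.1" is rejected and logged exactly like this, so those lines are not the validator's connection failing. The following script, added here as an illustration and not part of bncert, lego or this thread, builds constructed ClientHello records in memory and parses their SNI and ALPN extensions to classify them the way such a solver must; `build_client_hello`, `parse_client_hello` and `classify` are names chosen for this example.

```python
"""Classify TLS ClientHellos by SNI and ALPN, as a TLS-ALPN-01 solver does.

Added example (hypothetical helper names, constructed packets); it is not
code from bncert, lego or the Let's Encrypt community thread.
"""
import struct

ACME_ALPN = "acme-tls/1"   # ALPN protocol id defined for TLS-ALPN-01 (RFC 8737)
EXT_SNI = 0                # extension type: server_name
EXT_ALPN = 16              # extension type: application_layer_protocol_negotiation


def build_client_hello(server_name, alpn_protocols):
    """Construct a minimal ClientHello record carrying SNI and ALPN (constructed sample)."""
    name = server_name.encode()
    # server_name list: list length (2), name type 0 (1), name length (2), name
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    # ALPN list: list length (2), then (length (1), protocol) entries
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn_protocols)
    alpn_data = struct.pack("!H", len(alpn_list)) + alpn_list
    exts = (struct.pack("!HH", EXT_SNI, len(sni_data)) + sni_data
            + struct.pack("!HH", EXT_ALPN, len(alpn_data)) + alpn_data)
    body = (b"\x03\x03" + bytes(32)                 # legacy version + random
            + b"\x00"                               # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (server_name, [alpn protocols]) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version + random
    pos += 1 + body[pos]                           # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                           # compression methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    server_name, alpn = None, []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SNI:
            name_len = struct.unpack("!H", data[3:5])[0]
            server_name = data[5:5 + name_len].decode()
        elif etype == EXT_ALPN:
            lst_len = struct.unpack("!H", data[0:2])[0]
            p = 2
            while p < 2 + lst_len:
                n = data[p]
                alpn.append(data[p + 1:p + 1 + n].decode())
                p += 1 + n
    return server_name, alpn


def classify(record, expected_name):
    """Decide whether a hello can be the ACME validator for `expected_name`."""
    name, alpn = parse_client_hello(record)
    if ACME_ALPN not in alpn:
        # This is the case Go's TLS stack reports as
        # "client requested unsupported application protocols".
        return "unsupported-alpn"
    if name != expected_name:
        return "acme-wrong-name"
    return "acme-validation"


if __name__ == "__main__":
    browser = build_client_hello("www.gymist.co.uk", ["h2", "http/1.1"])
    validator = build_client_hello("www.gymist.co.uk", [ACME_ALPN])
    for label, rec in (("browser", browser), ("validator", validator)):
        print(label, parse_client_hello(rec), "->", classify(rec, "www.gymist.co.uk"))
```

The takeaway for this thread: repeated "unsupported application protocols" entries only show that something other than the validator reached port 443 during the challenge; whether the validator itself reached the host is decided by where the name's A record points.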

Welcome to the community @Gymist

Usually both domains name have the same IP. Is it intentional they are different?

nslookup gymist.co.uk
Address: 13.42.98.221

nslookup www.gymist.co.uk
Address: 18.168.99.48

3 Likes

@Gymist

Nmap results for 13.42.98.221:
Nmap scan report for ec2-13-42-98-221.eu-west-2.compute.amazonaws.com (13.42.98.221)
Host is up (0.16s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

That would be: gymist.co.uk

On the other hand:

Nmap results for 18.168.99.48:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-15 16:45 PDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds

That would be: www.gymist.co.uk

So you have 2 (two) IPs... one for your apex domain (gymist.co.uk)
and one for a subdomain (www.gymist.co.uk).

Is there any reason why you would split the IP addresses this way? There has to be a motivation of some kind that eludes me.

And your DNS shows:

Please enter a domain: gymist.co.uk 
A records for gymist.co.uk : Domain does not exist
AAAA records for gymist.co.uk : Domain does not exist
MX records for gymist.co.uk : Domain does not exist
NS records for gymist.co.uk : Domain does not exist
CNAME records for gymist.co.uk : Domain does not exist
TXT records for gymist.co.uk : Domain does not exist
SOA records for gymist.co.uk : Domain does not exist

Please enter a domain: www.gymist.co.uk
A records for www.gymist.co.uk: ['18.168.99.48']
AAAA records for www.gymist.co.uk: No record found
MX records for www.gymist.co.uk: No record found
NS records for www.gymist.co.uk: No record found
CNAME records for www.gymist.co.uk: No record found
TXT records for www.gymist.co.uk: No record found
SOA records for www.gymist.co.uk: No record found

So what gives here? Please provide us more information so we can help you resolve the issue.

Might help also to have a look at your vhost configuration files...

2 Likes
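The check the two replies above are doing by hand (resolve the apex and the www name, confirm they point at the same host, and notice when a name does not resolve at all) can be scripted. The following is an added example, not code from the thread or from Bitnami; `resolve_names` and `check_consistency` are names chosen here, and the default resolver is the system one via `socket.gethostbyname_ex`, with an injectable resolver so the constructed cases from this thread can be replayed offline.

```python
"""Check that every hostname on a certificate resolves to the same host.

Added example (hypothetical helper names); not code from the forum thread,
bncert or Bitnami. The constructed address tables below reuse the IPs
quoted in the thread.
"""
import socket


def resolve_names(names, resolver=None):
    """Map each name to its sorted set of IPv4 addresses ([] if lookup fails)."""
    if resolver is None:
        def resolver(name):
            return socket.gethostbyname_ex(name)[2]
    resolved = {}
    for name in names:
        try:
            resolved[name] = sorted(set(resolver(name)))
        except OSError:            # NXDOMAIN / SERVFAIL surface as socket.gaierror
            resolved[name] = []
    return resolved


def check_consistency(names, resolver=None):
    """Return (ok, report). ok only when every name resolves and all share one address set."""
    resolved = resolve_names(names, resolver)
    report = []
    for name, addrs in resolved.items():
        if not addrs:
            report.append(f"{name}: no A record (lookup failed)")
    distinct = {tuple(addrs) for addrs in resolved.values() if addrs}
    if len(distinct) > 1:
        for name, addrs in resolved.items():
            if addrs:
                report.append(f"{name}: {', '.join(addrs)}")
        report.append("names resolve to different hosts; the ACME validator "
                      "only reaches the host each name points at")
    return (not report), report


if __name__ == "__main__":
    # Constructed table mirroring the split found in the thread.
    split = {"gymist.co.uk": ["13.42.98.221"], "www.gymist.co.uk": ["18.168.99.48"]}
    ok, report = check_consistency(list(split), lambda n: split[n])
    print("offline sample:", ok, report)
    # Live check against the real resolver:
    ok, report = check_consistency(["gymist.co.uk", "www.gymist.co.uk"])
    print("live:", ok, report)
```

Run it before starting the ACME client: with the names split across two hosts, only the host that a given name points at can answer that name's challenge, which is exactly why the www name stalled here while the apex authorization was still valid.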

Wow, those were fast replies. Thanks, guys!

No reason for differing IPs. In my rapid panic for the site being insecure, I used Certbot to try and renew the cert. It created a cert but then asked to install an SSL plugin on the wordpress install but couldn't get the plugin to work. So, I used an earlier snapshot (pre-certbot) to create a new instance. I've removed the A record that pointed to the old IP.

Unsure why the apex domain isn't showing records though; it has CNAMEs, TXT, A, NS, SOA and MX.

3 Likes

Not sure why either. @Rip will have to explain.

My post showed an A record for apex and www subdomain. Not sure why his queries showed different.

I see the two A records are now the same. But, I can't connect to either name with HTTP or HTTPS

A CNAME on the apex? I don't think so :)

But, yes, I see the others.

2 Likes

Who do I buy a beer? Cleaning up the records allowed me to successfully run bncert. Thanks guys!

2 Likes

No valid explanation or excuse. Looks like I had a temporary NS failure that I can't reproduce.

2 Likes

@Gymist I see with @MikeMcQ's help you have fixed up your DNS and obtained a cert! Good on you!
I have noticed a possible issue with your redirect...

curl -w "%{url_effective}\n" -L www.gymist.co.uk -o /dev/null

Enter the domain name or IP address: www.gymist.co.uk
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   228  100   228    0     0    642      0 --:--:-- --:--:-- --:--:--   642
100  124k    0  124k    0     0  96388      0 --:--:--  0:00:01 --:--:-- 96388
http://gymist.co.uk/

Notice the final destination is http://gymist.co.uk/ ?
Unless this is intentional, you might want to change the redirect to https://
;@)

3 Likes

Agree but redirecting www to the base name isn't the worst.

But, the http://gymist.co.uk doesn't redirect to HTTPS either.

If that redirect was fixed then all end up at the same place. And, it should be fixed anyway even if you change the redirect for HTTP://www

3 Likes
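The two posts above describe the check worth automating: every entry point (http and https, www and apex) should end at one canonical https URL, and no hop in the chain should send the visitor back to plain HTTP. The script below is an added example, not code from the thread; `follow`, `audit` and `live_fetch` are names chosen here. `live_fetch` does one request at a time with `http.client` (so redirects are observed rather than silently followed, as `curl -L` does), and the constructed tables reproduce the "before" state found in the thread and the intended "after" state so the audit can run offline.

```python
"""Audit redirect chains: all entry URLs must end at one canonical HTTPS URL.

Added example (hypothetical helper names, constructed response tables);
not code from the forum thread or from Apache/Bitnami.
"""
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECTS = (301, 302, 303, 307, 308)


def live_fetch(url):
    """Perform one GET without following redirects; return (status, Location)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=10)
    try:
        conn.request("GET", u.path or "/", headers={"Host": u.hostname})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def follow(url, fetch=live_fetch):
    """Return (chain of URLs visited, final status); raise on loops or too many hops."""
    chain = [url]
    for _ in range(MAX_HOPS):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain, status
        nxt = urljoin(chain[-1], location)
        if nxt in chain:
            raise RuntimeError("redirect loop: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)
    raise RuntimeError("more than %d redirects from %s" % (MAX_HOPS, url))


def audit(start_urls, canonical, fetch=live_fetch):
    """Return a list of problems; an empty list means every start URL is fine."""
    problems = []
    for url in start_urls:
        chain, _status = follow(url, fetch)
        if chain[-1] != canonical:
            problems.append(f"{url}: ends at {chain[-1]}, expected {canonical}")
        for hop in chain[1:]:              # the entry URL itself may be http
            if urlsplit(hop).scheme != "https":
                problems.append(f"{url}: redirected to plain-HTTP hop {hop}")
    return problems


def table_fetch(table):
    """Build a fetch function over a constructed {url: (status, Location)} table."""
    return lambda url: table[url]


# Constructed: the state the thread found (www -> http apex, apex never upgrades).
BEFORE = {
    "http://www.gymist.co.uk/": (301, "http://gymist.co.uk/"),
    "https://www.gymist.co.uk/": (301, "http://gymist.co.uk/"),
    "http://gymist.co.uk/": (200, None),
    "https://gymist.co.uk/": (200, None),
}
# Constructed: the intended state after the fix.
AFTER = {
    "http://www.gymist.co.uk/": (301, "https://gymist.co.uk/"),
    "https://www.gymist.co.uk/": (301, "https://gymist.co.uk/"),
    "http://gymist.co.uk/": (301, "https://gymist.co.uk/"),
    "https://gymist.co.uk/": (200, None),
}
CANONICAL = "https://gymist.co.uk/"

if __name__ == "__main__":
    print("before:", *audit(list(BEFORE), CANONICAL, table_fetch(BEFORE)), sep="\n  ")
    print("after: ", audit(list(AFTER), CANONICAL, table_fetch(AFTER)))
    print("live:  ", audit(list(AFTER), CANONICAL))   # hits the real site
```

Against the BEFORE table the audit reports five problems (both www entries end at, and hop through, plain HTTP, and http://gymist.co.uk/ never leaves HTTP); against AFTER it reports none, which is the state the later replies in this thread confirm.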

I concur... Absolutely. Easy but necessary fix.
EDIT: Personally I like redirecting to apex.. much "cleaner", IMHO.

3 Likes

Thanks for the note! Fixed the redirect.

3 Likes

Your certs and all redirects look good!

3 Likes

GOOD JOB!!
@MikeMcQ and @Gymist you guys are great and everything looks like it should.
Good on you!

3 Likes