Can not renewal my expired certificate

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

receiptwallet.app

I ran this command:

sudo /opt/bitnami/letsencrypt/lego --tls --http.port :80 --tls.port :443 --email="XXX" --domains="receiptwallet.app, www.receiptwallet.app" --path="/opt/bitnami/letsencrypt" renew --days 90

It produced this output:

2024/05/04 21:09:16 [INFO] [receiptwallet.app] acme: Trying renewal with -587 hours remaining
2024/05/04 21:09:16 [INFO] [receiptwallet.app, www.receiptwallet.app] acme: Obtaining bundled SAN certificate
2024/05/04 21:09:17 [INFO] [receiptwallet.app] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/346714551977
2024/05/04 21:09:17 [INFO] [www.receiptwallet.app] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/346714551987
2024/05/04 21:09:17 [INFO] [receiptwallet.app] acme: use tls-alpn-01 solver
2024/05/04 21:09:17 [INFO] [www.receiptwallet.app] acme: use tls-alpn-01 solver
2024/05/04 21:09:17 [INFO] [receiptwallet.app] acme: Trying to solve TLS-ALPN-01
2024/05/04 21:09:20 [INFO] [www.receiptwallet.app] acme: Trying to solve TLS-ALPN-01
2024/05/04 21:09:24 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/346714551977
2024/05/04 21:09:24 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/346714551987
2024/05/04 21:09:25 error: one or more domains had a problem:
[receiptwallet.app] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" f
or tls-alpn-01 challenge
[www.receiptwallet.app] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/
1" for tls-alpn-01 challenge
bitnami@ip-172-26-13-32:~$

My web server is (include version):

Wordpress 6, using aws lightsail

The operating system my web server runs on is (include version):
debian v11

My hosting provider, if applicable, is:
aws

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no, i'm using wordpress admin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

2

Is that the same command you used to get your earlier certs?

I see your domain is behind AWS CloudFront. Has it always been? Because I don't believe CloudFront supports TLS-ALPN. I don't know how it could route the incoming request from the Let's Encrypt server using ALPN to the system running lego. I could be wrong about CF and ALPN but it would be worth checking.

5 Likes
3

Thank you @MikeMcQ .

You are right, my domain is hosted in aws and i'm using CloudFront.

I solved the problem by disabling the CloudFront and host my domain back in the domain issuer site. And then the renewal succeeded.

3 Likes
4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.