Cannot negotiate ALPN protocol traefik

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: muneratifaes.it

I ran this command: I'm using a docker-compose file to create a wordpress site

It produced this output:

time="2021-04-13T09:14:58Z" level=error msg="Unable to obtain ACME certificate for domains "muneratifaes.it": unable to generate a certificate for the domains [muneratifaes.it]: error: one or more domains had a problem:\n[muneratifaes.it] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url: \n" rule="Host(muneratifaes.it)" routerName=wordpress@docker providerName=letsencrypt.acme

My web server is (include version):
I'm using the docker image provided from dockerhub.com

The operating system my web server runs on is (include version):
Debian 10 buster

My hosting provider, if applicable, is:
Gandi VPS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

--

Long description of the problem:

I have a wordpress docker-compose.yml file that is working. Initially I tried with the domain blog.muneratifaes.it and it works fine. I also have an Odoo docker image that works fine, and both of the domains have a valid certificate.

When I try to run the docker file changing the domain from blog. to muneratifaes.it this doesn't work and traefik tells me "Cannot negotiate ALPN protocol".

Until a few hours ago the domain muneratifaes.it was hosted on a Raspberry in my home, so I thought the problem was that there was already a valid certificate. I deleted the certificate on the Raspberry but nothing changed.

Hi @ekido

Your configuration looks buggy, see https://check-your-website.server-daten.de/?q=muneratifaes.it

You have ipv4 and ipv6:

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| muneratifaes.it | A | 46.226.107.226 Paris/Île-de-France/France (FR) - GANDI is an ICANN accredited registrar Hostname: xvm-107-226.dc0.ghst.net | yes | 1 | 0 |
| | AAAA | 2001:bc8:4::2 Clichy-sous-Bois/Île-de-France/France (FR) - Online S.A.S. | yes | | |

But checking http + /.well-known/acme-challenge/random-filename, ipv4 answers with a redirect, ipv6 with an http status 404 - Not Found.

Your blog has only ipv4.

Looks like ipv6 isn't configured.

That's fatal because Letsencrypt prefers ipv6 when checking your domain.

  • Remove the ipv6 (or, better)
  • fix it, so your website works with ipv6

Thanks!
I'll try this way
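
The comparison made in the reply above (does the AAAA target behave like the A target?) can be scripted per address for the tls-alpn-01 case. This is an added example, not part of the original thread; the function names are made up here and the sample addresses are constructed. A server may decline `acme-tls/1` when no challenge is pending, so the useful signal is a difference between the two address families.

```python
import socket
import ssl

ACME_ALPN = "acme-tls/1"  # protocol name from the error message in the log
# Constructed sample mirroring the thread: the IPv4 host answers, the AAAA target does not.
SAMPLE = {"ipv4": {"192.0.2.10": ACME_ALPN}, "ipv6": {"2001:db8::2": None}}

def resolve(host, port=443):
    """Group the resolver's answers for host into IPv4 and IPv6 addresses."""
    found = {"ipv4": [], "ipv6": []}
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        key = "ipv6" if family == socket.AF_INET6 else "ipv4"
        if sockaddr[0] not in found[key]:
            found[key].append(sockaddr[0])
    return found

def probe_alpn(ip, host, port=443, timeout=5):
    """Offer only acme-tls/1 to one address; return what the server selected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # challenge certificates are self-signed,
    ctx.verify_mode = ssl.CERT_NONE  # so this probe does not validate them
    ctx.set_alpn_protocols([ACME_ALPN])
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.selected_alpn_protocol()  # None if not negotiated
    except OSError as exc:  # refused, timed out, or TLS alert
        return f"error: {exc.__class__.__name__}"

def diagnose(results):
    """results: {"ipv4": {ip: outcome}, "ipv6": {ip: outcome}} -> list of findings."""
    findings = []
    for family in ("ipv6", "ipv4"):  # IPv6 first: the validator prefers it
        for ip, outcome in results.get(family, {}).items():
            if outcome != ACME_ALPN:
                findings.append(f"{family} {ip}: no {ACME_ALPN} ({outcome})")
    if findings and all(f.startswith("ipv6") for f in findings):
        findings.append("only the AAAA target fails: fix or remove the AAAA record")
    return findings

def check(host):
    """Live check: resolve host, probe every address, return the findings."""
    addrs = resolve(host)
    return diagnose({fam: {ip: probe_alpn(ip, host) for ip in ips}
                     for fam, ips in addrs.items()})
```

`diagnose(SAMPLE)` works offline on the constructed data; `check("your.domain")` needs network access and IPv6 connectivity from the machine running it.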
