Cannot negotiate ALPN protocol

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.welovebotanicals.com/

I ran this command: sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="wlb@gmail.com" --domains="welovebotanicals.com" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start

It produced this output: "identifier": {
    "type": "dns",
    "value": "www.welovebotanicals.com"
},
"status": "invalid",
"expires": "2020-02-07T19:17:52Z",
"challenges": [
    {
        "type": "tls-alpn-01",
        "status": "invalid",
        "error": {
            "type": "urn:ietf:params:acme:error:unauthorized",
            "detail": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge",
            "status": 403
        },
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/2573877916/yNxAJg",
        "token": "LeJ3oP7-3BtfFn_EFdMjlc5hSxJMaj2_nN_8rjcWTV0",
        "validationRecord": [
            {
                "hostname": "www.welovebotanicals.com",
                "port": "443",
                "addressesResolved": [
                    "104.31.83.14",
                    "104.31.82.14",
                    "2606:4700:3033::681f:530e",
                    "2606:4700:3033::681f:520e"
                ],
                "addressUsed": "2606:4700:3033::681f:530e"

My web server is (include version): bitnami-wordpress

The operating system my web server runs on is (include version): linux-debian

My hosting provider, if applicable, is: Google cloud platform

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot not installed

I used this tutorial to set up the site: https://www.youtube.com/watch?v=cG9kv5-5bPI. I have Cloudflare set as my CDN; the domain is through GoDaddy.


You can’t use TLS-ALPN (lego's --tls option) when your domain is going through Cloudflare’s proxy. Cloudflare doesn’t allow non-HTTP ALPNs to pass through its CDN.

I notice that you’ve now disabled the Cloudflare proxy on your domain, since creating your post.

If you try again, I suspect it should now work.


Success! I disabled that over an hour ago and had tried multiple times with no success; I just tried it again after your post and it worked. Is there a way to make it auto-renew?


There’s a guide to setting up automatic renewal using Bitnami + lego here: https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#step-5-renew-the-let-s-encrypt-certificate

Keep in mind, this is only going to work if you keep the Cloudflare proxy off. If you turn it back on, renewal will fail. If you want to keep it on, you will need to investigate using the --http.port or --http.webroot option in place of the --tls one (more info here).

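A pre-renewal check for the situation described in the two replies above (this is an added example, not code from the thread, from lego or from Let's Encrypt): it pulls the hostname and address the validator used out of a failed tls-alpn-01 authorization, then repeats the validator's handshake against that address, offering only the acme-tls/1 ALPN, so you can tell before a renewal whether a proxy or CDN is terminating TLS in front of the host. The sample authorization, the hostnames and the addresses below are constructed stand-ins.

```python
import json
import socket
import ssl

ACME_ALPN = "acme-tls/1"  # ALPN id the tls-alpn-01 validator must see selected (RFC 8737)

# Constructed sample shaped like the authorization object quoted in the question;
# that output was truncated, so this is a trimmed, well-formed stand-in.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "www.example.com"},
    "status": "invalid",
    "challenges": [{
        "type": "tls-alpn-01", "status": "invalid",
        "error": {"type": "urn:ietf:params:acme:error:unauthorized",
                  "detail": "Cannot negotiate ALPN protocol \"acme-tls/1\" "
                            "for tls-alpn-01 challenge", "status": 403},
        "validationRecord": [{"hostname": "www.example.com", "port": "443",
                              "addressesResolved": ["192.0.2.10", "2001:db8::10"],
                              "addressUsed": "2001:db8::10"}],
    }],
})

def failed_alpn_targets(authz_json):
    """List (hostname, addressUsed) for every tls-alpn-01 challenge in an ACME
    authorization that failed because the ALPN protocol was not negotiated."""
    targets = []
    for chal in json.loads(authz_json).get("challenges", []):
        if chal.get("type") != "tls-alpn-01" or chal.get("status") != "invalid":
            continue
        if "Cannot negotiate ALPN" not in chal.get("error", {}).get("detail", ""):
            continue
        for rec in chal.get("validationRecord", []):
            targets.append((rec["hostname"], rec["addressUsed"]))
    return targets

def probe_acme_alpn(hostname, address, port=443, timeout=5.0):
    """Handshake with address:port the way the validator does (SNI=hostname,
    offering only acme-tls/1) and return (ok, detail). The challenge certificate
    is self-signed, so verification is off: this is a probe, not a client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols([ACME_ALPN])
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                chosen = tls.selected_alpn_protocol()
    except (OSError, ssl.SSLError) as exc:  # refused, timeout, or no_application_protocol alert
        return False, f"handshake failed: {exc}"
    if chosen == ACME_ALPN:
        return True, "server selected acme-tls/1"
    # A proxy/CDN terminating TLS usually lands here: handshake completes, but
    # acme-tls/1 is never selected, so the validator never sees the challenge cert.
    return False, f"server selected {chosen!r}, so something else terminates TLS here"
```

Run `probe_acme_alpn(host, addr)` for each pair returned by `failed_alpn_targets` while the lego challenge listener is up; a result of `(False, ...)` against the public address means the proxy is still in front and a `--tls` renewal will fail again.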

Thank You for the info!

