Cannot Renew certificate and showing error while trying to re-install

My domain is: https://civilminingsafety.com.au/

I ran this command: ```
sudo lego --tls --email="kiran@briksinfotech.com" --domains=“civilminingsafety.com.au” --domains=“www.civilminingsafety.com.au” --path="/etc/lego" run

It produced this output:
[INFO] [civilminingsafety.com.au, www.civilminingsafety.com.au] acme: Obtaining bundled SAN certificate
2019/05/14 02:49:08 [INFO] [civilminingsafety.com.au] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/EJB
Ckx7Qf71XELeknOzVPoIwZy68YFOCOSvGVmj6-0w
2019/05/14 02:49:08 [INFO] [www.civilminingsafety.com.au] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/qKxSIoINRvL1JvlnYNPqC8xdyhnDt-GM8K4Wfmsw-9s
2019/05/14 02:49:08 [INFO] [civilminingsafety.com.au] acme: use tls-alpn-01 solver
2019/05/14 02:49:08 [INFO] [www.civilminingsafety.com.au] acme: use tls-alpn-01 solver
2019/05/14 02:49:08 [INFO] [civilminingsafety.com.au] acme: Trying to solve TLS-ALPN-01
2019/05/14 02:49:14 [INFO] [www.civilminingsafety.com.au] acme: Trying to solve TLS-ALPN-01
2019/05/14 02:49:22 [INFO] Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz/EJBCkx7Qf71XELeknOzVPoIwZy68YFOCOSvGVmj6-0w
2019/05/14 02:49:23 [INFO] Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz/qKxSIoINRvL1JvlnYNPqC8xdyhnDt-GM8K4Wfmsw-9s
2019/05/14 02:49:23 Could not obtain certificates:acme: Error -> One or more domains had a problem:
[civilminingsafety.com.au] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url: 
[www.civilminingsafety.com.au] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALP
N protocol "acme-tls/1" for tls-alpn-01 challenge, url: 


My web server is (include version):
Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-1075-aws x86_64)

The operating system my web server runs on is (include version):
Ubuntu, 

My hosting provider, if applicable, is:
AWS LightSail

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):  Online SSH provided by LightSail

The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot):
Latest One downloaded using ```
curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -

I’m following https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#step-5-renew-the-let-s-encrypt-certificate - documentation for installing and setup SSL.

Kindly help me to fix this issue as the website is down since 3-4 days.
Thank you,
Kiran

Hi @Kirandas

I'm not so firm with lego and tls-alpn-01.

Isn't it possible to switch to http-01 validation?

Your configuration has one problem ( https://check-your-website.server-daten.de/?q=civilminingsafety.com.au ):

You have ipv4- and ipv6 - addresses:

But http + ipv6 is blocked:

If you fix your ipv6, you can use http-01 validation.

You should fix your ipv6, because users with ipv6 may have problems to connect your site.

Hi JuergenAuer,

Thank you for your reply. Could you please suggest the options to fix ipv6 ?
Thanks

Letsencrypt prefers ipv6, so this is critical.

Is there a firewall? Are there listen directives?

Listen [::]:80
Listen [::]:443

I've copied only the first 4 rows. The next row:

 https://civilminingsafety.com.au/
2404:8280:a222:bbbb:bba1:97:ffff:ffff
	301
	https://www.pipertalent.com.au/
	4.580
	N

So ipv6 + https works -> the address is correct, there is no firewall, there is a listen [::]:443.

If that doesn't work, remove the ipv6 dns AAAA entry, then create a certificate (your http configuration looks ok), then - without a new AAAA entry - try to fix your ipv6. Use the online tool, that supports ipv6 addresses and additional host names - https://check-your-website.server-daten.de/?q=[2404%3A8280%3Aa222%3Abbbb%3Abba1%3A97%3Affff%3Affff]&h=civilminingsafety.com.au

The last row is critical to create a certificate via http-01 validation.

Hi, sorry, I not able to follow above steps as I’m not expert in networking.
Actually, I was able to easily create certificates before for the same domain and server by following the bitnami documentation, but this time showing the errors.

Should I try in new server or contact the domain provider ( crazydomains) to fix this issues?
I see they made the DNS records complicated and have many AAAA records. I removed one AAAA pointing to www.civilmining.com.au, but still not working.
Thanks

Rechecked your domain there is the same picture ( https://check-your-website.server-daten.de/?q=civilminingsafety.com.au ):

There is only one AAAA record per domain.

Change your DNS settings, ns1.syrahost.com is one of your nameservers.

Then recheck the domain to see if the AAAA record is gone.

It's a normal own dns management, not a problem of your domain provider.

There is only one AAAA record per hostname, not many. Looks like you use the wrong place.

After removing the AAAA record from DNS, It works now !

Thank you verymuch for your help and happy to see someone like you there in every corner of this world to help others in need.

Happy to read that.

Now you have a new certificate

CN=civilminingsafety.com.au
	14.05.2019
	12.08.2019
expires in 90 days	
civilminingsafety.com.au, www.civilminingsafety.com.au - 2 entries

both connections are secure. And a very good Grade C.

Later, you can fix your ipv6 using the ipv6 directly (without a DNS-entry).

If ipv6 works, add the AAAA entry again. Native ipv6 support is good.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.