Cannot Renew certificate and showing error while trying to re-install

My domain is: https://civilminingsafety.com.au/

I ran this command:

```
sudo lego --tls --email="kiran@briksinfotech.com" --domains="civilminingsafety.com.au" --domains="www.civilminingsafety.com.au" --path="/etc/lego" run
```

It produced this output:

```
[INFO] [civilminingsafety.com.au, www.civilminingsafety.com.au] acme: Obtaining bundled SAN certificate
2019/05/14 02:49:08 [INFO] [civilminingsafety.com.au] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/EJBCkx7Qf71XELeknOzVPoIwZy68YFOCOSvGVmj6-0w
2019/05/14 02:49:08 [INFO] [www.civilminingsafety.com.au] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/qKxSIoINRvL1JvlnYNPqC8xdyhnDt-GM8K4Wfmsw-9s
2019/05/14 02:49:08 [INFO] [civilminingsafety.com.au] acme: use tls-alpn-01 solver
2019/05/14 02:49:08 [INFO] [www.civilminingsafety.com.au] acme: use tls-alpn-01 solver
2019/05/14 02:49:08 [INFO] [civilminingsafety.com.au] acme: Trying to solve TLS-ALPN-01
2019/05/14 02:49:14 [INFO] [www.civilminingsafety.com.au] acme: Trying to solve TLS-ALPN-01
2019/05/14 02:49:22 [INFO] Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz/EJBCkx7Qf71XELeknOzVPoIwZy68YFOCOSvGVmj6-0w
2019/05/14 02:49:23 [INFO] Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz/qKxSIoINRvL1JvlnYNPqC8xdyhnDt-GM8K4Wfmsw-9s
2019/05/14 02:49:23 Could not obtain certificates:acme: Error -> One or more domains had a problem:
[civilminingsafety.com.au] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url: 
[www.civilminingsafety.com.au] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url: 
```


My web server is (include version):
Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-1075-aws x86_64)

The operating system my web server runs on is (include version):
Ubuntu

My hosting provider, if applicable, is:
AWS LightSail

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Online SSH provided by LightSail

The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot):
Latest one, downloaded using

```
curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -
```

I'm following https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#step-5-renew-the-let-s-encrypt-certificate - the documentation for installing and setting up SSL.

Kindly help me to fix this issue, as the website has been down for 3-4 days.
Thank you,
Kiran

Hi @Kirandas

I'm not so familiar with lego and tls-alpn-01.

Isn't it possible to switch to http-01 validation?

Your configuration has one problem ( https://check-your-website.server-daten.de/?q=civilminingsafety.com.au ):

You have IPv4 and IPv6 addresses:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| civilminingsafety.com.au | A | 3.104.151.226 | yes | 2 | 0 |
| | AAAA | 2404:8280:a222:bbbb:bba1:97:ffff:ffff | yes | | |
| www.civilminingsafety.com.au | C | civilminingsafety.com.au | yes | 1 | 0 |
| | A | 3.104.151.226 | yes | | |
| | AAAA | 2404:8280:a222:bbbb:bba1:97:ffff:ffff | yes | | |

But http + ipv6 is blocked:

| Domainname | IP-Address | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|---|
| http://civilminingsafety.com.au/ | 3.104.151.226 | 301 | https://civilminingsafety.com.au/ | 0.906 | A |
| http://www.civilminingsafety.com.au/ | 3.104.151.226 | 301 | https://www.civilminingsafety.com.au/ | 0.760 | A |
| http://civilminingsafety.com.au/ | 2404:8280:a222:bbbb:bba1:97:ffff:ffff | -2 | | 7.086 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2404:8280:a222:bbbb:bba1:97:ffff:ffff]:80 | | | | | |
| http://www.civilminingsafety.com.au/ | 2404:8280:a222:bbbb:bba1:97:ffff:ffff | -2 | | 7.086 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2404:8280:a222:bbbb:bba1:97:ffff:ffff]:80 | | | | | |

If you fix your ipv6, you can use http-01 validation.

You should fix your ipv6, because users with ipv6 may have problems connecting to your site.

2 Likes

Hi JuergenAuer,

Thank you for your reply. Could you please suggest the options to fix ipv6?
Thanks

Letsencrypt prefers ipv6, so this is critical.

Is there a firewall? Are there listen directives?

```
Listen [::]:80
Listen [::]:443
```

I've copied only the first 4 rows. The next row:

| Domainname | IP-Address | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|---|
| https://civilminingsafety.com.au/ | 2404:8280:a222:bbbb:bba1:97:ffff:ffff | 301 | https://www.pipertalent.com.au/ | 4.580 | N |

So ipv6 + https works -> the address is correct, there is no firewall, there is a listen [::]:443.

If that doesn't work, remove the ipv6 DNS AAAA entry, then create a certificate (your http configuration looks ok), then - without a new AAAA entry - try to fix your ipv6. Use the online tool, which supports ipv6 addresses and additional host names - https://check-your-website.server-daten.de/?q=[2404%3A8280%3Aa222%3Abbbb%3Abba1%3A97%3Affff%3Affff]&h=civilminingsafety.com.au

| Domainname | IP-Address | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|---|
| http://2404:8280:a222:bbbb:bba1:97:ffff:ffff/ | 2404:8280:a222:bbbb:bba1:97:ffff:ffff | -2 | | 7.210 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2404:8280:a222:bbbb:bba1:97:ffff:ffff]:80 | | | | | |
| https://2404:8280:a222:bbbb:bba1:97:ffff:ffff/ | 2404:8280:a222:bbbb:bba1:97:ffff:ffff | 301 | https://www.pipertalent.com.au/ | 3.876 | N |
| Certificate error: RemoteCertificateNameMismatch | | | | | |
| https://www.pipertalent.com.au/ | | 200 | | 6.310 | I |
| http://2404:8280:a222:bbbb:bba1:97:ffff:ffff/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2404:8280:a222:bbbb:bba1:97:ffff:ffff | -2 | | 7.207 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2404:8280:a222:bbbb:bba1:97:ffff:ffff]:80 | | | | | |
| Visible Content: | | | | | |

The last row is critical to create a certificate via http-01 validation.

2 Likes
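The reasoning in the replies above (every published address must answer on port 80, and an AAAA address that refuses 80 but serves 443 points at a missing v6 listener rather than a bad record) can be turned into a pre-flight check you run before requesting a certificate. The script below is an added example and is not code from the thread or from lego. Its `resolve_addresses` and `tcp_probe` helpers use the real system resolver and plain TCP connects; the `constructed_resolver` and `constructed_prober` are constructed stand-ins that reproduce the check-your-website results quoted above (IPv4 open, IPv6 refused on 80, open on 443) so the logic can be exercised offline. All function names are the example's own.

```python
"""Pre-flight check of ACME http-01 reachability on every published address.

Added example: one Finding per A/AAAA record, each probed on ports 80 and 443.
The resolver and prober are injectable so the verdict logic runs offline on
constructed data; the defaults talk to the real network.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Callable, List, Tuple

Resolver = Callable[[str], List[Tuple[str, str]]]  # host -> [(rrtype, address), ...]
Prober = Callable[[str, int], str]                 # (address, port) -> "open" | "refused" | "timeout"


def resolve_addresses(host: str) -> List[Tuple[str, str]]:
    """Collect the A and AAAA answers for host via the system resolver."""
    records: List[Tuple[str, str]] = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP):
        rrtype = "A" if family == socket.AF_INET else "AAAA"
        pair = (rrtype, sockaddr[0])
        if pair not in records:
            records.append(pair)
    return records


def tcp_probe(address: str, port: int, timeout: float = 5.0) -> str:
    """Classify a TCP connect the way the online checker in the thread reports it."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # "actively refused": nothing listening on that address/port
    except OSError:
        return "timeout"   # filtered, unroutable, or no IPv6 on the probing host


@dataclass
class Finding:
    host: str
    rrtype: str
    address: str
    port80: str
    port443: str
    verdict: str


def assess_http01(host: str, resolver: Resolver = resolve_addresses,
                  prober: Prober = tcp_probe) -> List[Finding]:
    """One Finding per published address; the CA may validate over any of them."""
    findings = []
    for rrtype, address in resolver(host):
        p80 = prober(address, 80)
        p443 = prober(address, 443)
        if p80 == "open":
            verdict = "ok"
        elif rrtype == "AAAA" and p443 == "open":
            # Routed and serving TLS over v6, so the gap is the v6 port-80 listener
            # (or a v6 firewall rule), not the address itself.
            verdict = "ipv6 port 80 not listening: add Listen [::]:80 or drop the AAAA record until fixed"
        else:
            verdict = f"port 80 {p80}: http-01 cannot be answered via this address"
        findings.append(Finding(host, rrtype, address, p80, p443, verdict))
    return findings


def http01_ready(findings: List[Finding]) -> bool:
    """True only when every published address answers on port 80."""
    return bool(findings) and all(f.verdict == "ok" for f in findings)


# --- constructed data mirroring the check-your-website output quoted in the thread ---
def constructed_resolver(host: str) -> List[Tuple[str, str]]:
    return [("A", "3.104.151.226"),
            ("AAAA", "2404:8280:a222:bbbb:bba1:97:ffff:ffff")]


def constructed_prober(address: str, port: int) -> str:
    # IPv6 + port 80 was "actively refused"; everything else connected.
    return "refused" if ":" in address and port == 80 else "open"


if __name__ == "__main__":
    hosts = sys.argv[1:]  # with no arguments, run against the constructed data
    for host in hosts or ["civilminingsafety.com.au"]:
        findings = (assess_http01(host) if hosts
                    else assess_http01(host, constructed_resolver, constructed_prober))
        for f in findings:
            print(f"{f.host} {f.rrtype:4} {f.address:40} 80={f.port80:7} 443={f.port443:7} {f.verdict}")
        print("http-01 ready:", http01_ready(findings))
```

Run it with one or more hostnames to probe live, or with no arguments to see the verdict on the constructed records: the A record comes back `ok`, the AAAA record is flagged, and `http01_ready` is false until either the v6 listener exists or the AAAA record is withdrawn, which is exactly the two-step plan the reply proposes.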

Hi, sorry, I'm not able to follow the above steps as I'm not an expert in networking.
Actually, I was able to easily create certificates before for the same domain and server by following the bitnami documentation, but this time it shows the errors.

Should I try a new server or contact the domain provider (crazydomains) to fix these issues?
I see they made the DNS records complicated and have many AAAA records. I removed one AAAA pointing to www.civilmining.com.au, but it is still not working.
Thanks

Rechecked your domain, there is the same picture ( https://check-your-website.server-daten.de/?q=civilminingsafety.com.au ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| civilminingsafety.com.au | A | 3.104.151.226 | yes | 2 | 0 |
| | AAAA | 2404:8280:a222:bbbb:bba1:97:ffff:ffff | yes | | |
| www.civilminingsafety.com.au | C | civilminingsafety.com.au | yes | 1 | 0 |
| | A | 3.104.151.226 | yes | | |
| | AAAA | 2404:8280:a222:bbbb:bba1:97:ffff:ffff | yes | | |

There is only one AAAA record per domain.

Change your DNS settings; ns1.syrahost.com is one of your nameservers.

Then recheck the domain to see if the AAAA record is gone.

It's your own normal DNS management, not a problem of your domain provider.

There is only one AAAA record per hostname, not many. Looks like you are using the wrong place.

1 Like

After removing the AAAA record from DNS, it works now!

Thank you very much for your help, and I am happy to see someone like you there in every corner of this world to help others in need.

2 Likes

Happy to read that.

Now you have a new certificate:

CN=civilminingsafety.com.au, 14.05.2019 - 12.08.2019, expires in 90 days, civilminingsafety.com.au, www.civilminingsafety.com.au - 2 entries

Both connections are secure, and a very good Grade C.

Later, you can fix your ipv6 using the ipv6 address directly (without a DNS entry).

If ipv6 works, add the AAAA entry again. Native ipv6 support is good.
