Certificate renewal TLS handshake error

The cron job renewal failed because the version of TLS required (1.3) is not supported by (some of) the Let's Encrypt servers, perhaps. Yet when I tried manually, the script and lego eventually worked, but it was delayed trying different servers after getting the TLS handshake error. I really do not know why the cron task failed yet the same script called manually eventually worked. I think this has been working previously and I do not think anything relevant changed, but I have no control over what Google (or possibly Bitnami) might have done (such as insist on TLS 1.3)! Do I need to set up Apache differently?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jowett.net + jowettjupiter.com + jowett.org

I ran this command: lego --tls --email="clubjowett@gmail.com" --domains="jowett.net" --path="/opt/bitnami/letsencrypt" renew --daw --days 90

It produced this output:
Note I have edited this as multiple domains are renewed.

2022/10/30 10:54:35 [INFO] [jowettjupiter.com] acme: Trying renewal with -11 hours remaining
2022/10/30 10:54:35 [INFO] [ jowett.net, www.jowett.net, www.jowett.org, ] acme: Obtaining bundled SAN certificate
2022/10/30 10:54:37 [INFO] [jowett.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/170380627632
2022/10/30 10:54:37 [INFO] [jowett.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/170380627632
2022/10/30 10:54:37 [INFO] [jowett.net] acme: use tls-alpn-01 solver
2022/10/30 10:54:37 [INFO] [www.jowett.net] acme: use tls-alpn-01 solver
2022/10/30 10:54:37 [INFO] [jowett.net] acme: Trying to solve TLS-ALPN-01
2022/10/30 10:55:05 http: TLS handshake error from 157.55.39.134:32896: tls: client requested unsupported application protocols ([h2 http/1.1])
2022/10/30 10:56:26 [INFO] [jowett.net] The server validated our request
2022/10/30 10:56:26 [INFO] [www.jowett.net] acme: Trying to solve TLS-ALPN-01
2022/10/30 10:57:11 http: TLS handshake error from 66.206.18.178:21359: EOF
2022/10/30 10:57:14 http: TLS handshake error from 84.16.234.194:53737: EOF
2022/10/30 10:58:22 [INFO] [www.jowett.net] The server validated our request
2022/10/30 11:08:04 [INFO] [jowett.net, www.jowett.net, ] acme: Validations succeeded; requesting certificates
2022/10/30 11:08:04 [INFO] [jowettjupiter.com, jowett.net, jowett.org, mail.jowett.org, www.jowett.net, www.jowett.org, www.jowettjupiter.com] acme: Validations succeeded; requesting certificates
2022/10/30 11:08:06 [INFO] [jowettjupiter.com] Server responded with a certificate.
My web server is (include version): GCLOUD instance

The operating system my web server runs on is (include version): SMP Debian 4.19.235-1 (2022-03-17) x86_64

My hosting provider, if applicable, is: Google

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Welcome to the community @kcfez

The IP addresses in those warning messages are not related to Let's Encrypt. I am not expert enough in the lego client to say why it would log those. But here are the reverse lookups for those IPs:

PTR     msnbot-157-55-39-134.search.msn.com.
PTR     66-206-18-178.static.hvvc.us.
PTR     fra.uptrends.net.

These may be just crawlers trying your domain name while your client is actively waiting for the cert request to complete. And the warning looks like they did not make a valid tls-alpn request, so that is the warning.

Your cert was issued successfully.

3 Likes
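The explanation in the reply above can be reproduced locally. The following Go program is an added example, not lego's code and not from the thread: it opens a listener that, like lego's TLS-ALPN-01 solver, offers only the `acme-tls/1` ALPN value, then connects to it three ways. A client offering `h2, http/1.1`, which is what browsers and crawlers send, is refused during the handshake, and the server side records the same `tls: client requested unsupported application protocols ([h2 http/1.1])` text seen in the log, because that message comes from Go's crypto/tls, which lego is built on. A client offering `acme-tls/1`, as the CA's validator does, negotiates it. None of this depends on the TLS version; the mismatch is in ALPN. The hostname `example.test`, the loopback port and the throwaway self-signed certificate (which lacks the acmeIdentifier extension a real response carries) are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// ACMEALPN is the only ALPN value a TLS-ALPN-01 responder accepts (RFC 8737).
const ACMEALPN = "acme-tls/1"
// Solver stands in for the port-443 listener lego runs during TLS-ALPN-01 (example code,
// not lego's). Errs carries server-side handshake failures, what lego logs as "http: TLS handshake error".
type Solver struct {
	Addr string // loopback address the example listens on
	Errs chan string
}

// selfSignedCert makes a throwaway certificate (a real TLS-ALPN-01 response
// certificate also carries the acmeIdentifier extension; omitted here).
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartSolver listens on a random loopback port offering only acme-tls/1. Go's crypto/tls
// answers a client whose ALPN list does not overlap NextProtos with a no_application_protocol
// alert; a crawler offering "h2, http/1.1" is such a client, one offering no ALPN is accepted.
func StartSolver(host string) (*Solver, error) {
	cert, err := selfSignedCert(host)
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   []string{ACMEALPN},
	})
	if err != nil {
		return nil, err
	}
	s := &Solver{Addr: ln.Addr().String(), Errs: make(chan string, 16)}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { // the handshake is all a responder does; it never reads a request
				if err := c.(*tls.Conn).Handshake(); err != nil {
					s.Errs <- err.Error()
				}
				c.Close()
			}()
		}
	}()
	return s, nil
}

// Probe connects offering the given ALPN list and returns the negotiated protocol ("" if none).
func Probe(addr, host string, protos []string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName:         host,
		NextProtos:         protos,
		InsecureSkipVerify: true, // throwaway self-signed cert; example only
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	s, err := StartSolver("example.test") // hostname is a placeholder
	if err != nil {
		panic(err)
	}
	for _, protos := range [][]string{{"h2", "http/1.1"}, {ACMEALPN}, nil} {
		proto, err := Probe(s.Addr, "example.test", protos)
		fmt.Printf("client offered %v: negotiated %q, err=%v\n", protos, proto, err)
	}
	fmt.Println("server side:", <-s.Errs) // recorded for the h2/http1.1 probe
}
```

The `EOF` lines in the same log are the other common case: a peer that connected and closed before finishing the handshake (an uptime probe or port scanner), which never gets as far as ALPN negotiation.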

Thanks Mike,
I also did the reverse lookups and saw that. I use uptrends to check the status of the website, which is what alerted me to the failed certificate renewal, as well as some disgruntled users!
So now back to trying to figure out why the lego failed when called by cron. Should or could I use another program to do the renewal?

1 Like

The system was set up using a Bitnami stack which I think is the cause of the problem.
I have commented out the crontab lego task.
Investigation shows a certbot task is in systemd but that it is not updating the desired certificate.
Mon 2022-10-31 23:16:53 UTC 5h 5min left Mon 2022-10-31 01:22:45 UTC 16h ago certbot.timer certbot.service
More investigation needed.
/lib/systemd/system/certbot.service
contains
ExecStart=/usr/bin/certbot -q renew

Just looking at certbot documentation.

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certs found.

What do I need to do to get the multiple domain certificates ?

certbot --apache

It looks like certbot was installed at one time but never used. The --apache plug-in will use the HTTP Challenge and make changes to your Apache config. I don't have time to walk you through switching ACME clients but maybe someone else will. The certbot docs are here

As other options:

Is the bitnami bncert tool available? I can't vouch for it personally but I know many people on this forum had success with it

Also, does your Apache already have mod_md installed? I see you were using TLS-ALPN authentication so thought you might have that. You could use mod_md to manage your certs and that has worked well for others.

3 Likes

OK Thanks Mike,
bncert failed saying the DNS resolved incorrectly, so I gave up with that. The website and all the rest of the domain is working perfectly so DNS must be working.
I will soon be rebuilding with Debian11 and NOT use Bitnami as it really caused issues in loads of areas. I will have a look at certbot and mod_md which looks promising. Should really do it on my Dev system and not play around with the live one!

Whilst looking to see if mod_md was installed found this.

apache2ctl -M

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message

So perhaps I need to fix that which might fix the bncert issue.

Found this guide which should help me try out mod_md
https://www.cyberciti.biz/faq/how-to-secure-apache-with-mod_md-lets-encrypt-on-ubuntu-20-04-lts/

1 Like
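An Apache configuration covering both items in the post above, as an added example that is neither from the thread nor from the linked guide: a global `ServerName`, which is the directive the AH00558 warning asks for, and a mod_md setup that obtains and renews the certificate with the same `tls-alpn-01` challenge lego was using. Domain names, the contact address and the document root are placeholders; it assumes Apache 2.4 with a mod_md version that supports `tls-alpn-01` and the `ssl`, `md` and `watchdog` modules enabled (on Debian, `a2enmod ssl md watchdog`).

```apache
# Global ServerName: what AH00558 asks for. Use the host's real FQDN.
ServerName example.org

# One managed domain covering every name that should share a certificate.
MDomain example.org www.example.org mail.example.org
MDCertificateAgreement accepted
# tls-alpn-01 first (no dependency on port 80), http-01 as fallback.
MDChallenges tls-alpn-01 http-01
# Renew when a third of the certificate lifetime is left.
MDRenewWindow 33%

<VirtualHost *:443>
    ServerName example.org
    ServerAlias www.example.org mail.example.org
    # mod_md registers the ServerAdmin address as the ACME contact.
    ServerAdmin admin@example.org
    SSLEngine on
    # acme-tls/1 must be an enabled protocol, or tls-alpn-01 cannot be answered.
    Protocols h2 http/1.1 acme-tls/1
    DocumentRoot /var/www/html
</VirtualHost>
```

No `SSLCertificateFile` lines are needed: mod_md hands the certificate to mod_ssl itself. It obtains and renews in the background, but the new certificate is only served after the next graceful reload, so either schedule `apachectl graceful` or use `MDMessageCmd` to trigger one when a renewal completes.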

That's a common warning and easily ignored.

I don't know lego very well but a common problem when a script works from shell and not in cron is due to cron not running jobs with the same shell / path.

Also, aren't there lego logs you could check for the times it should be running in cron?

That it works well from command shell is great.

You could even ask about that on the lego github if no other volunteer here suggests anything (github here)

3 Likes
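What a cron entry that sidesteps the environment difference described in the reply above looks like, as an added example and not the original poster's crontab: the shell, `PATH` and mail recipient are set explicitly at the top instead of inherited from whatever cron provides, and everything lego prints is appended to a log file with a timestamp so the next failure leaves evidence to read. The lego binary location, the email address, the domain and the log path are assumptions; `--path` is the directory used in the thread. Because `--tls` makes lego listen on port 443 itself (the default for `--tls.port`), whatever frees that port when the script is run by hand has to happen inside the job as well.

```crontab
# Cron does not load your login shell's profile: set the environment here.
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MAILTO=root

# One-off diagnostic: enable for a minute, then compare /tmp/cron-env.txt
# with the output of `env` in the shell where the command works.
# * * * * * env > /tmp/cron-env.txt

# Daily at 03:17. Binary path, address, domain and log file are placeholders.
17 3 * * * ( date; /usr/local/bin/lego --tls --email="admin@example.org" --domains="example.org" --path="/opt/bitnami/letsencrypt" renew --days 30 ) >> /var/log/lego-renew.log 2>&1
```

Keep `%` out of the command line (cron treats it as a newline), and check `/var/log/lego-renew.log` plus the mail cron sends to `MAILTO` after the first scheduled run.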

I dismissed the AH00558 message by changing the /etc/hosts file entry for each domain to its external IP address rather than 127.0.0.1. Seems OK but do not know what other effect this might have.

I get the bncert utility going through most of the process now, but it does not complete even after half an hour of waiting. See the final console output below ....

Do you agree to the Let's Encrypt Subscriber Agreement? [Y/n]: y


Performing changes to your installation

The Bitnami HTTPS Configuration Tool will perform any necessary actions to your
Bitnami installation. This may take some time, please be patient.

/^C
root@club-jowett-vm:/opt/bitnami/letsencrypt/certificates# /opt/bitnami/ctlscript.sh restart apache
Restarted apache

Sorry, I've lost track of what your problem is. Are you still trying to resolve the cron problem with lego? Or is it a problem with bncert or another ACME client?

I don't see any cert problem. You got 3 certs in the past week. One of them was issued just 2 hours ago (see here)

And, your Apache server is using this most recent cert

Can you explain what you want help with?

3 Likes

Thanks Mike,
You are correct that I am able to manually run and renew using the lego client. I have reported the technical issue with the bncert-tool and used the bndiagnostic tool to give them some info. So this thread can be closed.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.