Error: 403 while renew cert (AWS EC2 NGINX Bitnami server)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://brazilianflame.com.au/

I ran this command:

sudo lego --tls --email="info@eleven-two.com" --domains="brazilianflame.com.au" --path="/etc/lego" renew

It produced this output:
2020/10/19 01:12:31 No key found for account info@eleven-two.com. Generating a P384 key.
2020/10/19 01:12:31 Saved key to /etc/lego/accounts/acme-v02.api.letsencrypt.org/info@eleven-two.com/keys/info@eleven-two.com.key
2020/10/19 01:12:32 Account info@eleven-two.com is not registered. Use 'run' to register a new account.

I ran this command:
sudo /opt/bitnami/letsencrypt/lego --tls --email="info@eleven-two.com" --domains="brazilianflame.com.au" --path="/opt/bitnami/letsencrypt/" run

It produced this output:
2020/10/20 03:59:26 [INFO] [brazilianflame.com.au] acme: Obtaining bundled SAN certificate
2020/10/20 03:59:27 [INFO] [brazilianflame.com.au] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8014454166
2020/10/20 03:59:27 [INFO] [brazilianflame.com.au] acme: use tls-alpn-01 solver
2020/10/20 03:59:27 [INFO] [brazilianflame.com.au] acme: Trying to solve TLS-ALPN-01
2020/10/20 03:59:33 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8014454166
2020/10/20 03:59:34 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8014454166
2020/10/20 03:59:34 Could not obtain certificates:
error: one or more domains had a problem:
[brazilianflame.com.au] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:

My web server is (include version): NGINX Self-contained Bitnami (bitnami-wordpresspro-5.2.2-4-linux-ubuntu-16.04-x86_64) on AWS EC2 with Load Balancer.

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

So... I'm trying to identify what's causing the cert to not be renewed. I tried to renew the cert but lego says I don't have a cert for this account even though the site has a valid Let's Encrypt cert installed right now. When I try to run for a new cert, I get the error above.

I've checked the DNS entries and all seems fine. I'm not using CloudFlare, but AWS Load Balancer is on (and listening on ports 80 and 443). I've already searched everywhere for a solution to this 403 error, but with no success so far. I'd really appreciate it if anybody could help here. Thanks!

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Sorry you're facing these troubles. Let's see what we can do... :thinking:

! Warning for helpers: Bitnami WordPress stack present !

It looks like you're using lego, but reported a certbot version...

TLS-ALPN-01 challenges must be performed over port 443...

2 Likes

Try replacing:
--tls
with
--http

1 Like

Bitnami offers a support tool to help debug this:

1 Like

That would completely change the challenge type. Could work, but since this is being run on a LB, it might be easier just to use AWS DNS instead.

1 Like

@viniciusedson

I would highly recommend reading here first then getting back to us:

sudo /opt/bitnami/letsencrypt/lego --http --email="diegobrazilianflame@gmail.com" --domains="brazilianflame.com.au" --path="/opt/bitnami/letsencrypt/" run

Return:
2020/10/20 06:42:20 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you accept the TOS? Y/n
y
2020/10/20 06:42:26 [INFO] acme: Registering account for diegobrazilianflame@gmail.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/opt/bitnami/letsencrypt/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2020/10/20 06:42:26 [INFO] [brazilianflame.com.au] acme: Obtaining bundled SAN certificate
2020/10/20 06:42:26 [INFO] [brazilianflame.com.au] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8017011488
2020/10/20 06:42:26 [INFO] [brazilianflame.com.au] acme: Could not find solver for: tls-alpn-01
2020/10/20 06:42:26 [INFO] [brazilianflame.com.au] acme: use http-01 solver
2020/10/20 06:42:26 [INFO] [brazilianflame.com.au] acme: Trying to solve HTTP-01
2020/10/20 06:42:33 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8017011488
2020/10/20 06:42:33 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8017011488
2020/10/20 06:42:33 Could not obtain certificates:
error: one or more domains had a problem:
[brazilianflame.com.au] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://www.brazilianflame.com.au/.well-known/acme-challenge/IMZBShMQ6DRCuiN-NuH9SNadJYNcMHWxWmZE8-O7FwE [2404:8280:a222:bbbb:bba1:57:ffff:ffff]: "\n<html lang="en">\n\n\n<meta name="viewport" content="width=device-width, initial-scale=", url:

I'm really confused too. I didn't set up this instance, so I'm just trying to update the cert, which is supposed to be simple, but the last guy probably messed up the instance... Looks like he tried different methods to install the first cert (he requested an AWS one, but is using the Let's Encrypt one) and got it working somehow. The problem is figuring out how. I'm still trying to understand all the mess... Thanks for helping.

[quote="griffin, post:6, topic:136415"]
I would highly recommend reading here first then getting back to us:[/quote]

I'll try it tomorrow. I got enough of this headache for today. I'll let you guys know if it worked. Thank you all!

1 Like
Name:    brazilianflame.com.au
Addresses:  2404:8280:a222:bbbb:bba1:57:ffff:ffff
          13.239.132.34

curl -Iki 13.239.132.34
HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.1
Date: Tue, 20 Oct 2020 14:46:31 GMT
Content-Type: text/html
Connection: keep-alive
Location: https://13.239.132.34/
X-Frame-Options: SAMEORIGIN

curl -Iki [2404:8280:a222:bbbb:bba1:57:ffff:ffff]
curl: (7) Failed to connect to 2404:8280:a222:bbbb:bba1:57:ffff:ffff port 80: No route to host

You have an IPv6 problem.

2 Likes

Is that what it's supposed to generate?

1afc71d7-1f67-b8d1-13c2-7ffe17736f79

Why is it trying to connect through IPv6 if all the config in this tutorial only uses IPv4?

And I found a TXT key on the domain nameservers that is related to the _acme-challenge. So I'm guessing the last guy used --dns to perform the challenge. Anyway, I'm going to have a look at this IPv6 problem before checking anything else. Thanks.

2 Likes

IPv6 is often preferred over IPv4 when it's available, which is why having a misconfigured IPv6 can wreak havoc.

1 Like

Because your FQDN is defined with both IPv4 and IPv6 addresses:
[this is something you control]

Name:    brazilianflame.com.au
Addresses:  2404:8280:a222:bbbb:bba1:57:ffff:ffff
          13.239.132.34

And as @griffin mentioned, IPv6 will be preferred over IPv4 when present.
So, I repeat myself:

If you don't need IPv6, then remove the AAAA record from your DNS zone.
If you do need it, then you need to make sure it works before trying to get, or renew, a cert from LE.

[&2* readers: Get involved; Be heard. It starts with: if you read something you like, then like it :heart:]

2 Likes
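A pre-flight check for the two failure modes discussed in this thread (the dead AAAA record that the CA tries first, and TLS-ALPN-01 behind a TLS-terminating load balancer), added here as an example that is not from the thread or from lego. It assumes Python 3 with only the standard library; the domain name in the main block is a placeholder.

```python
# Added example (not from the thread or from lego): pre-flight the ACME
# validation path on a dual-stack host. Resolve every A/AAAA record, then
# probe each address as the CA would: TCP port 80 for HTTP-01 and an ALPN
# offer of "acme-tls/1" on port 443 for TLS-ALPN-01.
import socket
import ssl
from typing import Dict, List, Optional

def resolve_all(name: str) -> List[str]:
    """Every A/AAAA address published for name, deduplicated and sorted."""
    infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
    return sorted({ai[4][0] for ai in infos})

def probe_port80(addr: str, timeout: float = 5.0) -> bool:
    """True if a TCP connection to addr:80 succeeds (needed for HTTP-01)."""
    try:
        with socket.create_connection((addr, 80), timeout=timeout):
            return True
    except OSError:          # e.g. "No route to host" on an unrouted AAAA
        return False

def probe_acme_alpn(addr: str, host: str, timeout: float = 5.0) -> Optional[str]:
    """ALPN protocol the server selects when offered only acme-tls/1 (None on
    failure). A TLS-terminating load balancer will not select it: the --tls 403."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE       # inspecting ALPN, not the cert chain
    ctx.set_alpn_protocols(["acme-tls/1"])
    try:
        with socket.create_connection((addr, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.selected_alpn_protocol()
    except (OSError, ssl.SSLError):
        return None

def diagnose(port80: Dict[str, bool]) -> List[str]:
    """Findings for a map of published address -> port-80 reachability."""
    findings = []
    for addr, ok in port80.items():
        if not ok:
            rtype = "AAAA" if ":" in addr else "A"
            findings.append(f"{rtype} record {addr} is published but unreachable on "
                            "port 80: remove it or fix routing before requesting a cert")
    return findings or ["all published addresses answer on port 80"]

if __name__ == "__main__":
    name = "example.com"  # placeholder: the domain being validated
    addrs = resolve_all(name)
    print(*diagnose({a: probe_port80(a) for a in addrs}), sep="\n")
    print({a: probe_acme_alpn(a, name) for a in addrs})
```

Run it from the machine that the CA must reach; any address that fails the port-80 probe, or that does not select "acme-tls/1", is a validation that will fail regardless of the lego flags used.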

I don't understand that question...
Is what supposed to generate that?
[which doesn't look like anything related to LetsEncrypt]

2 Likes

Where did this string come from?

1 Like

Ignore my last question. It's a reference code from the Bitnami support tool so their customer service reps can access your test results.

1 Like

I don't understand that question...
Is what supposed to generate that?
[which doesn't look like anything related to LetsEncrypt]

Sorry. The quote didn't work. This is the hash generated by the Bitnami Support Tool you mentioned before.

Yeah. I just checked and the instance doesn't have IPv6 enabled. I'm going to check this issue before removing the AAAA entry as you and @griffin have pointed out. Thanks.

2 Likes

Removing the AAAA usually works magic. :mage:

2 Likes

Do you suggest removing it before trying to enable the IPv6?

1 Like

Removing the AAAA would require disabling the IPv6. The AAAA is your IPv6 address.

1 Like

Does your system have that IP on it?
I mean, once you enable IPv6, if your IPv6 address doesn't match that one, you will at least have to change it to the one you do have.
So there is a very low probability that the IPv6 address you will get will match the one already in DNS.

1 Like

Not exactly.
He can still have IPv6 enabled and just not advertise it.
But once advertised, it better work.
[which is where we are now]

1 Like