Why are you using this option? It tells lego to renew even if there are 90 days left until expiry. Please don't do that.
We don't have much to work with, as you've removed the questionnaire which was shown to you when you opened this thread in the Help section. But from the limited info I see, it looks like the Let's Encrypt validation server didn't actually connect to lego, but to something else: some other webserver answering on port 443, even though you say you stopped something using bitnami.
Is there a specific reason why you're using lego instead of the built-in bncert-tool?
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
```
2025/01/19 10:38:53 error: one or more domains had a problem:
[www.plumbingandelectrical.net.au] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge
```
My web server is (include version):
The operating system my web server runs on is (include version): Linux
My hosting provider, if applicable, is: AWS Lightsail
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): bncert-tool
“It is impossible to obtain a certificate using the TLS-ALPN-01 challenge with the Cloudflare CDN proxy enabled.”
I’m not really familiar with Cloudflare, but I guess I would disable the CDN proxy for at least the duration of the ACME challenge while getting the renewal certificate issued.
The www subdomain has a DNS CNAME to what looks like a WP service:
www.plumbingandelectrical.net.au 60 IN CNAME wp.wpenginepowered.com.
But, your apex domain points to a single AWS IP address (probably LightSail):
plumbingandelectrical.net.au. 0 IN A 3.24.225.144
Would you explain why you set these domain names up differently?
Further, this service at www is proxied at Cloudflare as Bruce notes. This means you are using its CDN. Yet, you say you use LightSail. That is also a CDN. It is very unusual to have two "layers" of CDN. This makes traffic flows very complicated. It is almost certainly not what you want.
And, you could not possibly have gotten a cert using lego and tls-alpn for your www subdomain with this configuration.
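As an added diagnostic (not code from this thread, from lego or from Let's Encrypt), here is a small Python probe that does what the validation server did: it connects to port 443 offering only the `acme-tls/1` ALPN protocol and reports which IP answered and what was negotiated. Anything other than `acme-tls/1` means a proxy or the regular web server, not the ACME client's challenge listener, is terminating TLS; the host name on the command line is an assumed placeholder.

```python
import socket
import ssl

# ALPN protocol id reserved for the ACME TLS-ALPN-01 challenge (RFC 8737).
ACME_ALPN = "acme-tls/1"


def probe_alpn(host: str, port: int = 443, timeout: float = 5.0):
    """Open a TLS connection to host:port offering only acme-tls/1.

    Returns (selected_alpn, peer_ip): selected_alpn is None when the server
    picked nothing or rejected the handshake; peer_ip is the address that
    actually answered (useful when a CDN proxy sits in front of the origin)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # the challenge cert is self-signed by design
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols([ACME_ALPN])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        peer_ip = sock.getpeername()[0]
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.selected_alpn_protocol(), peer_ip
        except ssl.SSLError:
            # e.g. a no_application_protocol alert: the endpoint refuses acme-tls/1
            return None, peer_ip


def explain(negotiated):
    """Map the negotiated ALPN value to a verdict matching the thread's error."""
    if negotiated == ACME_ALPN:
        return "challenge-listener"    # the ACME client's TLS-ALPN responder answered
    return "other-tls-endpoint"        # a CDN proxy or the normal web server holds 443


if __name__ == "__main__":
    import sys
    # placeholder host; pass the real name on the command line
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    proto, ip = probe_alpn(host)
    print(f"{host} -> {ip}: ALPN={proto!r} ({explain(proto)})")
```

Run it while the ACME client's challenge listener is up; if the reported IP is not your Lightsail address, or the verdict is `other-tls-endpoint`, the validation request never reached lego.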