Let's Encrypt autorenewal and email problems - linked?

I am having trouble auto-renewing my Let's Encrypt certificate and have also been having trouble with my SES email and think they may be related. I am very new to AWS and am not familiar with all this 'background' information etc, but think the problem could be that I have got confused following various setup write-ups and have a DNS zone in both Lightsail and Route 53, and am thinking this is not correct. But I am unsure if I can just delete one of the zones, which one I should delete and which records I should ensure are in whichever zone I choose to leave/use. I am hoping you can help me work out what I've done and how to correct matters so my email keeps working and my SSL certificate can auto-renew.

My domain is: rustyirony.com

I ran this command: sudo /opt/bitnami/bncert-tool

It produced this output: [rustyirony.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized ::
Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge

My web server is (include version): AWS Lightsail

The operating system my web server runs on is (include version): AWS Linux

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): ??

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Sorry I can't provide all the above - I really don't understand all this and have only got where I am via tutorials.

Hi @Butchx5,

I kind of doubt that these are related.

What I think is going on is that your DNS records list your site as directly hosted in AWS for IPv4 purposes (18.130.116.235) but proxied via the Cloudfront CDN for IPv6 purposes (2600:9000:20a6:8c00:1c:bee8:a980:93a1 and several others). The Let's Encrypt CA will always prefer IPv6 for validation when you try to get a certificate.

The ALPN method that the software is talking about normally requires that you be running the certificate tool directly on the server that the certificate authority will connect to, which is not the case when you're behind a CDN. Therefore, this method would probably not work when you have a CDN enabled. (You might not notice that you have a CDN enabled, though, since it seems like it's only set up for IPv6 and not for IPv4.)

Anyway, my suggestion would be

  • decide if you mean to be using Cloudfront to proxy your site

  • if you don't, remove the IPv6 AAAA records for Cloudfront (ideally using your AWS IPv6 address, if you have one, instead)

  • if you do, check on the Bitnami forum for how to complete this process when behind a CDN, since the tutorial steps you followed are generally appropriate, but seem not to be appropriate when a site is hosted behind a CDN—so you might need a slightly different tutorial that is correct for this setup.

(I doubt anyone on this forum knows offhand exactly how to modify the Bitnami instructions for the CDN case, although I'd be happy to be proven wrong about that!)

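To make the reply's reasoning concrete, here is an added illustration (not code from the original thread, nor from Let's Encrypt, Bitnami or AWS) that models an IPv6-preferring validator against a constructed copy of the DNS records described above. It assumes, as a labelled guess, that CloudFront's IPv6 edges come from 2600:9000::/28, and that the Lightsail instance's only bound address is the IPv4 one from the reply. The diagnosis function then shows why tls-alpn-01 cannot succeed while the AAAA records point at the CDN, and that dropping those records (the reply's first option) makes the validator land on the origin.

```python
"""Model of why tls-alpn-01 fails when only the AAAA records point at a CDN."""
import ipaddress

# Constructed DNS answers mirroring the situation described in the reply:
# the A record points at the Lightsail instance, the AAAA record at CloudFront.
CONSTRUCTED_RECORDS = {
    "rustyirony.com": {
        "A": ["18.130.116.235"],
        "AAAA": ["2600:9000:20a6:8c00:1c:bee8:a980:93a1"],
    }
}

# Assumption: CloudFront announces its IPv6 edges from 2600:9000::/28.
CDN_PREFIXES = [ipaddress.ip_network("2600:9000::/28")]

# Constructed: the addresses actually bound on the host running bncert-tool.
ORIGIN_ADDRESSES = {ipaddress.ip_address("18.130.116.235")}


def validator_target(name, records):
    """Address that a validator preferring IPv6 connects to first.

    The reply states the Let's Encrypt CA prefers IPv6 for validation, so
    any AAAA record wins over an A record for the same name.
    """
    zone = records[name]
    for rtype in ("AAAA", "A"):
        if zone.get(rtype):
            return ipaddress.ip_address(zone[rtype][0])
    raise ValueError(f"no address records for {name}")


def is_cdn_address(addr):
    """True when the address falls inside an assumed CDN prefix."""
    return any(addr in net for net in CDN_PREFIXES)


def tls_alpn_diagnosis(name, records, origin=ORIGIN_ADDRESSES):
    """Return (viable, reason) for a tls-alpn-01 challenge run on the origin.

    The challenge only works when the CA's TLS handshake (ALPN acme-tls/1)
    terminates on the machine running the ACME client.
    """
    target = validator_target(name, records)
    if target in origin:
        return True, f"validator reaches the origin directly at {target}"
    if is_cdn_address(target):
        return False, (f"validator connects to CDN edge {target}; the edge "
                       "terminates TLS, so the acme-tls/1 handshake never "
                       "reaches the ACME client on the origin")
    return False, f"validator connects to {target}, which is not this host"


def without_cdn_aaaa(records):
    """The reply's first option: remove AAAA records that point at the CDN."""
    cleaned = {}
    for name, zone in records.items():
        cleaned[name] = {
            rtype: [a for a in addrs
                    if not (rtype == "AAAA"
                            and is_cdn_address(ipaddress.ip_address(a)))]
            for rtype, addrs in zone.items()
        }
    return cleaned


if __name__ == "__main__":
    name = "rustyirony.com"
    print("as found:", tls_alpn_diagnosis(name, CONSTRUCTED_RECORDS))
    print("AAAA removed:", tls_alpn_diagnosis(name, without_cdn_aaaa(CONSTRUCTED_RECORDS)))
```

Replacing the constructed dictionary with real answers from `dig A` and `dig AAAA` for the domain reproduces the reply's check; if the site is meant to stay behind CloudFront, the second option in the reply applies instead, because no DNS change makes a CDN-terminated handshake reach the origin.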

Schoen

Thanks so much for your response - that rings some bells for me - in my ignorance when setting up I went down various paths to 'improve' various aspects of my website (according to the tutorials I followed). Then, halfway through, the penny suddenly dropped that Lightsail comes with everything I needed for my little site. So I stopped going down that avenue.

So, I have read a little about Cloudfront and feel it is probably over the top for my little sites (I have two very similar shops selling handcrafted items). However, I would fall under the Free tier usage so I could use it for no additional cost. The big question is: would using Cloudfront for my images etc mean my site would run smoother/faster, or, as the sites are so small, won't it make a discernible difference? Are you able to advise on that? I can then go forward down the correct path for my setup.

I admit to not knowing what IPv4 and IPv6 are and the difference. But from what you say, if I decide to go forward without Cloudfront I would delete the IPv6 DNS records.

Where would I find my AWS IPv6 address (if I have one)?
