Tls error renewing certs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: beachhouseimports.com

I ran this command (other domains are renewing, just not beachhouseimports.com):
sudo /opt/bitnami/letsencrypt/lego --tls --email="jim2story@yahoo.com" --domains="newmarketing.guide" --domains="www.newmarketing.guide" --domains="beachhouseimports.com" --domains="www.beachhouseimports.com" --domains="coastmobileutilities.com" --domains="www.coastmobileutilities.com" --path="/opt/bitnami/letsencrypt" run

It produced this output:
2023/05/23 05:48:04 [INFO] [domain.com] acme: Trying to solve TLS-ALPN-01
2023/05/23 05:48:07 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/230303644157
2023/05/23 05:48:07 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/230303644167
2023/05/23 05:48:07 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/230303644177
2023/05/23 05:48:08 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/230303644187
2023/05/23 05:48:08 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/230303644197
2023/05/23 05:48:08 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/230307868427
2023/05/23 05:48:08 Could not obtain certificates:error: one or more domains had a problem:[domain.com] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 35.168.67.138: remote error: tls: no application protocol

My web server is (include version): lightsail bitnami

The operating system my web server runs on is (include version): lightsail bitnami

My hosting provider, if applicable, is: aws lightsail

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Sorry, not sure; I think it's lego.

Following the instructions here: Generate and Install a Let's Encrypt SSL Certificate for a Bitnami Application.
This used to work fine until the latest renew this week.
Checked this here: TLS Checker | Site24x7 Tools
Working domains say this:
tls 1.3 disabled
tls 1.2 enabled
tls 1.1 enabled
tls 1.0 enabled
The one that doesn't says this:
tls 1.3 enabled
tls 1.2 enabled
tls 1.1 disabled
tls 1.0 disabled

Not sure why it would be different; they were set up the same way (I thought).
Thanks

The DNS IP addresses seem wrong. If these are correct, can you explain more about your configuration?

dig +noall +answer beachhouseimports.com
beachhouseimports.com.  111     IN      A       35.168.67.138
beachhouseimports.com.  111     IN      A       3.230.199.117

dig +noall +answer www.beachhouseimports.com
www.beachhouseimports.com. 174  IN      A       3.221.66.194

dig +noall +answer coastmobileutilities.com
coastmobileutilities.com. 176   IN      A       3.221.66.194
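The dig output above is the whole diagnosis: the ACME validator connects to whichever A record it resolves, so a single stray address on the apex is enough to fail TLS-ALPN-01 even though the www label and the other domains are fine. The following is an added example, not code from the thread or from lego, that encodes that check: a pure comparison of resolved A records against one expected static IP (values constructed from the dig output quoted above), plus an apex/www disagreement check, and a small live wrapper around the system resolver.

```python
"""Check that every domain in a lego/ACME request resolves only to the host
that will answer the TLS-ALPN-01 challenge. Added example, not from the thread."""
import socket
from typing import Dict, List

# Constructed sample: the A records from the dig output quoted in the thread.
SAMPLE_RECORDS: Dict[str, List[str]] = {
    "beachhouseimports.com": ["35.168.67.138", "3.230.199.117"],
    "www.beachhouseimports.com": ["3.221.66.194"],
    "coastmobileutilities.com": ["3.221.66.194"],
    "www.coastmobileutilities.com": ["3.221.66.194"],
}
EXPECTED_IP = "3.221.66.194"  # the Lightsail static IP named in the thread


def resolve_a(domain: str) -> List[str]:
    """Live lookup through the system resolver (used only by main below)."""
    infos = socket.getaddrinfo(domain, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def find_mismatches(records: Dict[str, List[str]], expected_ip: str) -> Dict[str, List[str]]:
    """Return {domain: [stray IPs]} for every domain with any A record other
    than expected_ip (or with no A record at all). Every record counts: the
    validator may pick any of them, so one stale address is enough to fail."""
    bad: Dict[str, List[str]] = {}
    for domain, ips in records.items():
        stray = [ip for ip in ips if ip != expected_ip]
        if stray or not ips:
            bad[domain] = stray
    return bad


def apex_www_disagreements(records: Dict[str, List[str]]) -> List[str]:
    """Return apex names whose A records differ from their www label; that
    split was the tell-tale sign here that two different NS sets were answering."""
    out = []
    for domain, ips in records.items():
        if domain.startswith("www."):
            apex = domain[4:]
            if apex in records and set(records[apex]) != set(ips):
                out.append(apex)
    return sorted(out)


if __name__ == "__main__":
    live = {d: resolve_a(d) for d in SAMPLE_RECORDS}
    for d, stray in find_mismatches(live, EXPECTED_IP).items():
        print(f"{d}: unexpected A record(s) {stray}")
    for apex in apex_www_disagreements(live):
        print(f"{apex}: apex and www resolve differently")
```

Run it against your own domain list with the static IP you expect before retrying the renewal; any domain it reports will fail the challenge no matter how the web server is configured.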

Thanks for your help. Sorry, noob here, don't know where these 2 came from. How do I change these/get rid of them? In Route 53 I have 2 A records (1 www, 1 non-www) pointing to 3.221.66.194 (my static IP). Don't see anything about the other IPs.
Record name: beachhouseimports.com
Record type: A; Value: 3.221.66.194; Alias: No; TTL (seconds): 300; Routing policy: Simple


Did you change your Name Servers for that domain recently?

Because yns1.yahoo.com is used for your beachhouse domain rather than Route53, like for coastmobile (for example).

https://dnsviz.net/d/beachhouseimports.com/dnssec/


Oooh ok, I didn't. Looks like someone/something might have changed it in GoDaddy to point to Yahoo instead of Route53. Not sure who/why; I'll check when they get in this morning. Strange that www.beachhouseimports.com is getting the correct IP from Route53 but the non-www version is not and is going to Yahoo. Thanks for your help.


You can confirm your DNS changes with the website tool below. It looks up IP addresses very similarly to how Let's Encrypt does. As for the www domain, it isn't using Route53 either so maybe you just have the right value in its name server.

https://unboundtest.com/


Thanks, that was it. GoDaddy randomly changed nameservers for some reason when they upgraded their DNS system. Thanks again.
