LAMP Cannot install Lets Encrypt Certificates with script or Alternative approach #1760

Closed
tooliedotter opened this issue Jan 19, 2025 · 6 comments
Labels: bncert, lamp/mamp/wamp/xampp, solved, tech-issues (The user has a technical issue about an application)

@tooliedotter

tooliedotter commented Jan 19, 2025

Platform

AWS

bndiagnostic ID

e543192e-548c-d355-adf2-45c6bc91a096

bndiagnostic output

===== Begin of bndiagnostic tool output =====

? Processes: Found possible issues
✓ Mariadb: No issues found
? Connectivity: Found possible issues
✓ Php: No issues found
? Apache: Found possible issues
? Resources: Found possible issues

[Processes]

[Connectivity]

Server ports 22, 80 and/or 443 are not publicly accessible. Please check the
following guide to open server ports for remote access:

https://docs.bitnami.com/general/faq/administration/use-firewall/

[Apache]

Found recent error or warning messages in the Apache error log.

[Sun Jan 19 07:48:27.269952 2025] [core:error] [pid 2034:tid 2222] [client
**ip_address**:48708] AH10244: invalid URI path
(/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh)

[Sun Jan 19 07:48:28.552886 2025] [core:error] [pid 1379:tid 1632] [client
**ip_address**:48724] AH10244: invalid URI path
(/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32
%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh)

Please check the following guide to troubleshoot server issues:

Press [Enter] to continue:
https://docs.bitnami.com/general/apps/wordpress/troubleshooting/debug-erro
rs-apache/

[Resources]

Your instance has little available RAM memory.

               total        used        free      shared  buff/cache   available
Mem:            3879         990         207           0        2963        2888
Swap:              0           0           0

You could try to increase your instance's memory. Please check your cloud
provider's documentation for more information.

===== End of bndiagnostic tool output =====

bndiagnostic was not useful. Could you please tell us why?

Issues there have nothing to do with my problem

Describe your issue as much as you can

I am unable to run the BN-Cert tool at all; I have tried on two different servers, one with old PHP, and one from the very latest Bitnami release.

Last summer I opened this issue: #1605
You suggested the Alternative Approach, which worked at the time. https://docs.bitnami.com/general/how-to/generate-install-lets-encrypt-ssl/#alternative-approach

When the bncert-tool failed this time on my old server, I tried the Alternative Approach and that failed too. In desperation I set up a whole new LAMP stack (https://bitnami.com/redirect/to/2505088/lampstack-8.4.3-0-amidebian-x64-hvm-ebs-nami?region=us-west-2), and copied over all 29 websites. I duplicated manually the configuration of virtual hosts, and the websites themselves now come up on this fresh server, but of course with no SSL Certificates.

I ran the sudo /opt/bitnami/bncert-tool command, and it failed with these errors:

Error: Error running curl -L
'https://tooliedotterinc.com/.well-known/e378495e9d' -o '/tmp/e378495e9d':   %
Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

So I revoked the attempted certificate and tried the Alternative Approach.

  • I tried putting all the domain names behind a single --domains= parameter and it fails.
  • I tried putting the www. domain names in a separate --domains= parameter and it fails.
  • I tried dividing the list into 4 --domains= parameters in case there were too many characters (1658) in the string, and it still fails.

Here are the errors I get from the last attempt:

bitnami|/opt/bitnami/apache/conf/bitnami $ sudo /opt/bitnami/ctlscript.sh stop
Stopping services..
bitnami|/opt/bitnami/apache/conf/bitnami $ sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL@YOUR_DOMAIN.com" --domains="_DOMAIN_LIST_1_" --domains="_DOMAIN_LIST_2_" --domains="_WWW_DOMAIN_LIST_1_" --domains="_WWW_DOMAIN_LIST_2_" --path="/opt/bitnami/letsencrypt" run
2025/01/19 20:35:40 [DEBUG] GET https://acme-v02.api.letsencrypt.org/directory
2025/01/19 20:35:41 [INFO] [_DOMAIN_LIST_] acme: Obtaining bundled SAN certificate
2025/01/19 20:35:41 [DEBUG] HEAD https://acme-v02.api.letsencrypt.org/acme/new-nonce
2025/01/19 20:35:41 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/new-order
2025/01/19 20:35:41 Could not obtain certificates:
        acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Invalid identifiers requested :: Cannot issue for "_DOMAIN_LIST_": Domain name contains an invalid character (and 3 more problems. Refer to sub-problems for more information.), problem: "urn:ietf:params:acme:error:malformed" :: Invalid identifiers requested :: Domain name contains an invalid character, problem: "urn:ietf:params:acme:error:malformed" :: Invalid identifiers requested :: Domain name contains an invalid character, problem: "urn:ietf:params:acme:error:malformed" :: Invalid identifiers requested :: Domain name contains an invalid character, problem: "urn:ietf:params:acme:error:malformed" :: Invalid identifiers requested :: Domain name contains an invalid character

I have copied and pasted the list of domains into 3 different plain text editors AND into MS Word to see what invalid character there might be and I cannot find it. I have NO idea what the problem is, and meanwhile 29 websites don't have their SSL Certificate. This is bad, and I'm at my wits' end. This is work stoppage for my company.

I'm attaching the last diagnostic log from the Alternative Approach. Someone, please tell me what's wrong!

bncert-202501191947.log

EDIT: @gongomgra removed sensitive information

@tooliedotter tooliedotter added the tech-issues The user has a technical issue about an application label Jan 19, 2025
@github-actions github-actions bot added the triage Triage is needed label Jan 19, 2025
@wctdotcom

gn

@gongomgra
Collaborator

@tooliedotter you should provide one --domains parameter per domain and www domain:

sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL@YOUR_DOMAIN.com" --domains="my-domain-1.com" --domains="www.my-domain-1.com" --domains="my-domain-2.com" --domains="www.my-domain-2.com" --domains="my-domain-3.com" --domains="www.my-domain-3.com" (...)

Hope it helps!
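
The one-`--domains`-per-hostname form given in the reply above can be generated from a list file rather than typed by hand. This is an added example, not code from Bitnami, lego, or any participant in this thread; the function names and the one-name-per-line input file are assumptions. It rejects any line that is not a plain hostname and dumps that line's bytes so an invisible character can be located.

```shell
#!/bin/sh
# Added example (not Bitnami's or lego's code): turn a list of hostnames into
# one --domains flag per name, rejecting anything that is not a plain hostname.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII letters only

# Succeeds only for a lowercase ASCII hostname: letter/digit/hyphen labels of
# 1-63 characters, at least two labels, at most 253 characters in total.
is_valid_hostname() (
  name=$1
  [ -n "$name" ] && [ "${#name}" -le 253 ] || exit 1
  case $name in
    *[!a-z0-9.-]*)   exit 1 ;;  # space, comma, CR, quote, "*", non-ASCII ...
    .*|*.|*..*)      exit 1 ;;  # empty label
    -*|*-|*.-*|*-.*) exit 1 ;;  # label starts or ends with "-"
    *.*)             ;;         # has at least one dot
    *)               exit 1 ;;
  esac
  IFS=.; set -f
  for label in $name; do [ "${#label}" -le 63 ] || exit 1; done
)

# Reads names from stdin (one per line, "#" starts a comment) and prints one
# --domains=NAME per line. Prints nothing and fails if any line is rejected.
build_domain_flags() (
  rc=0; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    host=$(printf '%s\n' "$line" |
           sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
    [ -n "$host" ] || continue
    if is_valid_hostname "$host"; then
      set -- "$@" "--domains=$host"
    else
      printf 'line %d rejected, bytes were:\n' "$n" >&2
      printf '%s\n' "$line" | od -An -c >&2   # makes invisible characters visible
      rc=1
    fi
  done
  # Let's Encrypt allows at most 100 names on one certificate.
  [ "$rc" -eq 0 ] && [ "$#" -gt 0 ] && [ "$#" -le 100 ] || exit 1
  printf '%s\n' "$@"
)

# Usage, with a hypothetical file domains.txt listing every name (www ones too):
#   flags=$(build_domain_flags < domains.txt) &&
#   sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL@YOUR_DOMAIN.com" \
#     $flags --path="/opt/bitnami/letsencrypt" run
```

`$flags` is left unquoted on purpose so the shell splits it into separate arguments; that is safe here only because every name has already passed `is_valid_hostname`.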

@tooliedotter
Author

tooliedotter commented Jan 20, 2025

What a pain in the butt: --domains=" " 58 times: I seriously do not remember having to do that the last time this alternative method worked. (https://docs.bitnami.com/general/how-to/generate-install-lets-encrypt-ssl/#alternative-approach)

It did work and thank you @gongomgra! Now if I could just get back that lost day on a long holiday weekend!!

Can someone tell me based on the log, etc. why the usual BNCERT-TOOL did not work?

@gongomgra
Collaborator

gongomgra commented Jan 21, 2025

Hi @tooliedotter,

I'm glad it worked for you. I think I have found the issue that you faced in bncert and I have created a new PR to fix it at bitnami/bncert#33

@tooliedotter
Author

Hi @gongomgra, thanks for making that fix. I literally wasted a full day trying to overcome the issue, and I appreciate your kind attention to it.

@gongomgra
Collaborator

Hi @tooliedotter,

Thanks for your kind words! We are closing this ticket as solved.

@gongomgra gongomgra removed the triage Triage is needed label Jan 23, 2025