Cert renew not working


#1

Hi
I am having issues renewing my cert.
I am using a cronjob with the command, but for some reason it does not work anymore.
I'd like to keep the domain private if possible, since it runs a sensitive webcam.

I ran this command: ./certbot-auto certonly -d subdomain.uk.to

It produced this output:
root@abc:~# ./certbot-auto certonly -d subdomain.uk.to
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Certificate did not match expected hostname: acme-v01.api.letsencrypt.org. Certificate: {'subjectAltName': [('DNS', 'b2b.companyc.com'), ('DNS', 'ii.aveeno.com'), ('DNS', 'ii.bronners.com'), ('DNS', 'ii.cheaperthandirt.com'), ('DNS', 'ii.christmastreeshops.com'), ('DNS', 'ii.countrycurtains.com'), ('DNS', 'ii.crazyshirts.com'), ('DNS', 'ii.designtoscano.com'), ('DNS', 'ii.eastlandshoe.com'), ('DNS', 'ii.especiallyyours.com'), ('DNS', 'ii.frenchtoast.com'), ('DNS', 'ii.gianttiger.com'), ('DNS', 'ii.honeybakedonline.com'), ('DNS', 'ii.modells.com'), ('DNS', 'ii.nancysnotions.com'), ('DNS', 'ii.neostrata.com'), ('DNS', 'ii.paulayoung.com'), ('DNS', 'ii.powr-flite.com'), ('DNS', 'ii.thelook.fashion'), ('DNS', 'ii.theroomplace.com'), ('DNS', 'ii.titlenine.com'), ('DNS', 'ii.urbanbarn.com'), ('DNS', 'ii.wig.com'), ('DNS', 'ii.wilsonsleather.com'), ('DNS', 'ii.worldmarket.com'), ('DNS', 'ii.ylang23.com'), ('DNS', 'ii2.designtoscano.com'), ('DNS', 'ii2.wilsonsleather.com'), ('DNS', 'ii3.designtoscano.com'), ('DNS', 'ii3.wilsonsleather.com'), ('DNS', 'mc2-ii.aws.marketlive.com'), ('DNS', 'store.electrabike.com'), ('DNS', 'vidweb.aws.marketlive.com'), ('DNS', 'www.aveeno.com'), ('DNS', 'www.bettysattic.com'), ('DNS', 'www.brokerforms.com'), ('DNS', 'www.bronners.com'), ('DNS', 'www.cheaperthandirt.com'), ('DNS', 'www.cheaperthandirt.net'), ('DNS', 'www.christmastreeshops.com'), ('DNS', 'www.closeoutzone.com'), ('DNS', 'www.companyc.com'), ('DNS', 'www.countrycurtains.com'), ('DNS', 'www.crazyshirts.com'), ('DNS', 'www.designtoscano.com'), ('DNS', 'www.disneyfloralandgifts.com'), ('DNS', 'www.eastlandshoe.com'), ('DNS', 'www.educationalinsights.com'), ('DNS', 'www.especiallyyours.com'), ('DNS', 'www.exuviance.com'), ('DNS', 'www.frenchtoast.com'), ('DNS', 'www.fulloflife.com'), ('DNS', 'www.gianttiger.com'), ('DNS', 'www.greatland.com'), ('DNS', 'www.griotsgarage.com'), ('DNS', 'www.helzberg.com'), ('DNS', 'www.honeybakedonline.com'), ('DNS', 'www.jjmystore.com'), ('DNS', 
'www.learningresources.co.uk'), ('DNS', 'www.learningresources.com'), ('DNS', 'www.lighterside.com'), ('DNS', 'www.marketlive.com'), ('DNS', 'www.nancysnotions.com'), ('DNS', 'www.nelcosolutions.com'), ('DNS', 'www.neostrata.com'), ('DNS', 'www.onekingslane.com'), ('DNS', 'www.paulayoung.com'), ('DNS', 'www.peruvianconnection.co.uk'), ('DNS', 'www.peruvianconnection.com'), ('DNS', 'www.peruvianconnection.de'), ('DNS', 'www.powr-flite.com'), ('DNS', 'www.rogaine.com'), ('DNS', 'www.thelook.fashion'), ('DNS', 'www.theroomplace.com'), ('DNS', 'www.thingsyouneverknew.com'), ('DNS', 'www.titlenine.com'), ('DNS', 'www.wig.com'), ('DNS', 'www.wilsonsleather.com'), ('DNS', 'www.worldmarket.com'), ('DNS', 'www.ylang23.com')], 'subject': ((('commonName', u'ii.worldmarket.com'),),)}
An unexpected error occurred:
SSLError: hostname 'acme-v01.api.letsencrypt.org' doesn't match either of 'b2b.companyc.com', 'ii.aveeno.com', 'ii.bronners.com', 'ii.cheaperthandirt.com', 'ii.christmastreeshops.com', 'ii.countrycurtains.com', 'ii.crazyshirts.com', 'ii.designtoscano.com', 'ii.eastlandshoe.com', 'ii.especiallyyours.com', 'ii.frenchtoast.com', 'ii.gianttiger.com', 'ii.honeybakedonline.com', 'ii.modells.com', 'ii.nancysnotions.com', 'ii.neostrata.com', 'ii.paulayoung.com', 'ii.powr-flite.com', 'ii.thelook.fashion', 'ii.theroomplace.com', 'ii.titlenine.com', 'ii.urbanbarn.com', 'ii.wig.com', 'ii.wilsonsleather.com', 'ii.worldmarket.com', 'ii.ylang23.com', 'ii2.designtoscano.com', 'ii2.wilsonsleather.com', 'ii3.designtoscano.com', 'ii3.wilsonsleather.com', 'mc2-ii.aws.marketlive.com', 'store.electrabike.com', 'vidweb.aws.marketlive.com', 'www.aveeno.com', 'www.bettysattic.com', 'www.brokerforms.com', 'www.bronners.com', 'www.cheaperthandirt.com', 'www.cheaperthandirt.net', 'www.christmastreeshops.com', 'www.closeoutzone.com', 'www.companyc.com', 'www.countrycurtains.com', 'www.crazyshirts.com', 'www.designtoscano.com', 'www.disneyfloralandgifts.com', 'www.eastlandshoe.com', 'www.educationalinsights.com', 'www.especiallyyours.com', 'www.exuviance.com', 'www.frenchtoast.com', 'www.fulloflife.com', 'www.gianttiger.com', 'www.greatland.com', 'www.griotsgarage.com', 'www.helzberg.com', 'www.honeybakedonline.com', 'www.jjmystore.com', 'www.learningresources.co.uk', 'www.learningresources.com', 'www.lighterside.com', 'www.marketlive.com', 'www.nancysnotions.com', 'www.nelcosolutions.com', 'www.neostrata.com', 'www.onekingslane.com', 'www.paulayoung.com', 'www.peruvianconnection.co.uk', 'www.peruvianconnection.com', 'www.peruvianconnection.de', 'www.powr-flite.com', 'www.rogaine.com', 'www.thelook.fashion', 'www.theroomplace.com', 'www.thingsyouneverknew.com', 'www.titlenine.com', 'www.wig.com', 'www.wilsonsleather.com', 'www.worldmarket.com', 'www.ylang23.com'
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): none

The operating system my web server runs on is (include version): Debian 8

I can login to a root shell on my machine (yes or no, or I don’t know): yes

Any help appreciated


#2

Can you run the following:

grep -i letsencrypt /etc/hosts
curl -X GET -Ik https://acme-v01.api.letsencrypt.org
openssl s_client -connect acme-v01.api.letsencrypt.org:443 -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -modulus

#3

Sure thing, thank you for your response.
Here is the output:

root@abc:~# grep -i letsencrypt /etc/hosts
104.108.34.195 acme-v01.api.letsencrypt.org

root@abc:~# curl -X GET -Ik https://acme-v01.api.letsencrypt.org
HTTP/1.1 403 Forbidden
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 322
Expires: Thu, 12 Apr 2018 08:24:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 12 Apr 2018 08:24:20 GMT
Connection: close

root@abc:~# openssl s_client -connect acme-v01.api.letsencrypt.org:443 -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -modulus
subject= /CN=ii.worldmarket.com
issuer= /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
Modulus=

I did notice this entry in /etc/hosts when I checked earlier.
I did put it there, or I don’t remember.
According to the error, this entry might be wrong and needs to be edited or removed?


#4

You’re gonna need to delete that line from your /etc/hosts.

Are you from Vietnam by any chance?
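
A small audit for the root cause found above (a stale /etc/hosts pin for the ACME endpoint), as an added example that is not from this thread or from Certbot: it parses /etc/hosts, reports any entry that overrides a Let's Encrypt API hostname, and flags it as stale when DNS no longer returns that address. The acme-v02 hostname, the helper names and the embedded sample hosts file are my assumptions.

```python
"""Audit /etc/hosts for stale overrides of ACME CA endpoints (added example)."""
import socket

# Let's Encrypt production endpoints; acme-v01 is the one pinned in the thread.
ACME_HOSTS = ("acme-v01.api.letsencrypt.org", "acme-v02.api.letsencrypt.org")

# Constructed sample modelled on the thread's /etc/hosts (not the poster's file).
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "# workaround added at some point and forgotten\n"
    "104.108.34.195 acme-v01.api.letsencrypt.org  # trailing comment\n"
    "::1 ip6-localhost ip6-loopback\n"
)


def parse_hosts(text):
    """Map each hostname in /etc/hosts-style text to the IPs it is pinned to.

    Comments (#...) and blank lines are skipped; one line may carry several names.
    """
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), []).append(ip)
    return mapping


def find_overrides(hosts_text, targets=ACME_HOSTS):
    """Return {acme_hostname: [pinned_ip, ...]} for every target pinned in hosts_text."""
    parsed = parse_hosts(hosts_text)
    return {h: parsed[h] for h in targets if h in parsed}


def classify(pinned_ips, resolved_ips):
    """'ok' if every pinned IP is still what DNS returns, otherwise 'stale'.

    A stale pin sends the ACME client to a host serving someone else's certificate,
    which is exactly the hostname-mismatch SSLError quoted in the first post.
    """
    return "ok" if set(pinned_ips) <= set(resolved_ips) else "stale"


def resolve_ipv4(name):
    """Live A-record lookup (needs network); the offline test does not call it."""
    infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    with open("/etc/hosts") as fh:
        for host, ips in find_overrides(fh.read()).items():
            print(host, ips, classify(ips, resolve_ipv4(host)))
```

Any line reported as stale is the one to remove; a pin that still matches DNS is harmless today but will break the same way the next time the CA moves its endpoint.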


#5

Thank you for your reply.
In the meantime I removed the specific line and everything went smoothly afterwards.
Thank you for pointing me in the right direction!

No, sorry. I’m located in Switzerland.


#6

Do you know how that line originally got into your /etc/hosts file? As @_az has noticed, we’ve had several people who had this line there and it was causing problems for them.

This can be a result of an out-of-date workaround for network-based censorship, but I don’t know why a user in Switzerland would have attempted that since the Swiss government isn’t trying to block access to our services.


#7

Sorry, I do not know anymore and was not able to find anything in my shell history either.
It might have been there because of some IPv4/IPv6 issue I had in the past, or a network issue, but I do not remember.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.