Strange failure - unknown domain?

The failure message is referring the domain iam-uat.dbs.com.sg. I have no idea what this domain is and why it is being referenced.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command: sudo certbot renew

It produced this output:
accounting@dick:~$ sudo certbot renew
[sudo] password for accounting:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Certificate did not match expected hostname: acme-v02.api.letsencrypt.org. Certificate: {‘subject’: (((‘countryName’, ‘SG’),), ((‘localityName’, ‘Singapore’),), ((‘jurisdictionCountryName’, ‘SG’),), ((‘organizationName’, ‘DBS Bank Ltd’),), ((‘businessCategory’, ‘Private Organization’),), ((‘serialNumber’, ‘196800306E’),), ((‘commonName’, ‘iam-uat.dbs.com.sg’),)), ‘issuer’: (((‘countryName’, ‘US’),), ((‘organizationName’, ‘Entrust, Inc.’),), ((‘organizationalUnitName’, ‘See www.entrust.net/legal-terms’),), ((‘organizationalUnitName’, ‘© 2014 Entrust, Inc. - for authorized use only’),), ((‘commonName’, ‘Entrust Certification Authority - L1M’),)), ‘version’: 3, ‘serialNumber’: ‘6552ACC255A7599F0000000054CFB1DF’, ‘notBefore’: ‘Apr 22 06:18:38 2019 GMT’, ‘notAfter’: ‘Apr 22 06:48:36 2021 GMT’, ‘subjectAltName’: ((‘DNS’, ‘iam-uat.dbs.com.sg’),), ‘OCSP’: (‘http://ocsp.entrust.net’,), ‘caIssuers’: (‘http://aia.entrust.net/l1m-chain256.cer’,), ‘crlDistributionPoints’: (‘http://crl.entrust.net/level1m.crl’,)}
Attempting to renew cert () from /etc/letsencrypt/renewal/.conf produced an unexpected error: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Max retries exceeded with url: /directory (Caused by SSLError(CertificateError(“hostname ‘acme-v02.api.letsencrypt.org’ doesn’t match ‘iam-uat.dbs.com.sg’”,),)). Skipping.


Processing /etc/letsencrypt/renewal/conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Certificate did not match expected hostname: acme-v02.api.letsencrypt.org. Certificate: {‘subject’: (((‘countryName’, ‘SG’),), ((‘localityName’, ‘Singapore’),), ((‘jurisdictionCountryName’, ‘SG’),), ((‘organizationName’, ‘DBS Bank Ltd’),), ((‘businessCategory’, ‘Private Organization’),), ((‘serialNumber’, ‘196800306E’),), ((‘commonName’, ‘iam-uat.dbs.com.sg’),)), ‘issuer’: (((‘countryName’, ‘US’),), ((‘organizationName’, ‘Entrust, Inc.’),), ((‘organizationalUnitName’, ‘See www.entrust.net/legal-terms’),), ((‘organizationalUnitName’, ‘© 2014 Entrust, Inc. - for authorized use only’),), ((‘commonName’, ‘Entrust Certification Authority - L1M’),)), ‘version’: 3, ‘serialNumber’: ‘6552ACC255A7599F0000000054CFB1DF’, ‘notBefore’: ‘Apr 22 06:18:38 2019 GMT’, ‘notAfter’: ‘Apr 22 06:48:36 2021 GMT’, ‘subjectAltName’: ((‘DNS’, ‘iam-uat.dbs.com.sg’),), ‘OCSP’: (‘http://ocsp.entrust.net’,), ‘caIssuers’: (‘http://aia.entrust.net/l1m-chain256.cer’,), ‘crlDistributionPoints’: (‘http://crl.entrust.net/level1m.crl’,)}
Attempting to renew cert () from /etc/letsencrypt/renewal/.conf produced an unexpected error: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Max retries exceeded with url: /directory (Caused by SSLError(CertificateError(“hostname ‘acme-v02.api.letsencrypt.org’ doesn’t match ‘iam-uat.dbs.com.sg’”,),)). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live//fullchain.pem (failure)
/etc/letsencrypt/live//fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live//fullchain.pem (failure)
/etc/letsencrypt/live/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)
accounting@dick:~$

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @fsco

looks like there is a man in the middle. So the original Letsencrypt certificate is changed.

Or your server is hacked and has (sample) a manipulated hosts file.

So the name acme-v02.api.letsencrypt.org goes to to a fixed ip address.

May had worked earlier, now you have to change the entry.

Yep, looks like you have a fixed hosts entry, that's now wrong:

D:\>nslookup iam-uat.dbs.com.sg.

Name:    e3822.dsca.akamaiedge.net
Addresses:  2a02:26f0:fc:287::eee
          2a02:26f0:fc:28b::eee
          104.87.225.142
Aliases:  iam-uat.dbs.com.sg
          iam-uat.dbs.com.sg.edgekey.net

Letsencrypt uses Akami, but that's the problem with a fixed ip address.

2 Likes

Yes, that was exactly the problem ... previously I could not do a nslookup for the LE server, so added the entry to /etc/hosts. I have now removed it and all worked fine.

THANK YOU for your quick help! :slight_smile:

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.