Sudo certbot worked three months ago, now yields Disney references, what is going on?

I successfully updated my certificates three months ago by using sudo certbot for all my domains. Now, 3+ months later, it’s time to renew. When running sudo certbot I get references to Disney, as per below. Why?

I ran this command:
sudo certbot

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Certificate did not match expected hostname: acme-v02.api.letsencrypt.org. Certificate: {'subject': ((('commonName', 'disneycruise.disney.go.com'),),), 'subjectAltName': [('DNS', 'disneycruise.disney.go.com'), ('DNS', 'www.disneycruiselinetravel.com'), ('DNS', 'www.disneycruiselatino.com'), ('DNS', 'www.disneycruisebrasil.com')]}
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 837, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 339, in connect
    _match_hostname(cert, self.assert_hostname or hostname)
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 349, in _match_hostname
    match_hostname(cert, asserted_hostname)
  File "/usr/lib/python3.5/ssl.py", line 305, in match_hostname
    % (hostname, ', '.join(map(repr, dnsnames))))
ssl.CertificateError: hostname 'acme-v02.api.letsencrypt.org' doesn't match either of 'disneycruise.disney.go.com', 'www.disneycruiselinetravel.com', 'www.disneycruiselatino.com', 'www.disneycruisebrasil.com'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 423, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 624, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: hostname 'acme-v02.api.letsencrypt.org' doesn't match either of 'disneycruise.disney.go.com', 'www.disneycruiselinetravel.com', 'www.disneycruiselatino.com', 'www.disneycruisebrasil.com'

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: hostname 'acme-v02.api.letsencrypt.org' doesn't match either of 'disneycruise.disney.go.com', 'www.disneycruiselinetravel.com', 'www.disneycruiselatino.com',

My web server is (include version):
Server version: Apache/2.4.25 (Debian)
Server built: 2019-10-13T15:43:54

The operating system my web server runs on is (include version):
Debian GNU/Linux 9 (stretch)

I can log in to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.28.0

Hi @k9us

Check your hosts file.

Looks like you have a hard-coded combination

IP address -->> hostname

in your hosts file (/etc/hosts). Now the IP address is wrong.

Or your DNS is having trouble resolving: acme-v02.api.letsencrypt.org
Try (and compare IP addresses returned):
ping acme-v02.api.letsencrypt.org
nslookup acme-v02.api.letsencrypt.org
nslookup acme-v02.api.letsencrypt.org 1.1.1.1

Hosts file empty except for two loopback (127.0.0.1) entries and three IPv6 entries (::1, ff02::1 and ff02::2).

I think you're probably right. Thanks :slight_smile:

ping acme-v02.api.letsencrypt.org
PING e14990.dscx.akamaiedge.net (92.122.67.184) 56(84) bytes of data.

nslookup acme-v02.api.letsencrypt.org
Server: 10.10.10.1
Address: 10.10.10.1#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org canonical name = api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net canonical name = e14990.dscx.akamaiedge.net.
Name: e14990.dscx.akamaiedge.net
Address: 92.122.67.184

nslookup acme-v02.api.letsencrypt.org 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org canonical name = prod.api.letsencrypt.org.
prod.api.letsencrypt.org canonical name = ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Name: ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 172.65.32.248

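A way to do the comparison the replies ask for without reading the transcripts by eye, as an added example that is not code from the thread: it parses the two nslookup outputs posted above (embedded here as constructed sample strings, tabs standing in for nslookup's column spacing) and reports which resolver disagrees with a reference resolver. The function names and the choice of 1.1.1.1 as the default reference are assumptions.

```python
import re

# Constructed samples: the two nslookup transcripts posted above, one from the
# local gateway (10.10.10.1) and one from Cloudflare's public resolver 1.1.1.1.
LOCAL_RESOLVER_OUTPUT = """\
Server:\t\t10.10.10.1
Address:\t10.10.10.1#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org\tcanonical name = api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net\tcanonical name = e14990.dscx.akamaiedge.net.
Name:\te14990.dscx.akamaiedge.net
Address: 92.122.67.184
"""

PUBLIC_RESOLVER_OUTPUT = """\
Server:\t\t1.1.1.1
Address:\t1.1.1.1#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org\tcanonical name = prod.api.letsencrypt.org.
prod.api.letsencrypt.org\tcanonical name = ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Name:\tca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 172.65.32.248
"""

CNAME_RE = re.compile(r"^(\S+)\s+canonical name = (\S+)$")


def parse_nslookup(text):
    """Pull the resolver, the CNAME chain and the answer addresses out of one
    nslookup transcript. nslookup prints the resolver's own Server/Address
    block, a blank line, then the answer, so the first blank line splits the
    two and the resolver's 'Address:' line is never counted as an answer."""
    resolver = None
    cnames = []
    addresses = []
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_answer = True
            continue
        if not in_answer:
            if line.startswith("Server:"):
                resolver = line.split(":", 1)[1].strip()
            continue
        m = CNAME_RE.match(line)
        if m:
            cnames.append((m.group(1).rstrip("."), m.group(2).rstrip(".")))
        elif line.startswith("Address:"):
            # split only on the first ':' so IPv6 answers survive; drop any '#port'
            addresses.append(line.split(":", 1)[1].strip().split("#")[0])
    return {"resolver": resolver, "cnames": cnames, "addresses": sorted(addresses)}


def final_target(parsed):
    """Last name in the CNAME chain (the host that actually answers), or None."""
    return parsed["cnames"][-1][1] if parsed["cnames"] else None


def disagreeing_resolvers(outputs, reference="1.1.1.1"):
    """Resolvers whose answer addresses differ from the reference resolver's.
    An empty list means every transcript agrees with the reference."""
    parsed = {p["resolver"]: p for p in map(parse_nslookup, outputs)}
    if reference not in parsed:
        raise ValueError("no transcript from reference resolver %s" % reference)
    expected = set(parsed[reference]["addresses"])
    return sorted(r for r, p in parsed.items()
                  if r != reference and set(p["addresses"]) != expected)


if __name__ == "__main__":
    for text in (LOCAL_RESOLVER_OUTPUT, PUBLIC_RESOLVER_OUTPUT):
        p = parse_nslookup(text)
        print(p["resolver"], "->", final_target(p), p["addresses"])
    print("disagree with 1.1.1.1:",
          disagreeing_resolvers([LOCAL_RESOLVER_OUTPUT, PUBLIC_RESOLVER_OUTPUT]))
```

Run against the two transcripts it reports 10.10.10.1 as the odd one out, and the CNAME chains make the cause visible: the gateway still follows the old edgekey.net/akamaiedge.net chain while the public resolver follows the current pacloudflare.com one.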
So there is an intermediate DNS problem.
[out of your control]

Can you just switch your DNS to 1.1.1.1 or 8.8.8.8 or any other (that works)?

There you see the problem. That's the wrong IP address. But where is that combination defined, if your hosts file is empty?

Let's Encrypt has switched: Akamai -> other system. So Akamai uses that IP address with other domains -> that's the error message "no certificate with that domain name".

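The check that produced the "doesn't match either of" error, as an added example (not code from the thread, from certbot or from urllib3): a small re-implementation of TLS hostname matching against a certificate dict in the shape Python's `ssl.getpeercert()` returns, filled with the names from the error message above. It shows why the client was right to refuse: the stale address answered with a valid certificate, just not one for acme-v02.api.letsencrypt.org. The wildcard rule and the `WILDCARD_CERT` sample are assumptions added for illustration.

```python
import ssl

# Constructed peer certificate in the shape ssl.getpeercert() returns, using the
# names from the error message in the thread: the stale Akamai edge address
# served a certificate for Disney sites, not for the ACME API.
PEER_CERT = {
    "subject": ((("commonName", "disneycruise.disney.go.com"),),),
    "subjectAltName": [
        ("DNS", "disneycruise.disney.go.com"),
        ("DNS", "www.disneycruiselinetravel.com"),
        ("DNS", "www.disneycruiselatino.com"),
        ("DNS", "www.disneycruisebrasil.com"),
    ],
}

# Hypothetical certificate with a wildcard SAN, to show the left-most-label rule.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": [("DNS", "*.example.com"), ("DNS", "example.com")],
}


def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A '*' is only
    accepted as the entire left-most label (RFC 6125 style): '*.example.com'
    matches 'api.example.com' but not 'a.b.example.com' or 'example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_dns_names(cert):
    """Names the certificate is valid for: the DNS SANs, falling back to the
    commonName only when the certificate carries no DNS SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def mismatch_message(cert, hostname):
    """None if hostname is covered by cert, otherwise the error text in the
    same form as the ssl.CertificateError in the traceback."""
    names = certificate_dns_names(cert)
    if any(dns_name_matches(name, hostname) for name in names):
        return None
    return "hostname %r doesn't match either of %s" % (
        hostname, ", ".join(map(repr, names)))


def check_hostname(cert, hostname):
    """Raise ssl.CertificateError on a mismatch, as the TLS client did; code
    that swallows this error has effectively disabled hostname verification."""
    message = mismatch_message(cert, hostname)
    if message is not None:
        raise ssl.CertificateError(message)


def is_rejected(cert, hostname):
    """True when check_hostname would refuse the connection."""
    try:
        check_hostname(cert, hostname)
    except ssl.CertificateError:
        return True
    return False


if __name__ == "__main__":
    print(mismatch_message(PEER_CERT, "acme-v02.api.letsencrypt.org"))
    check_hostname(PEER_CERT, "www.disneycruisebrasil.com")  # accepted, no error
```

The point for a defender is that the error is the TLS stack working as designed: a wrong DNS answer cannot be turned into a silently wrong certificate, so the fix is to repair name resolution (here, the stale resolver), never to relax the hostname check.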
Let's Encrypt changed that months ago. It's very odd that any DNS resolver could still think it's true. :confused: It seems like something is very wrong with 10.10.10.1.

Luckily I can, now it works as expected!

Seems to be an ISP issue in this case.

10.10.10.1 is one of many local gateways that in turn uses the ISP DNS servers. Multiple gateways report the same faulty address. I was able to redirect DNS requests to 1.1.1.1 and now it works fine. A bit worrying though that the ISP still has an old DNS record now even months later.

Thank you all for the help! Truly appreciate it.
