Wildcard renewal: "Certificate did not match expected hostname"?

When renewing a wildcard cert with this command
./certbot-auto certonly --manual --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns-01 -d .ottawajazzscene.ca -d ottawajazzscene.ca
I get this mysterious error:
Certificate did not match expected hostname: acme-v02.api.letsencrypt.org. Certificate: {‘subjectAltName’: [(‘DNS’, '
.ottawajazzscene.ca’), (‘DNS’, ‘ottawajazzscene.ca’)], ‘subject’: (((‘commonName’, u’ottawajazzscene.ca’),),)}
An unexpected error occurred:
SSLError: hostname ‘acme-v02.api.letsencrypt.org’ doesn’t match either of ‘*.ottawajazzscene.ca’, ‘ottawajazzscene.ca’
Please see the logfiles in /var/log/letsencrypt for more details.
(Python stacktrace available if needed)

./certbot-auto --version
certbot 0.26.1

I believe I have renewed the cert once in June, after getting the initial cert in March.
The certbot-auto command is in a shell script file, leading me to think I used it before as-is and it worked.

Any ideas, please?

Also, does anyone know of a script to automate the txt record placement to insert into a bind zone?

Thanks for any tips.

There should be a wildcard before the domain? - I don’t see one in your post:
Try copying and pasting the following:
./certbot-auto certonly --manual --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns-01 -d *.ottawajazzscene.ca -d ottawajazzscene.ca

The wildcard was interpreted as formatting by the forum software, causing the text to appear in italics (like this).

I would suggest using quotes because the * also has a special meaning to the Unix shell (as a shell wildcard).

Generally agreed. But if you read the error message I included with my question you can see that certbot-auto correctly parsed the command line and -d args; it put them in quotes. Anyway, I added quotes and that didn't change anything.

Does anyone have any other ideas?

Hi @BrettD,

It looks to me based on this error message that your machine resolved the acme-v02.api.letsencrypt.org domain to the wrong IP and when Certbot connected to port 443 it ended up getting back a certificate for your own domain name.

Can you verify that the recursive DNS resolver settings on your server are correct? Can you share the output of running:
openssl s_client -connect acme-v02.api.letsencrypt.org:443 -servername acme-v02.api.letsencrypt.org </dev/null
and
dig acme-v02.api.letsencrypt.org

Thanks!


Thank YOU! Brilliant reading. The message was so odd, I failed to understand it literally.

The dig showed the mistake right away: I had a bad blackhole local DNS entry that was returning 127.0.0.1 for the le (akamaiedge) server.

My certs are now renewed with almost two weeks to spare :)

Thanks so much, cpu. This would have been a difficult one to figure out by myself.

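Added example, not part of any post in this thread and not Certbot's own code: a small Python check that reproduces the diagnosis above from the two things the `dig` and `openssl s_client` commands reveal, namely the resolved addresses and the names in the served certificate. The function names and sample values are hypothetical; the "bad" sample is constructed from the error message and the 127.0.0.1 answer reported in the thread, and the "good" sample uses a documentation-range address as a stand-in.

```python
import ipaddress

ACME_HOST = "acme-v02.api.letsencrypt.org"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def san_names(cert):
    """DNS names from a cert dict shaped like Python's ssl.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, hostname):
    """Case-insensitive match; '*' stands for exactly one left-most label."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def is_local_answer(addr):
    """True for loopback, unspecified, link-local or RFC 1918 addresses."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_unspecified or ip.is_link_local
            or any(ip in net for net in RFC1918))

def diagnose(hostname, addresses, cert):
    """Return findings; an empty list means resolution and cert look sane."""
    findings = [f"dns: {hostname} resolves to local address {a}"
                for a in addresses if is_local_answer(a)]
    names = san_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        findings.append(f"tls: served certificate is for {names}, not {hostname}")
    return findings

# Constructed from the thread: the blackholed DNS answer and the certificate
# named in the SSLError (the machine's own wildcard certificate).
BAD_ADDRS = ["127.0.0.1"]
BAD_CERT = {"subjectAltName": (("DNS", "*.ottawajazzscene.ca"),
                               ("DNS", "ottawajazzscene.ca"))}
# Constructed healthy case: TEST-NET-3 placeholder address, matching SAN.
GOOD_ADDRS = ["203.0.113.10"]
GOOD_CERT = {"subjectAltName": (("DNS", ACME_HOST),)}

if __name__ == "__main__":
    for line in diagnose(ACME_HOST, BAD_ADDRS, BAD_CERT):
        print(line)
```

A local-address finding together with a certificate for your own domain points at a resolver or hosts-file override on the client, not at the ACME server or at the `-d` arguments.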

Excellent! I'm glad to hear you were able to find a solution.

Happy to help! As it happens I lived in Ottawa myself for a few years :) (Go Ravens!)


(Small world! Ex-Carleton? I studied engineering there.) Thanks for all your help on this community forum, cpu. LE wouldn't be as valuable and adopted as it is without the excellent help you and others have provided here. Bravo.

