Wrong domain when renewing

Hello
I wanted to renew my certificate, as I do every 3 months, with the command:

sudo ./certbot-auto --apache --agree-tos --rsa-key-size 4096 --email wxxx.xxxx@xxxx.fr --redirect -d nextcloud.rivard-international.com
and I have this error:

Certificate did not match expected hostname: acme-v02.api.letsencrypt.org. Certificate: {'subjectAltName': [('DNS', '*.yieldmo.com'), ('DNS', 'yieldmo.com')], 'subject': ((('commonName', u'*.yieldmo.com'),),)}
An unexpected error occurred:

except that this domain does not belong to me.
How do I solve this problem?
Thank you

Doubleve

It looks like your client is getting the yieldmo.com certificate when trying to access https://acme-v02.api.letsencrypt.org/. It’s not about your website itself.

What happens if you run “curl -v https://acme-v02.api.letsencrypt.org/directory”?

Does the system’s /etc/hosts file have an entry for acme-v02.api.letsencrypt.org or something?

Can you fill out the rest of the questionnaire below?


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


Hi @doubleve

Your command looks ok. The older certificates have only one domain name.

But your certificate is new - https://check-your-website.server-daten.de/?q=nextcloud.rivard-international.com

CN=nextcloud.rivard-international.com
21.10.2019 - 19.01.2020, expires in 74 days
nextcloud.rivard-international.com - 1 entry

so you don't need a new one. And the site shows only the standard Apache configuration page.

So I don't understand your error message.

What says

sudo ./certbot-auto certificates

Is there a wrong config file?

Good evening.
I was wrong: I have 2 Nextcloud instances, and the one that poses the problem is cloud.rivard-international.com

Same problem, only timeouts.

[Edit]: No, not timeouts, blocking answers - ConnectFailure - Unable to connect to the remote server - looks like a firewall.

What says

traceroute acme-v02.api.letsencrypt.org

to check if your server uses the correct IP.

Can you log into the system that’s experiencing the problem and answer the questions in my first post?

root@SRV-NEXTCLOUD:~# curl -v https://acme-v02.api.letsencrypt.org/directory

* Trying 23.63.149.194...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (23.63.149.194) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=New York; L=New York; O=YieldMo, Inc.; OU=IT; CN=*.yieldmo.com
*  start date: Mar 9 00:00:00 2019 GMT
*  expire date: Jun 7 12:00:00 2020 GMT
*  subjectAltName does not match acme-v02.api.letsencrypt.org
* SSL: no alternative certificate subject name matches target host name 'acme-v02.api.letsencrypt.org'
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'acme-v02.api.letsencrypt.org'

root@SRV-NEXTCLOUD:~# traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (23.63.149.194), 30 hops max, 60 byte packets
1 10.32.15.254 (10.32.15.254) 0.676 ms 1.021 ms 1.326 ms
2 134.90.143.181 (134.90.143.181) 22.061 ms 22.485 ms 22.323 ms
3 10.100.2.136 (10.100.2.136) 14.293 ms 14.102 ms 14.784 ms
4 10.100.2.140 (10.100.2.140) 15.736 ms 15.681 ms 16.663 ms
5 195.190.87.5 (195.190.87.5) 23.270 ms 23.521 ms 23.701 ms
6 89.149.183.174 (89.149.183.174) 32.244 ms 31.392 ms 31.914 ms
7 ip4.gtt.net (87.119.97.190) 32.140 ms 29.257 ms 29.778 ms
8 ae1-2080.ber10.core-backbone.com (80.255.14.198) 40.318 ms 40.628 ms 40.498 ms
9 core-backbone.akamai.com (5.56.17.230) 49.455 ms 43.027 ms 42.707 ms
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

That's the wrong IP. Must be 172.65.32.248.

Looks like you have an expired static entry in your /etc/hosts file. Remove that entry.

Yep, checking that IP, it's from Akamai - https://check-your-website.server-daten.de/?q=23.63.149.194

Host T IP-Address is auth. ∑ Queries ∑ Timeout
23.63.149.194 A 23.63.149.194 Barranca de Upia/Departamento del Meta/Colombia (CO) - Akamai Technologies Hostname: a23-63-149-194.deploy.static.akamaitechnologies.com yes

Let's Encrypt has changed its own connection, so Akamai isn't used any longer.


My hosts file:

127.0.0.1 localhost
127.0.1.1 SRV-NEXTCLOUD
23.63.149.194 acme-v02.api.letsencrypt.org
2a02:26f0:fc:290::3a8e: acme-v02.api.letsencrypt.org

# The following lines are desirable for IPv6 capable hosts

::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

It's the hosts config file in /etc.

Yes, and as Jürgen says, you should remove the lines that refer to the acme-v02.api.letsencrypt.org service from this file. The IP address hard-coded there is an old one that’s no longer correct.
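The diagnosis in this thread rests on two observations: the name acme-v02.api.letsencrypt.org was pinned to a stale address in /etc/hosts, and the certificate that address served had a subjectAltName list that does not cover the ACME hostname. The following script is an added example, not part of the thread and not certbot's or curl's code: it checks an /etc/hosts-style file for static entries that override DNS for a given name (whole-token match, comments stripped) and applies the usual wildcard rule to decide whether a SAN list covers a hostname. The sample hosts file is constructed here to mirror the one posted above; the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the thread): spot stale /etc/hosts pins and
# check a certificate's SAN list against the hostname you meant to reach.

# Write a constructed hosts file (mirrors the one in the thread) and print its path.
make_sample_hosts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
127.0.0.1 localhost
127.0.1.1 SRV-NEXTCLOUD
23.63.149.194 acme-v02.api.letsencrypt.org   # stale pin (constructed sample)
2a02:26f0:fc:290::3a8e acme-v02.api.letsencrypt.org
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
EOF
    echo "$f"
}

# Print every address that HOSTS_FILE statically maps to NAME, one per line.
# Comments and blank lines are ignored; names are matched as whole tokens,
# so "api.letsencrypt.org" does not match "acme-v02.api.letsencrypt.org".
hosts_pins() {
    hosts_file=$1
    name=$2
    awk -v want="$name" '
        { sub(/#.*/, "") }      # drop trailing comments
        NF < 2 { next }         # need an address plus at least one hostname
        { for (i = 2; i <= NF; i++) if ($i == want) print $1 }
    ' "$hosts_file"
}

# Return 0 if NAME is covered by one of the SAN entries given as arguments.
# Wildcard rule: "*.yieldmo.com" covers "a.yieldmo.com" but neither
# "yieldmo.com" nor "a.b.yieldmo.com" (exactly one label may replace the "*").
san_covers() {
    name=$1
    shift
    for san in "$@"; do
        case "$san" in
            \*.*)
                suffix=${san#\*.}
                head=${name%.$suffix}        # strip ".suffix" if present
                if [ "$head" != "$name" ] && [ -n "$head" ] && [ "${head#*.}" = "$head" ]; then
                    return 0
                fi
                ;;
            *)
                if [ "$san" = "$name" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# Demo: reproduce the thread's situation on the constructed sample.
HOSTS=$(make_sample_hosts)
echo "Static entries for acme-v02.api.letsencrypt.org:"
hosts_pins "$HOSTS" acme-v02.api.letsencrypt.org
if san_covers acme-v02.api.letsencrypt.org '*.yieldmo.com' yieldmo.com; then
    echo "SAN covers the ACME hostname"
else
    echo "SAN does not cover the ACME hostname: the pinned address serves a certificate for another site"
fi
rm -f "$HOSTS"
```

Run it against the real file with `hosts_pins /etc/hosts acme-v02.api.letsencrypt.org`: any output means the resolver is bypassed for that name, which is exactly what made the client connect to an address that no longer belongs to the service.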

I restarted the command and I no longer have the error.
Thank you!!!
On the other hand, my virtual host is on 8080.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Apache Authenticator, Install Apache
Cert is due for renewal, self-renewing …
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.rivard-international.com
Cleaning up challenges
Unable to find a virtual host that is currently in need of certbot to prove that you control your domain. Please add a virtual host for port 80.

Does anything else on this machine use port 80? If not, consider using --standalone in Certbot.

Yes, I have another server that uses ports 80 and 443.
To add --standalone, where in the command must we put it?

It’s difficult for Certbot to work when port 80 is used by other software on the machine (that is, other than the web server for which you want to obtain your certificate).

You could try something like

sudo ./certbot-auto -a standalone -i apache --agree-tos --rsa-key-size 4096 --email wxxx.xxxx@xxxx.fr --redirect -d nextcloud.rivard-international.com

In this case, you would need to stop the other program that uses port 80 temporarily before requesting the certificate (and also when renewing the certificate).

Alternatively, you could use the other web server to obtain your certificate and/or to proxy for your port 8080 service.
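The standalone route above requires the other port-80 server to be stopped for the duration of the request and started again afterwards, including when certbot fails. The wrapper below is an added example, not from the thread and not a certbot feature: it takes the stop and start commands as parameters (so the stubbed commands in a test and the real service commands in production look the same), runs whatever certbot command follows, and restarts the other server unconditionally while preserving certbot's exit status. The function name and the "other-web-server" service name are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): free port 80 around a standalone
# certbot run and always hand the port back to the other server.
#
# Usage: with_port80_free "<stop command>" "<start command>" <certbot command...>
# Returns certbot's exit status; the start command runs even if certbot fails.
with_port80_free() {
    stop_cmd=$1
    start_cmd=$2
    shift 2
    # If the port cannot be freed, do not run certbot at all.
    eval "$stop_cmd" || { echo "could not stop the port-80 service" >&2; return 1; }
    rc=0
    "$@" || rc=$?                      # capture certbot's status without exiting under set -e
    # Restart unconditionally; a restart failure is reported but must not hide certbot's result.
    eval "$start_cmd" || {
        echo "warning: could not restart the port-80 service" >&2
        if [ "$rc" -eq 0 ]; then rc=2; fi
    }
    return "$rc"
}

# Real invocation for the case in the thread ("other-web-server" is a placeholder
# for the service that owns ports 80/443; the certbot arguments are the ones posted above):
#
#   with_port80_free "systemctl stop other-web-server" "systemctl start other-web-server" \
#       sudo ./certbot-auto -a standalone -i apache --agree-tos --rsa-key-size 4096 \
#       --email wxxx.xxxx@xxxx.fr --redirect -d cloud.rivard-international.com
```

Certbot itself offers `--pre-hook` and `--post-hook` for the same stop/start job, and those hooks are also recorded in the renewal configuration so the automatic renewals get the same treatment; the wrapper above is just the explicit form of that sequence.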

I just tested
sudo ./certbot-auto -a standalone -i apache --agree-tos --rsa-key-size 4096 --email wxxx.xxxx@xxxx.fr --redirect -d nextcloud.rivard-international.com

“The requested autonome plugin does not appear to be installed”

Where is the word autonome coming from here? Are you using machine translation for either the command or its output?

yes I use a translator

“The requested stand-alone plugin does not appear to be installed”