Your message dated Sun, 24 Jun 2018 09:45:01 -0400 with message-id <CAEri_iE-Ndvrs=wGKT_dKMG9UX5_zQcJc0cumwzhjSW5fR=a...@mail.gmail.com> and subject line Re: Bug#901793: Info received (Bug#901793: certbot: Fails to renew because of a SSL/TLSv1 error and more) has caused the Debian Bug report #901793, regarding certbot: Fails to renew because of a SSL/TLSv1 error and more to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
901793: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901793
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: certbot
Version: 0.10.2-1
Severity: important

Dear Maintainer,

On a stretch server, with no change of configuration, the certbot service failed repeatedly since it entered the renew process on 2018-06-05, 30 days before the certificates expire. The cause may be that the version of certbot is too old, as in bug 888703, but in my case the error messages are different and sometimes they don't make any sense to me.

From 2018-06-05 to 2018-06-08 (boundaries included), the log was like:

    certbot[31803]: Attempting to renew cert from /etc/letsencrypt/renewal/littre.org.conf produced an unexpected error: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],)",). Skipping.
    All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live/littre.org/fullchain.pem (failure)
    1 renew failure(s), 0 parse failure(s)

From 2018-06-09 to 2018-06-12 the error log changed:

    Certificate did not match expected hostname: acme-v01.api.letsencrypt.org. Certificate: {'subjectAltName': [('DNS', '*.rodanandfields.com'), ('DNS', 'rodanandfields.com')], 'subject': ((('commonName', u'*.rodanandfields.com'),),)}
    Attempting to renew cert from /etc/letsencrypt/renewal/littre.org.conf produced an unexpected error: hostname 'acme-v01.api.letsencrypt.org' doesn't match either of '*.rodanandfields.com', 'rodanandfields.com'. Skipping.

From 2018-06-12 to 2018-06-15, back to the SSL error.

From 2018-06-16 to now, a new DNS error appeared:

    Certificate did not match expected hostname: acme-v01.api.letsencrypt.org. Certificate: {'subjectAltName': [('DNS', '*.cinemaspathegaumont.com'), ('DNS', 'cinemaspathegaumont.com')], 'subject': ((('commonName', u'*.cinemaspathegaumont.com'),),)}
    Attempting to renew cert from /etc/letsencrypt/renewal/littre.org.conf produced an unexpected error: hostname 'acme-v01.api.letsencrypt.org' doesn't match either of '*.cinemaspathegaumont.com', 'cinemaspathegaumont.com'. Skipping.

This server has no relation to the two domains that were referred to in the logs. These domains do not appear anywhere under /etc/.

Sincerely,
François Gannaz

-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages certbot depends on:
ii  init-system-helpers  1.48
ii  python               2.7.13-2
ii  python-certbot       0.10.2-1

certbot recommends no packages.

Versions of packages certbot suggests:
pn  python-certbot-apache  <none>
pn  python-certbot-doc     <none>

-- no debconf information
--- End Message ---
--- Begin Message ---
tag 901793 +unreproducible
notfound 901793 0.10.2-1
thanks

Aha -- yes, that would certainly explain it. I will say that the certbot package never changed anything in /etc/hosts -- but the certbot-auto package might have at one time. Either way, glad it's fixed!

Sincerely,

On Sun, Jun 24, 2018 at 1:32 AM, François Gannaz <[email protected]> wrote:
> Here is the explanation: the /etc/hosts files had lines that gave static
> IPs to the servers that renew certificates:
>
> # /etc/hosts
> 104.85.23.247 acme-v01.api.letsencrypt.org
> 104.85.23.247 acme-staging.api.letsencrypt.org
>
> These point to an Akamai server. They were probably proxying letsencrypt
> servers until last month, since renewing certificates worked for the last
> 10 months with this config.
>
> I can't trace precisely the origin of those 2 lines, but etckeeper shows
> they were introduced at the same time certbot was installed (2017-08). And
> I certainly did not write them myself. I suppose certbot's install was a
> bit flawed at that time.
>
> You may close the ticket. Thank you for your help.
>

--
Harlan Lieberman-Berg
~hlieberman
--- End Message ---
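
Added example (not part of the bug report and not certbot code): a check for the condition that turned out to cause this bug, static /etc/hosts entries that override DNS for the ACME endpoints. The function name, the watched set and the sample file are constructed for illustration; the two hostnames and the IP address are the ones quoted in the thread.

```python
import ipaddress

# Hostnames taken from the /etc/hosts lines quoted in the thread.
WATCHED = {
    "acme-v01.api.letsencrypt.org",
    "acme-staging.api.letsencrypt.org",
}


def find_pinned_hosts(hosts_text, watched=WATCHED):
    """Return (line_number, ip, hostname) for each watched name pinned in hosts_text."""
    watched = {w.lower().rstrip(".") for w in watched}
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments, including inline ones
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name overrides nothing
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field, skip the line
        for name in fields[1:]:  # canonical name plus any aliases
            if name.lower().rstrip(".") in watched:
                findings.append((lineno, str(ip), name))
    return findings


# Constructed sample: the pinned entries from the thread plus ordinary lines.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# 104.85.23.247 acme-v01.api.letsencrypt.org   (commented out, must not match)
104.85.23.247 acme-v01.api.letsencrypt.org
104.85.23.247 web1.example.net ACME-Staging.api.letsencrypt.org  # alias, mixed case
::1 localhost ip6-localhost
"""

if __name__ == "__main__":
    for lineno, ip, name in find_pinned_hosts(SAMPLE_HOSTS):
        print(f"hosts line {lineno}: {name} is pinned to {ip}, bypassing DNS")
```

On a real system, pass the contents of /etc/hosts to `find_pinned_hosts` and extend the watched set with any other endpoint whose certificate hostname check depends on current DNS.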

