Package: certbot
Version: 0.10.2-1
Severity: important

Dear Maintainer,

On a stretch server, with no change of configuration, the certbot
service has failed repeatedly since it entered the renew process on
2018-06-05, 30 days before the certificates expire.

The cause may be that the version of certbot is too old, as in bug 888703,
but in my case the error messages are different and sometimes they don't
make any sense to me.


From 2018-06-05 to 2018-06-08 (boundaries included), the log was like:

certbot[31803]: Attempting to renew cert from 
/etc/letsencrypt/renewal/littre.org.conf produced an unexpected error: ("bad 
handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal 
error')],)",). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/littre.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

From 2018-06-09 to 2018-06-12 the error log changed:

Certificate did not match expected hostname: acme-v01.api.letsencrypt.org. 
Certificate: {'subjectAltName': [('DNS', '*.rodanandfields.com'), ('DNS', 
'rodanandfields.com')], 'subject': ((('commonName', 
u'*.rodanandfields.com'),),)}
Attempting to renew cert from /etc/letsencrypt/renewal/littre.org.conf produced 
an unexpected error: hostname 'acme-v01.api.letsencrypt.org' doesn't match 
either of '*.rodanandfields.com', 'rodanandfields.com'. Skipping.

From 2018-06-12 to 2018-06-15, back to the SSL error.

From 2018-06-16 to now, a new DNS error appeared:

Certificate did not match expected hostname: acme-v01.api.letsencrypt.org. 
Certificate: {'subjectAltName': [('DNS', '*.cinemaspathegaumont.com'), ('DNS', 
'cinemaspathegaumont.com')], 'subject': ((('commonName', 
u'*.cinemaspathegaumont.com'),),)}
Attempting to renew cert from /etc/letsencrypt/renewal/littre.org.conf produced 
an unexpected error: hostname 'acme-v01.api.letsencrypt.org' doesn't match 
either of '*.cinemaspathegaumont.com', 'cinemaspathegaumont.com'. Skipping.


This server has no relation to the two domains that were referred to in
the logs. These domains do not appear anywhere under /etc/.

Sincerely,

François Gannaz


-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), 
LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages certbot depends on:
ii  init-system-helpers  1.48
ii  python               2.7.13-2
ii  python-certbot       0.10.2-1

certbot recommends no packages.

Versions of packages certbot suggests:
pn  python-certbot-apache  <none>
pn  python-certbot-doc     <none>

-- no debconf information
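
Added example (not part of the original report and not certbot code): a small Python triage script that extracts, from certbot log lines like those quoted above, which certificate names were presented for the ACME endpoint and checks whether any of them covers the expected hostname. The sample log is constructed from the messages in the report, unwrapped to one line each; the function names are hypothetical.

```python
import ast
import re

# Constructed sample: messages quoted in the report, each unwrapped to a single line.
SAMPLE_LOG = """\
Certificate did not match expected hostname: acme-v01.api.letsencrypt.org. Certificate: {'subjectAltName': [('DNS', '*.rodanandfields.com'), ('DNS', 'rodanandfields.com')], 'subject': ((('commonName', u'*.rodanandfields.com'),),)}
certbot[31803]: Attempting to renew cert from /etc/letsencrypt/renewal/littre.org.conf produced an unexpected error: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],)",). Skipping.
Certificate did not match expected hostname: acme-v01.api.letsencrypt.org. Certificate: {'subjectAltName': [('DNS', '*.cinemaspathegaumont.com'), ('DNS', 'cinemaspathegaumont.com')], 'subject': ((('commonName', u'*.cinemaspathegaumont.com'),),)}
"""

MISMATCH = re.compile(
    r"Certificate did not match expected hostname: (\S+)\. Certificate: (\{.*\})"
)


def san_matches(pattern, hostname):
    """Match one DNS name against hostname; '*' covers exactly the left-most label."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def foreign_certs(log_text):
    """Return one record per logged mismatch: expected host and names presented."""
    findings = []
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if not m:
            continue  # e.g. the "bad handshake" lines carry no certificate
        expected = m.group(1)
        # The certificate is logged as a Python 2 repr; u'' literals parse on Python 3.
        cert = ast.literal_eval(m.group(2))
        names = [v for kind, v in cert.get("subjectAltName", []) if kind == "DNS"]
        if not names:  # fall back to commonName when no SAN was logged
            names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
        findings.append({
            "expected": expected,
            "presented": names,
            "covers_expected": any(san_matches(n, expected) for n in names),
        })
    return findings


if __name__ == "__main__":
    for finding in foreign_certs(SAMPLE_LOG):
        print(finding)
```

Each record lists the names the remote end actually presented, so the log can be compared against the local configuration and against the addresses the ACME hostname resolved to at those times.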
