Cannot renew certificate

Harm-Jan · May 14, 2020, 8:40pm

I have been trying to renew my Let’s Encrypt certificate.

All my attempts are rejected.

Below the technical details.

I am using Tomcat as webserver.

I think Let’s Encrypt wants to try to verify my site by accessing the url
http://cebuned.vdhdn.nl/.well-known/acme-challenge/…

Tomcat logs access to my site but the logs do not show attempts from Let’s Encrypt to access my web site.

I changed my internet provider a month ago and therefore my ipv4 adress changed.
Could it be that Let’s Encrypt uses my old ipv4 adress.

Any suggestions ?

My domain is: Cebuned.vdhdn.nl

I ran this command:
certbot certonly --standalone -d cebuned.vdhdn.nl
certbot certonly -d cebuned.vdhdn.nl
certbot --standalone renew
certbot certonly --manual

It produced this output:
Timeout during connect (likely firewall problem)

My web server is (include version):
Tomcat version 8.5.43

The operating system my web server runs on is (include version):
Linux 5.6.11-arch1-1

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot version 1.4.0

rg305 · May 14, 2020, 9:26pm

I have a “potential” workaround
[if we can call it that]
But it has some “challenges”…
Hurdle number one:
Figure out where the document root is for your Tomcat installation, then you could use it this way:
certbot certonly --webroot -w /that/tomcat/root/path
to get a cert.
Hurdle number two:
Figure out where to use the cert in your Tomcat installation.

I have never had much luck with Tomcat.
I would sooner throw an NGINX proxy in front of it and call it a day than try to beat it into submission.
But who knows… you might be smarter/luckier/younger/taller/richer/leaner/better looking than me OR just happen to know someone who is just enough of whatever it takes to make this all work in Tomcat.
If you do happen to get it to work in Tomcat, please share your pixie dust findings so that others may benefit from it.

I probably emphasized too much there and may have inadvertently made those hurdles seem insurmountable - they are not. Whatever my history with Tomcat should not cause you to stray from your intended path. Do stick with it; I’m sure it can be done.

Cheers from Miami

Harm-Jan · May 15, 2020, 7:56pm

Hi rg,

Thank you for your suggestions.

Of course I know the document root.
/home/tomcat/webapps/ROOT

‘certbot certonly’ asks at startup if you want to use ‘standalone’ or ‘webroot’ unfortunately both fail.

In Tomcat you need to set (temporarily) listings to true and allow directory listing access to directory
(/home/tomcat/webapps/ROOT)/.well-known

The Let’s Encrypt certificate needs to be converted to p12 and set in a tls connector in the Tomcat server.xml.

That is in short how you can do it within Tomcat.

In the renewal process certbot places a file in directory '/home/tomcat/webapps/ROOT/.well-known/acme-challenge/file-name
That file is to be read by letsencrypt to validate the certificate renewal request as
http://cebuned.vdhdn.nl/.well-known/acme-challenge/file-name

But judging the Tomcat access logs Let’s Encrypt does not try to read that file or any other url on my web site.

Hope you or anyone else has a suggestion.

Cheers from the Netherlands

rg305 · May 15, 2020, 8:58pm

I don’t understand.
If you place a file in the challenge folder, is it accessible from the Internet?

Harm-Jan · May 16, 2020, 6:16pm

Yes it is accessible from the internet.

rg305 · May 17, 2020, 3:03am

OK then can you show a --verbose detail log of a failed attempt?

Harm-Jan · May 17, 2020, 5:42am

Command executed 17 may 7.30 am:

(Attachment letsencrypt.log is missing)

localhost_access_log.2020-05-17.txt (960 Bytes)

Harm-Jan · May 17, 2020, 5:44am

Command executed 17 may 7.30 am:

localhost_access_log.2020-05-17.txt (960 Bytes)

letsencrypt.log.txt (25.1 KB)

rg305 · May 17, 2020, 10:37am

From the LE log file:

Domain: cebuned.vdhdn.nl
Type:   connection
Detail: Fetching http://cebuned.vdhdn.nl/.well-known/acme-challenge/WKyZj79xh0wTqA8NfrJzrpaYjiQnETLjL1ffaRxQfdk: Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

rg305 · May 17, 2020, 10:40am

Port 80 (HTTP) needs to reach your system.
Make sure there are no firewalls blocking this access.

Harm-Jan · May 17, 2020, 6:12pm

Port 80 is accessible and if I monitor the challenge folder from a browser I see the file appear and a little later disappear again.

Also the Tomcat access log does not show any access attempts.

Help !

rg305 · May 17, 2020, 6:18pm

Not from where I’m sitting:

curl http://cebuned.vdhdn.nl/
curl: (7) Failed to connect to cebuned.vdhdn.nl port 80: Connection timed out

What is the URL you used to see that?

Maybe it is also running another web server.

Harm-Jan · May 17, 2020, 6:40pm

You’re right port 80 is not accessible.

That explains a lot !

I am going to check the router and let you know.

Cheers !

Harm-Jan · May 18, 2020, 1:58pm

Hi RG,

I managed to renew my certificate.

Turned out that the router blocked port 80.

Thank you for your help !

system · June 17, 2020, 1:59pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.