Cannot renew certificate

I have been trying to renew my Let’s Encrypt certificate.

All my attempts are rejected.

Below the technical details.

I am using Tomcat as webserver.

I think Let’s Encrypt wants to try to verify my site by accessing the url
http://cebuned.vdhdn.nl/.well-known/acme-challenge/

Tomcat logs access to my site but the logs do not show attempts from Let’s Encrypt to access my web site.

I changed my internet provider a month ago and therefore my IPv4 address changed.
Could it be that Let’s Encrypt uses my old IPv4 address?

Any suggestions?

My domain is: Cebuned.vdhdn.nl

I ran this command:
certbot certonly --standalone -d cebuned.vdhdn.nl
certbot certonly -d cebuned.vdhdn.nl
certbot --standalone renew
certbot certonly --manual

It produced this output:
Timeout during connect (likely firewall problem)

My web server is (include version):
Tomcat version 8.5.43

The operating system my web server runs on is (include version):
Linux 5.6.11-arch1-1

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot version 1.4.0


I have a “potential” workaround
[if we can call it that]
But it has some “challenges”…
Hurdle number one:
Figure out where the document root is for your Tomcat installation, then you could use it this way:
certbot certonly --webroot -w /that/tomcat/root/path
to get a cert.
Hurdle number two:
Figure out where to use the cert in your Tomcat installation.

I have never had much luck with Tomcat.
I would sooner throw an NGINX proxy in front of it and call it a day than try to beat it into submission.
But who knows… you might be smarter/luckier/younger/taller/richer/leaner/better looking than me OR just happen to know someone who is just enough of whatever it takes to make this all work in Tomcat.
If you do happen to get it to work in Tomcat, please share your pixie dust findings so that others may benefit from it.

I probably emphasized too much there and may have inadvertently made those hurdles seem insurmountable - they are not. Whatever my history with Tomcat should not cause you to stray from your intended path. Do stick with it; I’m sure it can be done.

Cheers from Miami :beers:


Hi rg,

Thank you for your suggestions.

Of course I know the document root.
/home/tomcat/webapps/ROOT

‘certbot certonly’ asks at startup if you want to use ‘standalone’ or ‘webroot’; unfortunately both fail.

In Tomcat you need to (temporarily) set listings to true and allow directory listing access to the directory
(/home/tomcat/webapps/ROOT)/.well-known

The Let’s Encrypt certificate needs to be converted to p12 and set in a tls connector in the Tomcat server.xml.

That is in short how you can do it within Tomcat.

In the renewal process certbot places a file in the directory /home/tomcat/webapps/ROOT/.well-known/acme-challenge/file-name
That file is to be read by Let’s Encrypt to validate the certificate renewal request as
http://cebuned.vdhdn.nl/.well-known/acme-challenge/file-name

But judging by the Tomcat access logs, Let’s Encrypt does not try to read that file or any other URL on my web site.

Hope you or anyone else has a suggestion.

Cheers from the Netherlands


I don't understand.
If you place a file in the challenge folder, is it accessible from the Internet?


Yes, it is accessible from the internet.


OK, then can you show a --verbose detailed log of a failed attempt?


Command executed 17 May 7:30 am:


From the LE log file:

Domain: cebuned.vdhdn.nl
Type:   connection
Detail: Fetching http://cebuned.vdhdn.nl/.well-known/acme-challenge/WKyZj79xh0wTqA8NfrJzrpaYjiQnETLjL1ffaRxQfdk: Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

Port 80 (HTTP) needs to reach your system.
Make sure there are no firewalls blocking this access.


Port 80 is accessible, and if I monitor the challenge folder from a browser I see the file appear and a little later disappear again.

Also, the Tomcat access log does not show any access attempts.

Help!

Not from where I'm sitting:

curl http://cebuned.vdhdn.nl/
curl: (7) Failed to connect to cebuned.vdhdn.nl port 80: Connection timed out

What is the URL you used to see that?

Maybe it is also running another web server.

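A scripted version of the check rg did by hand with curl, as an added example that is not part of this thread: it drops a random token into the webroot's .well-known/acme-challenge directory, fetches it over plain HTTP the way the HTTP-01 validation does, and reports whether port 80 is reachable, blocked, or answered by some other server. The domain, webroot path, optional expected IP and the fetch/resolve hooks are assumptions; run it from a host outside your own network, since hairpin NAT can make a blocked port look open from inside.

```python
import os
import secrets
import socket
import urllib.request


def write_challenge_token(webroot):
    """Drop a random token file where certbot --webroot would place its own.
    Returns (token, path); the caller removes the file afterwards."""
    token = secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def http_fetch(url, timeout=10):
    """Plain HTTP GET over port 80; returns the body, or an ERROR: string."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode()
    except OSError as exc:  # URLError, timeout and connection errors are all OSError
        return f"ERROR: {exc}"


def preflight(domain, webroot, expected_ip=None,
              fetch=http_fetch, resolve=socket.gethostbyname):
    """Mimic the HTTP-01 path: resolve the name, serve a token, fetch it back.
    expected_ip (hypothetical parameter) lets you catch a stale A record
    after an ISP change, as the original poster suspected."""
    report = {"domain": domain}
    try:
        report["a_record"] = resolve(domain)
    except OSError as exc:
        report.update(a_record=None, verdict=f"DNS lookup failed: {exc}")
        return report
    if expected_ip and report["a_record"] != expected_ip:
        report["verdict"] = f"A record {report['a_record']} != expected {expected_ip}"
        return report
    token, path = write_challenge_token(webroot)
    try:
        body = fetch(f"http://{domain}/.well-known/acme-challenge/{token}")
    finally:
        os.remove(path)  # never leave the self-test token lying around
    if body.strip() == token:
        report["verdict"] = "OK: token served on port 80"
    elif body.startswith("ERROR:"):
        report["verdict"] = "port 80 not reachable or blocked: " + body
    else:
        report["verdict"] = "wrong content on port 80 (other web server or wrong webroot?)"
    return report
```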

You’re right, port 80 is not accessible.

That explains a lot!

I am going to check the router and let you know.

Cheers!


Hi RG,

I managed to renew my certificate.

Turned out that the router blocked port 80.

Thank you for your help!
