Can't get certificate tomcat 9

Hello guys,

I'm stuck since 2 days to get my certificate on my tomcat9 / debian 11. I tried the test and it's ok on : Let's Debug

My server.xml connector && host :

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!--<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
    </Connector>-->
<Host name="solutionazotee.fr"  appBase="webapps/solutionazotee"
            unpackWARs="true" autoDeploy="true" deployOnStartup="true">
        <Alias>engraisfrance.fr</Alias>
        <Alias>www.solutionazotee.fr</Alias>
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="solutionazotee_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>

run with java 17, group & user tomcat:tomcat in /etc/systemd/system/tomcat.service, group & user tomcat:tomcat on /opt/tomcat/

Port 80/443 open with ufw

rules added to port forwarding 80 to 8080 & 443 to 8443 as follow :

Generated by iptables-save v1.8.7 on Mon Jan 3 13:12:08 2022

*nat
:PREROUTING ACCEPT [4005:155789]
:INPUT ACCEPT [2398:84444]
:OUTPUT ACCEPT [131:9671]
:POSTROUTING ACCEPT [135:9911]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

I am using a VPS without firewall

Thanks for your help

My domain is: solutionazotee.fr

I ran this command: certbot certonly --standalone -d solutionazotee.fr

It produced this output:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: solutionazotee.fr
Type: connection
Detail: Fetching http://solutionazotee.fr/.well-known/acme-challenge/rWRawisDYPrR_EQKwJK6t0aPKO9W8otI0QvGZuK0TQo: Connection refused

My web server is (include version): tomcat 9

The operating system my web server runs on is (include version): debian 11

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.22.0

I have NO idea exactly what you're doing, but I can see multiple (2) iptable rules mentioning port 443 and port 8080 instead of 8443.

Also, the standalone plugin by default listens on port 80. So maybe that's incompatible with your iptable rules.

2 Likes

It's because port 0-1024 or something like that are reserved for root, I can't just use port 80, that's why I redirect port 80 to 8080

You're redirecting to port 8080 and certbots standalone plugin listens on port 80. You need to configure certbot that it listens on port 8080 too. Or temporarily don't redirect from 80 to 8080. Choices choices.

2 Likes

How could I configure certbot to listen on port 8080 too? I maybe should do that for auto renewal.
Or configure tomcat to be executed by root instead of user tomcat:tomcat ? Isn't it a security issue?

Forget about change listen port on certbot, I just want a certificate, reseting all iptables rules, changing user/group to root, changing listen port 80 into virtualhost. I can curl my website in localhost but I have always this error

You can find the Certbot documentation here: User Guide — Certbot 1.22.0 documentation

I'm not familiair with Tomcat, but if it's good practice to NOT run Tomcat as root, I would just keep it running as a regular user and not as root.

2 Likes

I see some conflicting and repetetive entries:

1 Like

Hi, installed ubuntu server 20, always same problem.

I can't use 0-1024 ports, redirect 80 to 8080 has no effect to get the certificate. Just add 80 to 8080 PREROUTING & OUTPUT rules (to get http://solutionazotee.fr instead of http://solutionazotee.fr:8080).

Any ideas?

Guys, I got my certificate though DNS option, but now my website is inaccessible whith https, my connector :

 <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate
                certificateFile="conf/cert.pem"
                certificateKeyFile="conf/privkey.pem"
                certificateChainFile="conf/chain.pem"
            />
        </SSLHostConfig>
    </Connector>

Ok, now everything's ok. Good rules & good firewall & good server.xml and it makes the tricks

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.