Can't Renew my JIRA (Tomcat) cert

Please fill out the fields below so we can help you better.

My domain is: jira.ciwise.com

I ran this command: ./certbot-auto renew

It produced this output: root@ciwise-3:~# sudo ./certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/jira.ciwise.com.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for jira.ciwise.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/jira.ciwise.com.conf produced an unexpected error: Failed authorization procedure. jira.ciwise.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested e8650064534f736fc103115f69e49c63.c5dfa3a30f5819bf111c254ace4e6a3e.acme.invalid from 107.170.14.62:443. Received 2 certificate(s), first certificate had names “jira.ciwise.com”. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jira.ciwise.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: jira.ciwise.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    e8650064534f736fc103115f69e49c63.c5dfa3a30f5819bf111c254ace4e6a3e.acme.invalid
    from 107.170.14.62:443. Received 2 certificate(s), first
    certificate had names “jira.ciwise.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
    root@ciwise-3:~#

My web server is (include version): Tomcat embedded with JIRA

The operating system my web server runs on is (include version): Debian 8

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): ssh root@jira.ciwise.com

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Hi @dlwhitehurst,

Can you tell me which Certbot authenticator plugin you’re using? It will be listed in the file /etc/letsencrypt/renewal/jira.ciwise.com.conf under the authenticator field.

The reason for this error is that Certbot is trying to configure your web server with a custom certificate in order to prove to the certificate authority that you (still) control this domain name. However, Certbot failed to reconfigure your web server. This is not very surprising because we don’t have a plugin that integrates with Tomcat or that could reconfigure Tomcat in this way, but when you originally got the certificate there was something in place that we could reconfigure, which was either Apache, Nginx, or the “standalone” method.

If it was the “standalone” method, it can still work for renewals, but you’ll need to very briefly stop Tomcat and then restart it at the end of the renewal, because the standalone web server would need to take over port 443 during the renewal authentication process. (We have --pre-hook and --post-hook options which can be used to run scripts to do this kind of thing if that turns out to be what you need.)

Schoen, I have “standalone”. I haven’t had any issue with my Confluence (Tomcat too) and with that one, I run the same renew command and then I have to make a PKCS12 combination cert and then move it to the directory in the server config. I tried the same here and it failed. I remember something being a little different for this but I can’t remember. I do, however, use the PKCS12 that I created from the Let’s Encrypt in a server config directory just like my Confluence instance. I’ll stop JIRA and try what you said. I’ll be back with a confirmation. Thanks! David

I stopped JIRA and re-ran the process. It failed with connection refused and rightfully so. When Tomcat is down, there is no listener on 8443 or 443. I’m stumped now. Where do I go from here? What’s weird is that I have another server VM for Confluence, I renew and then I make the file type that I need. I place that newly created file in the same place every time and this renewal goes fine.

I’m adding a note here. I am going to check the port on my other Atlassian installation (Confluence). I bet the server config uses 443 instead of 8443 like JIRA. At least that’s my guess at this point.

Sure did use 443 instead of 8443 like this problem.

<Connector port="443"
maxHttpHeaderSize="8192"
maxThreads="150"
SSLEnabled="true"
scheme="https"
minSpareThreads="25"
protocol="org.apache.coyote.http11.Http11NioProtocol"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
secure="true"
clientAuth="false"
keystoreFile="/etc/letsencrypt/live/confluence.ciwise.com/fullchain_and_key.p12"
keystoreType="PKCS12"
/>

When you're using standalone, Certbot itself should create the port 443 listener (very briefly!) during the renewal process. If you don't see that happening, could you post your Certbot log from /var/log/letsencrypt corresponding to the renewal attempt?

I think you can also run ./certbot-auto renew -v to see a little more information about what it’s trying to do.

Seth, I deleted /etc/letsencrypt and created a standalone with “-d jira.ciwise.com” and it worked as it should. I then found that PREROUTING to 8443 existed in iptables on this server and not on my working one. I flushed that rule and set my connector up to route to 443 just like the other server and now I can’t recognize HTTPS. Thanks for your help. I took note of the /var/log directory and will check that as I move through this. For some reason JIRA’s Tomcat integration is a little different than Confluence. I don’t know why but I’ll figure it out soon I think. Thanks again.

hi @dlwhitehurst

There have been a couple of discussions on Jira/Tomcat and Let's Encrypt.

Both of your servers seem to be listening on 8443 and 443, so if you are going to use standalone you should use a hook to stop Tomcat and restart Tomcat.

Andrei
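Putting Schoen's --pre-hook/--post-hook suggestion and Andrei's hook advice together, here is an added example script (not from the thread, and not Certbot's or Atlassian's code): it stops JIRA so the standalone authenticator can bind the port, rebuilds the PKCS12 keystore David describes from the renewed fullchain.pem and privkey.pem, verifies it opens with the password Tomcat will use, and starts JIRA again. It assumes JIRA is controlled by /etc/init.d/jira, that the script is installed as /usr/local/sbin/jira-cert-renew.sh, and that the keystore password comes from P12_PASS; none of those come from the thread.

```shell
#!/bin/sh
# Added example for Certbot standalone renewal behind a Tomcat-hosted JIRA.
# Assumed (not from the thread): /etc/init.d/jira controls JIRA, this file
# lives at /usr/local/sbin/jira-cert-renew.sh, and the Tomcat <Connector>
# keystoreFile points at $P12_OUT with password $P12_PASS.
set -eu

DOMAIN="${DOMAIN:-jira.ciwise.com}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"
P12_OUT="${P12_OUT:-$LIVE_DIR/fullchain_and_key.p12}"
P12_PASS="${P12_PASS:-changeit}"   # placeholder; supply a real secret
SELF="${SELF:-/usr/local/sbin/jira-cert-renew.sh}"   # assumed install path

# Bundle the renewed chain and private key into the PKCS12 keystore that the
# Tomcat connector reads. "tomcat" is the entry alias (keyAlias in server.xml
# if the keystore ever holds more than one entry).
make_pkcs12() {
    live="$1"; out="$2"; pass="$3"
    openssl pkcs12 -export \
        -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
        -name tomcat -out "$out" -passout "pass:$pass"
    chmod 640 "$out"   # private key material: never world-readable
}

# Check the keystore MAC with the password Tomcat will use, so a bad export
# or a password mismatch is caught before JIRA is restarted on it.
# Returns non-zero when the password is wrong or the file is damaged.
verify_pkcs12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout 2>/dev/null
}

# Standalone must own the challenge port, so JIRA is stopped first and
# started last; the deploy hook only runs when a certificate was actually
# renewed. (tls-sni-01 from the thread has since been retired; standalone
# now answers http-01 on port 80, so that port must be free as well.)
renew_with_hooks() {
    /root/certbot-auto renew --non-interactive \
        --pre-hook "/etc/init.d/jira stop" \
        --deploy-hook "$SELF deploy" \
        --post-hook "/etc/init.d/jira start"
}

case "${1:-}" in
    renew)  renew_with_hooks ;;
    deploy) make_pkcs12 "$LIVE_DIR" "$P12_OUT" "$P12_PASS"
            verify_pkcs12 "$P12_OUT" "$P12_PASS" ;;
esac
```

Run it as `jira-cert-renew.sh renew` from cron in place of a bare `certbot-auto renew`; Certbot calls it back with `deploy` only after a successful renewal.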
