Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for jira.ciwise.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/jira.ciwise.com.conf produced an unexpected error: Failed authorization procedure. jira.ciwise.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested e8650064534f736fc103115f69e49c63.c5dfa3a30f5819bf111c254ace4e6a3e.acme.invalid from 107.170.14.62:443. Received 2 certificate(s), first certificate had names "jira.ciwise.com". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jira.ciwise.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: jira.ciwise.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
e8650064534f736fc103115f69e49c63.c5dfa3a30f5819bf111c254ace4e6a3e.acme.invalid
from 107.170.14.62:443. Received 2 certificate(s), first
certificate had names "jira.ciwise.com"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
root@ciwise-3:~#
My web server is (include version): Tomcat embedded with JIRA
The operating system my web server runs on is (include version): Debian 8
My hosting provider, if applicable, is: Digital Ocean
I can login to a root shell on my machine (yes or no, or I don’t know): ssh root@jira.ciwise.com
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
Can you tell me which Certbot authenticator plugin you’re using? It will be listed in the file /etc/letsencrypt/renewal/jira.ciwise.com.conf under the authenticator field.
The reason for this error is that Certbot is trying to configure your web server with a custom certificate in order to prove to the certificate authority that you (still) control this domain name. However, Certbot failed to reconfigure your web server. This is not very surprising because we don’t have a plugin that integrates with Tomcat or that could reconfigure Tomcat in this way, but when you originally got the certificate there was something in place that we could reconfigure, which was either Apache, Nginx, or the “standalone” method.
If it was the “standalone” method, it can still work for renewals, but you’ll need to very briefly stop Tomcat and then restart it at the end of the renewal, because the standalone web server would need to take over port 443 during the renewal authentication process. (We have --pre-hook and --post-hook options which can be used to run scripts to do this kind of thing if that turns out to be what you need.)
Schoen, I have "standalone". I haven't had any issue with my Confluence (Tomcat too), and with that one I run the same renew command, then I have to make a PKCS12 combination cert and move it to the directory in the server config. I tried the same here and it failed. I remember something being a little different for this but I can't remember. I do, however, use the PKCS12 that I created from the Let's Encrypt cert in a server config directory, just like my Confluence instance. I'll stop JIRA and try what you said. I'll be back with a confirmation. Thanks! David
I stopped JIRA and re-ran the process. It failed with connection refused and rightfully so. When Tomcat is down, there is no listener on 8443 or 443. I’m stumped now. Where do I go from here? What’s weird is that I have another server VM for Confluence, I renew and then I make the file type that I need. I place that newly created file in the same place every time and this renewal goes fine.
I’m adding a note here. I am going to check the port on my other Atlassian installation (Confluence). I bet the server config uses 443 instead of 8443 like JIRA. At least that’s my guess at this point.
When you’re using standalone, Certbot itself should create the port 443 listener (very briefly!) during the renewal process. If you don’t see that happening, could you post your Certbot log from /var/log/letsencrypt corresponding to the renewal attempt?
Seth, I deleted /etc/letsencrypt and created a standalone cert with "-d jira.ciwise.com" and it worked as it should. I then found that a PREROUTING rule to 8443 existed in iptables on this server and not on my working one. I flushed that rule and set my connector up to route to 443 just like the other server, and now I can't recognize HTTPS. Thanks for your help. I took note of the /var/log directory and will check that as I move through this. For some reason JIRA's Tomcat integration is a little different than Confluence. I don't know why, but I'll figure it out soon I think. Thanks again.
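The thread above describes three separate pieces: the pre-hook/post-hook stop-and-start around a standalone renewal (Schoen's reply), the PKCS12 keystore the poster rebuilds for Tomcat after each renewal, and the iptables nat PREROUTING rule that was redirecting port 443 to 8443. That redirect is consistent with both failures in the thread: with JIRA running, the CA's connection to 443 was bounced to Tomcat, which answered with the jira.ciwise.com cert instead of the acme.invalid challenge cert; with JIRA stopped, nothing listened on 8443 and the connection was refused. The script below is an added example written for this page, not code from the thread or from Certbot; the JIRA service name, keystore path, keystore password and script path are assumptions. One caveat a practitioner should know: the tls-sni-01 challenge in the log has since been retired by Let's Encrypt, and Certbot's standalone plugin now answers http-01 on port 80 instead, so the port the pre-hook must free is 80 unless Tomcat is also bound there.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): renew a standalone-authenticated
# Let's Encrypt cert on a host where Tomcat (JIRA) owns the HTTPS port,
# then rebuild the PKCS12 keystore Tomcat reads.
# DOMAIN comes from the thread; everything else below is an assumed default.
set -euo pipefail

DOMAIN="${DOMAIN:-jira.ciwise.com}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"      # certbot's live dir
KEYSTORE="${KEYSTORE:-/opt/atlassian/jira/conf/jira.p12}"   # assumed path
STORE_PASS="${STORE_PASS:-changeit}"                        # assumed; use a real secret
SERVICE="${SERVICE:-jira}"                                  # assumed systemd unit
SCRIPT="${SCRIPT:-/usr/local/sbin/jira-cert-renew.sh}"      # assumed install path

# Reads `iptables -t nat -S PREROUTING` output on stdin and returns 0 if any
# rule redirects inbound 443 elsewhere (the thread's 443 -> 8443 redirect).
# Such a rule sends the CA's validation connection to Tomcat, not to certbot.
has_443_redirect() {
  grep -Eq -e '-A PREROUTING .*--dport 443 .*-j (REDIRECT|DNAT)'
}

# Build the PKCS12 Tomcat needs from certbot's PEM files.
# $1 = dir holding privkey.pem and fullchain.pem, $2 = output .p12, $3 = password
# fullchain.pem carries leaf + intermediate(s); openssl includes every cert it finds.
pkcs12_from_pem() {
  local dir="$1" out="$2" pass="$3"
  openssl pkcs12 -export \
    -inkey "$dir/privkey.pem" -in "$dir/fullchain.pem" \
    -name tomcat -out "$out" -passout "pass:$pass"
  chmod 600 "$out"           # keystore holds the private key
}

# Count certificates stored in a PKCS12 (sanity check after conversion).
# $1 = .p12 file, $2 = password
pkcs12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# The renewal command: standalone needs the challenge port free, so Tomcat is
# stopped in the pre-hook; the post-hook rebuilds the keystore and starts it
# again. Printed rather than executed so this file is safe to source.
renew_command() {
  printf '%s' "certbot renew --standalone \
--pre-hook 'systemctl stop $SERVICE' \
--post-hook '$SCRIPT install-keystore && systemctl start $SERVICE'"
}

case "${1:-}" in
  install-keystore) pkcs12_from_pem "$LIVE_DIR" "$KEYSTORE" "$STORE_PASS" ;;
  check-nat)
    if iptables -t nat -S PREROUTING | has_443_redirect; then
      echo "443 is redirected in the nat table; remove that rule before a standalone renewal"
    fi ;;
  show-renew) renew_command; echo ;;
  *) : ;;   # no-op when sourced or run without an argument
esac
```

Run `show-renew` to see the exact certbot invocation, `check-nat` before the first renewal on a new host, and point the post-hook at `install-keystore`. The post-hook runs even when no certificate was renewed, which is harmless here since the keystore is rebuilt from the current live files; Certbot's `--deploy-hook` runs only after a successful renewal if you prefer that.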