Cert is not being created - when using certbot-auto certonly ... the process stops at yum is /usr/bin/yum

encryptuser · June 16, 2018, 10:17pm

Hi,

My domain is: KnitCrochetYarn.com
I have 2 more domains but I’m trying to make one of them https at the moment.

I ran this command:

[root@vassar 01KnitCrochetYarn]#
sudo /opt/certbot/certbot-auto certonly --webroot -w /opt/projects/01KnitCrochetYarn -d knitcrochetyarn.com -d www.knitcrochetyarn.com

It produced this output:

Bootstrapping dependencies for RedHat-based OSes that will use Python3… (you can skip this with --no-bootstrap)
yum is /usr/bin/yum

My web server is (include version):

Apache Tomcat 9.0.6

The operating system my web server runs on is (include version):

CentOS release 6.9

My hosting provider, if applicable, is:

A standalone machine that I have access to.

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

I followed the instructions give here

The output stops at this line
yum is /usr/bin/yum …

I press Ctrl Z to stop the process

I don’t know why the cert is not being created

I appreciate any help.

Thanks

_az · June 16, 2018, 10:49pm

Are you sure you didn't accidentally suspend a process that might be holding onto a yum lock:

jobs

Check that you don't have any hung yum processes as well:

pgrep yum

and that it's functioning correctly:

yum check-update

encryptuser · June 17, 2018, 2:50pm

Hi,

Thanks for your response…

I was getting this error with yum check-update.

“Failed to connect to …: Network is unreachable” Trying other mirror.

We fixed the networking and the cert generation process moved forward but, produced an error
as in the output :

[root@vassar projects]# sudo /opt/certbot/certbot-auto certonly --webroot -w /opt/apache-tomcat-9.0.6/conf/Catalina/domain.com/ROOT/ -d domain.com -d www.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for www.domain.com
Using the webroot path /opt/apache-tomcat-9.0.6/conf/Catalina/domain.com/ROOT for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.com/.well-known/acme-challenge/qPnOqPQ-uFjM-08pCMPfRcr8FDchVYsWnwax9buFCoo: "

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: www.domain.com
Type: unauthorized
Detail: Invalid response from
http://www.domain.com/.well-known/acme-challenge/qPnOqPQ-uFjM-08pCMPfRcr8FDchVYsWnwax9buFCoo:
"
<meta
name=“viewport” content=“width=device-width, initial-scale=1, user”

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

I manually created this directory .well-known/acme-challenge/ under the website’s folder: /opt/apache-tomcat-9.0.6/conf/Catalina/domain.com/ROOT/

but when I run the above
sudo /opt/certbot/certbot-auto certonly --webroot -w /opt/apache-tomcat-9.0.6/conf/Catalina/domain.com/ROOT/ -d domain.com -d www.domain.com

a similar output is produced but with a different file name under
.well-known/acme-challenge/

Please help.

Patches · June 17, 2018, 3:16pm

Your webroot is probably supposed to be

/opt/apache-tomcat-9.0.6/webapps/ROOT

The conf directory usually contains configuration files and is not publicly shared on the Internet.

encryptuser · June 17, 2018, 6:00pm

Thanks for your reply.

This webroot /opt/apache-tomcat-9.0.6/webapps/ROOT works for only one web application

I’m hosting 3 web applications and each web application has its own ROOT.war file

The respective ROOT.war files are placed in their directories

/opt/projects/01WebProject/

/opt/project/02WebProject/

/opt/project/03WebProject/

The server.xml file (located in /opt/apache-tomcat-9.0.6/conf ) has the location for each host’s ROOT.xml configuration file

<Host name="www.domain.com" appBase="conf/Catalina/www.domain.com" autoDeploy="false"></Host>
<Host name="domain.com" appBase="conf/Catalina/domain.com" autoDeploy="false"></Host>

…

The ROOT.xml file has

<Context docBase="/opt/projects/01WebProject/ROOT.war" reloadable="true">
</Context>

/etc/hosts file has
ip_address domain.com www.domain.com example1.com www.example1.com example2.com www.example2.com

I tried to package this directory structure and file .well-known/acme-challenge/xZ-1Cm90GjC5AWkSs4pT913xgaDK_MXTLDsnvn_U65Y: into the ROOT.war

but sudo /opt/certbot/certbot-auto certonly --webroot -w /opt/projects/01WebProject -d domain.com -d www.domain.com will create a new file

JuergenAuer · June 17, 2018, 6:33pm

Put a file sample.txt under /.well-known/acme-challenge/

So you can check it:

http://www.knitcrochetyarn.com/.well-known/acme-challenge/sample.txt

Patches · June 17, 2018, 7:41pm

The authorization token changes on each issuance and renewal. If you want to manually add it to your WAR files, you will need to use certbot’s manual mode instead:

certbot certonly --manual --preferred-challenges http -d knitcrochetyarn.com -d www.knitcrochetyarn.com

But you will be unable to achieve automatic renewal this way. To be able to do that, you need to configure Tomcat to unpack your WAR files so there’s a directory for certbot to use as a webroot.

To help you achieve this, I need to know whether you have just configured a new appBase for your virtual hosts or if the war file is referenced explicitly in context.xml. If you’re not sure please share your server.xml and all your context.xml files.

EDIT: I noticed your post was missing stuff because the forum software interpreted the XML as being HTML. I fixed the formatting now and I see it answers this question. I’ll fill in the rest in another reply shortly.

Patches · June 17, 2018, 7:58pm

To configure Tomcat to unpack your WAR files so there’s a directory for certbot to use as a webroot, you need to add unpackWARs="true" to each <Host> entry in your server.xml file, e.g.:

<Host name="knitcrochetyarn.com" appBase="conf/Catalina/knitcrochetyarn.com" autoDeploy="false" unpackWARs="true"></Host>

Then the next time you restart tomcat, it will automatically unzip the WAR file into a ROOT directory for you, and you will be able to use these ROOT directories as webroots with certbot.

encryptuser · June 18, 2018, 6:12pm

Thanks a lot for your replies.

The files were generated when I tried

sudo /opt/certbot/certbot-auto certonly --webroot -w /opt/projects/01WebProject/ROOT/ -d domain.com -d www.domain.com

…
Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
…

I’m trying to configure Tomcat 9.0.6’s server.xml as per the instructions here
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

Please let me know if the following is correct:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.com/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/domain.com/fullchain.pem"
                     certificateChainFile="/etc/letsencrypt/live/domain.com/fullchain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

I’m getting an error in the catalina.2018-06-18.log file

18-Jun-2018 04:31:59.005 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11AprProtocol-8443]]
org.apache.catalina.LifecycleException: The configured protocol [org.apache.coyote.http11.Http11AprProtocol] requires the APR/native library which is not available
at org.apache.catalina.connector.Connector.initInternal(Connector.java:917)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)

Please excuse me if this question is meant for the Tomcat forum.

Patches · June 18, 2018, 6:52pm

Tomcat can use either the built-in Java SSL/TLS capability (JSSE), or use OpenSSL via their tomcat-native adapter (APR) for enhanced performance.

You followed the instructions for the tomcat-native/APR implementation, but don't actually have it installed. Install tomcat-native from your distribution's package manager or from source and you should be able to use it.

If you'd like to use the built-in JSSE implementation instead, I provided a configuration sample and instructions in an earlier thread:

encryptuser · June 19, 2018, 12:24am

Thanks for your help. I generated the PFX file using the above method and implemented the configuration sample in server.xml , now I’m not getting any error messages in catalina.out log file but, my domain is not encrypted ( i.e. not showing https in the browser address bar) when I try http://yourdomain.com in the address bar ,

Accessing this https://yourdomain.com gives this message in the browser ERR_CONNECTION_REFUSED

Am I missing any other configuration in server.xml or elsewhere? Please help.

_az · June 19, 2018, 12:29am

Two things to look at.

Check what ports are permitted on the server's firewall
Check that you're actually listening on port 443 for its HTTPS connector. If your config file still looks like this, Tomcat would be listening on port 8443 for HTTPS:

You may also run into problems binding to port 443 as a non-privileged user, but you can Google for solutions to that.

encryptuser · June 19, 2018, 1:49am

Thanks. The Connector is configured to use port=“443” in server.xml but, I checked my ISP’s interface for enabling ports. They don’t allow port 443, they only allow port 80 and 25

_az · June 19, 2018, 1:53am

I think you might have misinterpreted things. Optimum Online block 25 and 80 by default, which is why the interface is required to unblock them.

Port 443 should not be blocked at all - it is more likely your server is dropping the traffic or you have not forwarded port 443 on your router.

ss -tlnp
firewall-cmd --list-all
iptables -L -n

encryptuser · June 19, 2018, 5:05am

Sorry, my n/w admin opened the firewall for port 443. Now https works. A huge thanks for the help.

system · July 19, 2018, 5:06am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.