“Failed to connect to …: Network is unreachable” Trying other mirror.
We fixed the networking and the cert generation process moved forward, but it produced an error, as in the output:
[root@vassar projects]# sudo /opt/certbot/certbot-auto certonly --webroot -w /opt/apache-tomcat-9.0.6/conf/Catalina/domain.com/ROOT/ -d domain.com -d www.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for www.domain.com
Using the webroot path /opt/apache-tomcat-9.0.6/conf/Catalina/domain.com/ROOT for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.com/.well-known/acme-challenge/qPnOqPQ-uFjM-08pCMPfRcr8FDchVYsWnwax9buFCoo: "
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I manually created the directory .well-known/acme-challenge/ under the website’s folder: /opt/apache-tomcat-9.0.6/conf/Catalina/domain.com/ROOT/
but when I run the above command
sudo /opt/certbot/certbot-auto certonly --webroot -w /opt/apache-tomcat-9.0.6/conf/Catalina/domain.com/ROOT/ -d domain.com -d www.domain.com
a similar output is produced, but with a different file name under
.well-known/acme-challenge/
The authorization token changes on each issuance and renewal. If you want to manually add it to your WAR files, you will need to use certbot’s manual mode instead:
But you will be unable to achieve automatic renewal this way. To be able to do that, you need to configure Tomcat to unpack your WAR files so there’s a directory for certbot to use as a webroot.
To help you achieve this, I need to know whether you have just configured a new appBase for your virtual hosts or if the war file is referenced explicitly in context.xml. If you’re not sure please share your server.xml and all your context.xml files.
EDIT: I noticed your post was missing stuff because the forum software interpreted the XML as being HTML. I fixed the formatting now and I see it answers this question. I’ll fill in the rest in another reply shortly.
To configure Tomcat to unpack your WAR files so there’s a directory for certbot to use as a webroot, you need to add unpackWARs="true" to each <Host> entry in your server.xml file, e.g.:
Then the next time you restart Tomcat, it will automatically unzip the WAR file into a ROOT directory for you, and you will be able to use those ROOT directories as webroots with certbot.
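The two replies above describe what certbot's webroot authenticator does (drop a fresh random token under `.well-known/acme-challenge/` on every run) and what the ACME server then does (fetch that path over plain HTTP on port 80 and compare the body). The following is an added example, not certbot's or Tomcat's own code: it rehearses that exchange offline with a throwaway local HTTP server in place of the real domain, so you can see why a hand-created `acme-challenge/` directory cannot help, and it reproduces the "unauthorized :: Invalid response" failure by serving a directory other than the one the token is written to, which is what happens when Tomcat serves a packed WAR instead of an unpacked ROOT directory. The directory names and the stand-in for the account-key thumbprint are assumptions.

```python
"""Offline rehearsal of the ACME http-01 webroot flow (added example, not certbot code)."""
import functools
import http.server
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server for the webroot; silences the per-request access log."""

    def log_message(self, format, *args):  # signature fixed by the base class
        pass


def write_challenge(webroot):
    """Like certbot --webroot: a new token and key authorization on every run.

    The real key authorization is token + '.' + JWK thumbprint of the ACME
    account key; here a second random string stands in for the thumbprint
    (assumption, so the example runs without an account key).
    """
    token = secrets.token_urlsafe(32)
    key_authz = token + "." + secrets.token_urlsafe(32)
    challenge_dir = Path(webroot) / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    (challenge_dir / token).write_text(key_authz)
    return token, key_authz


def validate_http01(served_dir, token, expected):
    """Like the ACME server: GET /.well-known/acme-challenge/<token> and compare the body.

    A local ephemeral port stands in for port 80 on the domain's A/AAAA address.
    """
    handler = functools.partial(QuietHandler, directory=str(served_dir))
    with socketserver.TCPServer(("127.0.0.1", 0), handler) as httpd:  # port 0 = ephemeral
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
        port = httpd.server_address[1]
        url = f"http://127.0.0.1:{port}/.well-known/acme-challenge/{token}"
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                body = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError:
            body = None  # 404: the served tree is not the directory certbot wrote into
        finally:
            httpd.shutdown()
    return body == expected


def simulate(misconfigured):
    """Run one issuance attempt.

    misconfigured=False: Tomcat serves the same unpacked ROOT directory certbot -w points at.
    misconfigured=True:  Tomcat serves something else (e.g. the packed WAR's tree), which is
                         the "Invalid response" failure from the thread.
    """
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "ROOT"        # constructed: what -w points at
        other = Path(tmp) / "packed-war"    # constructed: what is actually served
        webroot.mkdir()
        other.mkdir()
        token, expected = write_challenge(webroot)
        return validate_http01(other if misconfigured else webroot, token, expected)


if __name__ == "__main__":
    print("served dir == webroot:", simulate(misconfigured=False))
    print("served dir != webroot:", simulate(misconfigured=True))
```

Run it twice and compare the file names left under `.well-known/acme-challenge/`: they differ every time, which is why pre-creating a token file in a WAR can never satisfy the validator. Against a real host, the equivalent pre-flight check is to write a test file into the webroot and fetch `http://domain.com/.well-known/acme-challenge/<name>` from outside the server; only port 80 is needed for http-01, port 443 plays no part in validation.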
…
Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
…
I’m getting an error in the catalina.2018-06-18.log file
18-Jun-2018 04:31:59.005 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11AprProtocol-8443]]
org.apache.catalina.LifecycleException: The configured protocol [org.apache.coyote.http11.Http11AprProtocol] requires the APR/native library which is not available
at org.apache.catalina.connector.Connector.initInternal(Connector.java:917)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Please excuse me if this question is meant for the Tomcat forum.
Tomcat can use either the built-in Java SSL/TLS implementation (JSSE) or OpenSSL via the tomcat-native (APR) adapter for better performance.
You followed the instructions for the tomcat-native/APR implementation but don't actually have it installed. Install tomcat-native from your distribution's package manager or from source and you should be able to use it.
If you'd like to use the built-in JSSE implementation instead, I provided a configuration sample and instructions in an earlier thread:
Thanks for your help. I generated the PFX file using the above method and implemented the configuration sample in server.xml. Now I’m not getting any error messages in the catalina.out log file, but my domain is not encrypted (i.e. https is not shown in the browser address bar) when I try http://yourdomain.com in the address bar.
Accessing https://yourdomain.com gives this message in the browser: ERR_CONNECTION_REFUSED
Am I missing any other configuration in server.xml or elsewhere? Please help.
Check what ports are permitted on the server's firewall
Check that you're actually listening on port 443 for its HTTPS connector. If your config file still looks like this, Tomcat would be listening on port 8443 for HTTPS:
You may also run into problems binding to port 443 as a non-privileged user, but you can Google for solutions to that.
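The replies above touch two server.xml settings without showing them: the `unpackWARs="true"` Host entry (so there is an unpacked ROOT directory for `certbot --webroot`) and a JSSE HTTPS connector that really listens on 443 rather than 8443. The fragment below is an added example and not the configuration sample linked in the earlier thread; the appBase (taken from the webroot path in the question), the PKCS#12 file location, its export password and the `/etc/letsencrypt/live/domain.com/` paths are assumptions.

```xml
<!-- Added example server.xml fragment (not the sample linked in the reply). -->

<!-- 1. Unpack WARs so certbot has a directory to write the http-01 token into.
        appBase is assumed from the webroot used in the question:
        /opt/apache-tomcat-9.0.6/conf/Catalina/domain.com/ROOT  -->
<Host name="domain.com" appBase="conf/Catalina/domain.com"
      unpackWARs="true" autoDeploy="true">
    <Alias>www.domain.com</Alias>
</Host>

<!-- 2. Plain HTTP on 80: needed for the http-01 challenge; redirectPort only
        applies to security-constraint redirects. -->
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>

<!-- 3. HTTPS on 443 with the built-in JSSE implementation (no tomcat-native/APR).
        Assumed keystore built from the Let's Encrypt PEMs, e.g.
          openssl pkcs12 -export \
            -in    /etc/letsencrypt/live/domain.com/fullchain.pem \
            -inkey /etc/letsencrypt/live/domain.com/privkey.pem \
            -out   /opt/apache-tomcat-9.0.6/conf/domain.com.pfx
        TLSv1.3 in the protocols list needs Java 11 or later. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" maxThreads="150">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeystoreFile="/opt/apache-tomcat-9.0.6/conf/domain.com.pfx"
                     certificateKeystorePassword="changeit"
                     certificateKeystoreType="PKCS12"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>
```

After restarting, confirm the listener with `ss -ltnp | grep ':443'` on the server itself before blaming the config: if nothing is bound, Tomcat either failed to start the connector (check catalina.out) or could not bind 443 as an unprivileged user, which is commonly solved by granting the Java binary `cap_net_bind_service` with `setcap`, by authbind, or by keeping 8443 and redirecting 443 to it in the host firewall. If the port is bound locally but unreachable from outside, the block is upstream (host firewall, security group or the provider), and no server.xml change will fix it. Note that the PFX contains the private key, so the file and the password in server.xml should be readable only by the Tomcat user, and the PFX must be regenerated after every certbot renewal.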
Thanks. The Connector is configured to use port="443" in server.xml, but I checked my ISP’s interface for enabling ports: they don’t allow port 443, they only allow ports 80 and 25.