Cert renewal for tomcat server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: my-example.com (sorry for not giving a real domain name due to policy)

I ran this command: sudo certbot certonly --standalone -d www.my-example.com

It produced this output: Two issues here,

  1. If I keep running the Tomcat server, then obviously port 80 is occupied and it will complain about it.

  2. If I stop the Tomcat server and run it, it will complain that the site is not reachable:
    Domain: www.my-example.com
    Type: connection
    Detail: Fetching
    Connection refused

Other commands like certbot certonly --force-renew -d my-example.com aren’t helping either.

The application is running on Spring and thus it is not easy to expose /.well-known in the context root.

My web server is (include version): NA. Instead, the application is running on Tomcat.

The operating system my web server runs on is (include version): debian-9-stretch-v20200309

My hosting provider, if applicable, is: GCE

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NA

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

I don’t recall how I obtained the certificate, but the cert was created using a CSR file and then imported back into a JKS, which is then configured in server.xml of tomcat/conf. I suspect that I might have run apache2 standalone in the past; this method might not be working, as even starting the apache service is not helping but causing other issues, such as the site being redirected to example.com.

This architecture might not be ideal, but is there any simple process where I can get the certificate based on a new CSR and re-import it into the keystore? It will be an overhead to do this manually every time, but I don’t know any other alternative options. Thanks and appreciate the help.


In this case, it might be better to use DNS-based validation.
If your company’s policy allows you to use a DNS API to update TXT records, that’s better. Or you can take a look at ACME-DNS, which only asks for the specific TXT record to be CNAMEd to the instance.


Thanks for the help. I was struggling a bit to understand the concept here, but now, with the help of another thread, it seems I am able to generate the certificate (PEM files).

sudo certbot certonly --webroot --webroot-path "/opt/tomcat/webapps/my-context-root" -d www.my-example.com --rsa-key-size 4096

which generated the following PEM files:
cert.pem chain.pem fullchain.pem privkey.pem
Do I need to regenerate the keystore, and which file do I re-import?

I was successfully able to import certs into my keystore and restarted the server after following this post.
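For readers with the same "which PEM file goes into the keystore" question as the post above, here is an added example (not code from this thread or from Certbot) of the usual route: bundle privkey.pem and fullchain.pem into a PKCS12 with openssl, then import it into the JKS that Tomcat's server.xml points at. The paths, the alias "tomcat", the password "changeit" and the self-signed stand-in certificate are assumptions made so the script runs offline; with real Certbot output, point LIVE_DIR at /etc/letsencrypt/live/<your-domain>/ instead.

```shell
#!/bin/sh
# Added example: convert Certbot PEM output into a PKCS12/JKS for Tomcat.
# Alias, passwords and paths are assumptions, not values from the thread.
set -eu

# privkey.pem holds the key, fullchain.pem the leaf plus intermediates;
# cert.pem and chain.pem are not needed separately for the keystore.
# $1 = directory with the PEM files, $2 = output .p12, $3 = export password
make_pkcs12() {
  openssl pkcs12 -export \
    -inkey "$1/privkey.pem" -in "$1/fullchain.pem" \
    -name tomcat -out "$2" -passout "pass:$3"
}

# Expiry of the leaf certificate inside the bundle, i.e. what Tomcat will serve;
# a quick post-renewal check that the new cert, not the old one, was imported.
pkcs12_not_after() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -enddate | cut -d= -f2
}

# Import into a JKS when a JDK is present. Tomcat can also read the .p12
# directly (keystoreType="PKCS12" in the Connector), which skips this step.
# $1 = .p12 file, $2 = password (used for both stores), $3 = output .jks
import_jks() {
  command -v keytool >/dev/null || return 0
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
    -destkeystore "$3" -deststoretype JKS -deststorepass "$2"
}

# Constructed stand-in for Certbot's live directory: a self-signed key/cert
# pair with the thread's placeholder name, so the script runs without Certbot.
make_demo_live_dir() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=www.my-example.com" \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

LIVE_DIR="${LIVE_DIR:-$(mktemp -d)/live}"
[ -f "$LIVE_DIR/privkey.pem" ] || make_demo_live_dir "$LIVE_DIR"
make_pkcs12 "$LIVE_DIR" "$LIVE_DIR/tomcat.p12" changeit
import_jks "$LIVE_DIR/tomcat.p12" changeit "$LIVE_DIR/tomcat.jks"
echo "leaf certificate in keystore expires: $(pkcs12_not_after "$LIVE_DIR/tomcat.p12" changeit)"
```

Because Certbot replaces the PEM files on every renewal, the same steps have to be repeated (for example from a --deploy-hook) and Tomcat restarted, otherwise it keeps serving the old certificate from the keystore.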