Failing acme challenge when installing certificate for Tomcat

Good evening. We are receiving an error upon installing a certificate on a Tomcat server. We are not renewing this certificate but installing it on the server for the first time. Despite the claim that it lacks sufficient authorization, I am running as root and the permissions on files and directories up to and including the web application folder are 755 with ownership belonging to tomcat:tomcat.

There is a test file placed at the .well-known/acme-challenge/ directory and it can be reached via web browser. Please let me know if I can provide any further information.

I have referenced these threads but they have not turned up any solutions to this specific problem:



I have referenced the following threads, but the problems do not seem to be the same as ours:

My domain is: fiska11oy.com

I ran this command: sudo certbot certonly --standalone -w /opt/tomcat/webapps/fiska11oy/ -d fiska11oy.com -d www.fiska11oy.com

It produced this output:
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for fiska11oy.com
http-01 challenge for www.fiska11oy.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.fiska11oy.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.fiska11oy.com/.well-known/acme-challenge/8iudu91x4bQhwDg4wD9ZNhjSgYkxOBbXz0-cdzvzx60 [IP ADDRESS]: "<!doctype html><html lang=\"en\">HTTP Status 404 \u2013 Not Found<style type=\"text/css\">h1 {font-family:Tahoma,A"

IMPORTANT NOTES:

My web server is (include version): Tomcat 8

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0


Those flags don’t make sense together. What you’re probably after is:

sudo certbot certonly --webroot -w /opt/tomcat/webapps/fiska11oy --dry-run

First though, you’ll want to verify that you can create a test file:

echo "Hello World" > /opt/tomcat/webapps/fiska11oy/test.txt

and confirm that you can see it in a browser at http://fiska11oy.com/test.txt . That would confirm that the Certbot command is suitable to your environment.

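The test-file check in the reply above, as an added example that is not code from the original thread: a pre-flight probe for the `--webroot` authenticator that writes a random token exactly where certbot will (`<webroot>/.well-known/acme-challenge/`) and fetches it back over HTTP the way the ACME validation server does, so a 404 like the one in the first post shows up locally before a validation attempt is spent. It assumes `curl` is installed, that Tomcat serves the webroot directory as static content at the site root (as the `test.txt` check above does), and that the `--run` usage at the bottom is for this thread's names; all of those are assumptions, not facts from the thread.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread: a pre-flight check for
# certbot's --webroot authenticator. It writes a random token exactly where
# certbot will (<webroot>/.well-known/acme-challenge/) and fetches it back
# over plain HTTP the way the validation server does, so a 404 like the one
# in the first post shows up here instead of burning a validation attempt.
# Assumptions: curl is installed; the webroot is served as static content at
# the site root; <url-base> is the public http:// origin of the name.
set -u

# check_webroot <webroot-dir> <url-base>
#   Returns 0 only if the token file written under <webroot-dir> comes back
#   byte-for-byte from <url-base>/.well-known/acme-challenge/<token>.
check_webroot() {
  local webroot="$1" url_base="$2"
  local chal_dir="$webroot/.well-known/acme-challenge"
  local token url body rc=0
  # real ACME tokens are base64url; a random hex name is enough for a probe
  token="probe-$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
  url="$url_base/.well-known/acme-challenge/$token"
  mkdir -p "$chal_dir" || return 1
  printf '%s' "$token" > "$chal_dir/$token" || return 1
  # -f: a 404/403 is a failure, not a body to compare; -m: do not hang on a
  # port 80 that the router never forwards to this host
  body="$(curl -fsS -m 10 "$url" 2>/dev/null)" || rc=$?
  rm -f "$chal_dir/$token"            # clean up, as certbot does
  if [ "$rc" -ne 0 ]; then
    echo "FAIL: $url not served (curl exit $rc): wrong webroot, or port 80 not reaching this server" >&2
    return 1
  fi
  if [ "$body" != "$token" ]; then
    echo "FAIL: $url served something other than the token (rewrite or different document root?)" >&2
    return 1
  fi
  echo "OK: $url_base serves $chal_dir/"
}

# Usage: probe every name that will be on the certificate, then let certbot
# do the same thing for real (dry run first).
if [ "${1:-}" = "--run" ]; then
  for host in fiska11oy.com www.fiska11oy.com; do
    check_webroot /opt/tomcat/webapps/fiska11oy "http://$host" || exit 1
  done
  sudo certbot certonly --webroot -w /opt/tomcat/webapps/fiska11oy \
       -d fiska11oy.com -d www.fiska11oy.com --dry-run
fi
```

The probe covers both names because the first post's failure was reported for `www.fiska11oy.com`; a webroot that is right for one name and wrong for the other (or a name whose port 80 is not forwarded at all) fails the same way in certbot.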

Thank you, that was a huge help! I was successful in generating the cert thanks to your suggestion. I have a follow up question now that I have the cert. I have created a bundle.pfx file per the instructions laid out in this thread: Using let's encrypt with tomcat
I have set the permissions of said file and directories appropriately and entered the following into my server.xml file:

<Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/etc/letsencrypt/live/fiska11oy.com/bundle.pfx" keystorePass="XXXXX"
           clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>

and I have restarted Tomcat. I have yet to get the padlock on my site. It does not indicate that I even have a valid certificate when I view the site in Chrome or Firefox. Have I missed a step or done something wrong? In the past, I have been successful with this method on a different Linux server running WordPress.

Thanks again for your help.
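The bundle step described in the post above, as an added example that is not code from the original thread or the linked one: it builds the PKCS#12 file Tomcat reads from the PEM files certbot keeps under `/etc/letsencrypt/live/<name>/`, and rebuilds it from a certbot deploy hook so the `.pfx` does not go stale when certbot renews the PEMs behind it. It assumes `openssl` is installed, that Tomcat is the systemd unit `tomcat` running as `tomcat:tomcat` with `CATALINA_BASE=/opt/tomcat` (as in the log further down), and the output and password-file paths are my own choice rather than the thread's.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread: build the PKCS#12 bundle
# Tomcat reads from the PEM files certbot maintains under
# /etc/letsencrypt/live/<name>/, and rebuild it from a certbot deploy hook so
# the .pfx is refreshed every time certbot renews the PEMs behind it.
# Assumptions (mine, not the thread's): openssl is installed; Tomcat is the
# systemd unit "tomcat" running as tomcat:tomcat with CATALINA_BASE
# /opt/tomcat; the output and password-file paths below are my choice.
set -u

# export_pfx <lineage-dir> <out.pfx> <password-file>
#   Packs privkey.pem + fullchain.pem into <out.pfx>. The password is read
#   from a file (-passout file:) so it never appears in `ps` output, and the
#   bundle is written to a temp name and renamed, so a Tomcat restart can
#   never pick up a half-written file.
export_pfx() {
  local lineage="$1" out="$2" passfile="$3" tmp
  [ -r "$lineage/privkey.pem" ] && [ -r "$lineage/fullchain.pem" ] || {
    echo "no privkey.pem/fullchain.pem in $lineage" >&2; return 1; }
  tmp="$(mktemp "$out.XXXXXX")" || return 1
  # fullchain.pem already holds leaf + intermediate, so no -certfile is needed
  openssl pkcs12 -export -name tomcat \
      -inkey "$lineage/privkey.pem" -in "$lineage/fullchain.pem" \
      -passout "file:$passfile" -out "$tmp" || { rm -f "$tmp"; return 1; }
  chmod 0640 "$tmp" && mv -f "$tmp" "$out"
}

# pfx_cert_count <file.pfx> <password-file>
#   Prints how many certificates the bundle yields with that password
#   (0 when the password is wrong or the file is not a PKCS#12 bundle).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Deploy hook: certbot runs it only after a successful renewal, with
# RENEWED_LINEAGE set to the live/<name> directory it just updated.
# Register it once, e.g.:
#   certbot certonly --webroot -w /opt/tomcat/webapps/fiska11oy \
#     -d fiska11oy.com -d www.fiska11oy.com \
#     --deploy-hook /usr/local/sbin/tomcat-pfx-hook.sh
deploy_hook() {
  local out=/opt/tomcat/conf/bundle.pfx passfile=/opt/tomcat/conf/pfx-pass
  export_pfx "$RENEWED_LINEAGE" "$out" "$passfile" || return 1
  chown root:tomcat "$out"        # Tomcat reads it; nobody else needs to
  systemctl restart tomcat        # Tomcat does not reload a changed keystore by itself
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_hook
fi
```

`keystorePass` in server.xml must match the first line of the password file, and `keystoreFile` must point at the hook's output path. Writing the bundle under `/opt/tomcat/conf` rather than into `/etc/letsencrypt/live/` means the `tomcat` user needs no read access to certbot's directories at all. Since the password also sits in cleartext in server.xml, it protects little on its own; the file permissions on `bundle.pfx`, the password file and `server.xml` are what actually keep the private key from other local users.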

What does your Tomcat log say?

I can’t connect to your server on port 443 to check for the certificate. You might need to open up the firewall or setup port forwarding.

Hello,

My tomcat log is not reporting any errors after restarting the tomcat service:

02-Nov-2019 13:36:47.061 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["https-jsse-nio-8443"]
02-Nov-2019 13:36:47.063 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8080"]
02-Nov-2019 13:36:47.063 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["https-jsse-nio-8443"]
02-Nov-2019 13:36:48.637 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/8.5.20
02-Nov-2019 13:36:48.639 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Aug 2 2017 21:35:49 UTC
02-Nov-2019 13:36:48.640 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number:         8.5.20.0
02-Nov-2019 13:36:48.640 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
02-Nov-2019 13:36:48.640 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            4.15.0-66-generic
02-Nov-2019 13:36:48.640 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
02-Nov-2019 13:36:48.640 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/lib/jvm/java-8-openjdk-amd64/jre
02-Nov-2019 13:36:48.640 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           1.8.0_222-8u222-b10-1ubuntu1~18.04.1-b10
02-Nov-2019 13:36:48.640 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Private Build
02-Nov-2019 13:36:48.641 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /opt/tomcat
02-Nov-2019 13:36:48.641 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /opt/tomcat
02-Nov-2019 13:36:48.641 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties
02-Nov-2019 13:36:48.641 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
02-Nov-2019 13:36:48.642 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.awt.headless=true
02-Nov-2019 13:36:48.642 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.egd=file:/dev/./urandom
02-Nov-2019 13:36:48.642 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
02-Nov-2019 13:36:48.642 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
02-Nov-2019 13:36:48.642 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms512M
02-Nov-2019 13:36:48.642 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx1024M
02-Nov-2019 13:36:48.642 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:+UseParallelGC
02-Nov-2019 13:36:48.643 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/opt/tomcat
02-Nov-2019 13:36:48.643 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/opt/tomcat
02-Nov-2019 13:36:48.643 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/opt/tomcat/temp
02-Nov-2019 13:36:48.643 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib]
02-Nov-2019 13:36:48.746 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
02-Nov-2019 13:36:48.769 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
02-Nov-2019 13:36:48.774 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
02-Nov-2019 13:36:49.113 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
02-Nov-2019 13:36:49.114 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 925 ms
02-Nov-2019 13:36:49.144 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
02-Nov-2019 13:36:49.144 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.5.20
02-Nov-2019 13:36:49.156 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/fiska11oy]
02-Nov-2019 13:36:49.640 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
02-Nov-2019 13:36:49.688 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/tomcat/webapps/fiska11oy] has finished in [531] ms
02-Nov-2019 13:36:49.688 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/ROOT]
02-Nov-2019 13:36:49.825 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
02-Nov-2019 13:36:49.829 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/tomcat/webapps/ROOT] has finished in [140] ms
02-Nov-2019 13:36:49.829 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/ok]
02-Nov-2019 13:36:50.024 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
02-Nov-2019 13:36:50.028 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/tomcat/webapps/ok] has finished in [199] ms
02-Nov-2019 13:36:50.032 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
02-Nov-2019 13:36:50.090 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-8443"]
02-Nov-2019 13:36:50.097 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 983 ms

Port 443 should be open

I can't access it from any location I try. Maybe blocked port or conflict with your modem-router’s admin interface?

Log looks good. What does OpenSSL report, running from the server?

openssl s_client -connect fiska11oy.com:443 -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -dates

Hello,

I am glad that you made this very helpful suggestion. 443 WAS closed on the router. However, now that it has been opened and tomcat has been restarted again, I am still not getting the padlock. It looks as though there is a self-signed cert (I personally did not issue this and do not know the story behind it) that comes up when accessing the site over 443.

I ran the command you suggested:
openssl s_client -connect fiska11oy.com:443 -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -dates
and received the following output, which is consistent with the self-signed cert:

subject=CN = My Server Name

issuer=CN = My Server Name

notBefore=Mar 26 14:22:55 2018 GMT

notAfter=Mar 23 14:22:55 2028 GMT

Hi again, I also wanted to note that if I use port 8443 in my server.xml file as my connector and redirect port, I do not receive any errors in my tomcat logs (as noted above). When I use 443, I receive this in my tomcat log upon restarting the service:

SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-443"] java.net.SocketException: Permission denied

Both 8443 and 443 are now open on the server and router. Thanks again for all of your help so far!

You have a different server listening on port 443 - Apache (not Tomcat). That’s why you see the self-signed certificate.

Right. You need to tell your system that Tomcat is allowed to bind to a low port (443). You can search for how to do this, but usual approaches are using setcap or authbind.

Edit: you can also just port forward 443 externally to 8443 internally, to avoid the issue.

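The two routes in the reply above (let Tomcat bind 443 itself, or forward 443 to 8443), as an added example that is not code from the original thread. For the first route it uses a systemd drop-in granting only `CAP_NET_BIND_SERVICE` rather than the `setcap`/`authbind` the reply names; for the second it uses an `iptables` REDIRECT on the host, which does the same thing as the router-side forward the edit suggests. It assumes Tomcat is the systemd unit `tomcat` with `User=tomcat` in its unit file, and that the HTTPS connector in server.xml is left on 8443 for the second route; both are assumptions about this setup, not facts from the thread.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread: two ways to answer on
# :443 without running Tomcat as root, matching the two routes in the reply
# above. Assumptions: Tomcat is the systemd unit "tomcat" with User=tomcat
# (Ubuntu 18.04's systemd supports AmbientCapabilities); the connector stays
# on 8443 for the REDIRECT route; paths are my own choice.
set -u

# write_bind_cap_dropin <systemd-unit-dir>
#   Route 1: hand the service exactly one capability, the right to bind a
#   port below 1024, so server.xml can say port="443" while the JVM still
#   runs as the tomcat user. This is narrower than `setcap` on the java
#   binary, which would grant the capability to every JVM on the box.
write_bind_cap_dropin() {
  local dropin_dir="$1/tomcat.service.d"
  mkdir -p "$dropin_dir" || return 1
  cat > "$dropin_dir/bind-443.conf" <<'EOF'
[Service]
# Only takes effect when the unit runs as a non-root User=; root has it anyway.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# The JVM never needs to gain privilege via setuid/file caps at runtime.
NoNewPrivileges=true
EOF
}

# dropin_has_bind_cap <systemd-unit-dir>
#   Returns 0 if the drop-in written above grants the bind capability.
dropin_has_bind_cap() {
  grep -q '^AmbientCapabilities=CAP_NET_BIND_SERVICE$' \
    "$1/tomcat.service.d/bind-443.conf"
}

# redirect_443_to_8443
#   Route 2: keep the connector on 8443 (no "Permission denied" at startup)
#   and let the kernel rewrite incoming :443 to :8443 before Tomcat sees it.
#   PREROUTING only touches traffic arriving from other hosts; tests from the
#   server itself still have to use :8443. Must be run as root.
redirect_443_to_8443() {
  iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
}

# Usage (as root), route 1:
#   write_bind_cap_dropin /etc/systemd/system
#   systemctl daemon-reload && systemctl restart tomcat
# Usage (as root), route 2:
#   redirect_443_to_8443   # then persist it, e.g. with iptables-persistent
```

Two caveats a practitioner would want here: the `iptables` rule does not survive a reboot unless it is persisted, and `setcap` on the `java` binary itself has a well-known side effect, since the loader treats a binary with file capabilities as secure-execution and ignores `LD_LIBRARY_PATH`, which often leaves the JVM unable to find its own shared libraries at startup. The drop-in avoids that because the capability is granted to the process by systemd, not stored on the executable.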

Alternatively, if this Apache server is supposed to be there and is able to proxy to Tomcat, it would be even simpler to use certbot --apache to configure the Apache server with an appropriate certificate, and then rely on it, rather than Tomcat, to handle HTTPS.

Hi again. Thank you for your suggestion. I think what we want to do is port forward 443 to 8443. I found a suggestion on Stack Overflow that I’d like to try but want to get your thoughts on whether this is what you are talking about: https://stackoverflow.com/questions/24736543/tomcat-7-automatically-redirect-https-requests-to-port-8443. Much appreciated.

Nvm got it. Thanks again!