Getting error when try to renew the cert on self hosted JIRA instance

mpopov · January 31, 2019, 1:15pm

Hi there im trying to deploy ssl on our new JIRA instance which will be public and i followed this guide

gist.github.com

https://gist.github.com/dborin/dd501b28967d3784fa646534dbea6ffa

jira_letsencrypt.md

HOWTO Configure Atlassian Jira to use Letsencrypt certificate with default Tomcat
-----------------------------

This is a primer for installing a Letsencrypt certificate on a Jira server that is running the Jira provided, default Tomcat for serving webpages.

I found lots of information about how to do it using a free-standing Tomcat or nginx, but nothing about this particular combination.  I hope it helps you!

Obviously, in all the examples, you need to replace `jira.example.com` with your own domain!  And (duh) you need to use your own password, not `1234`

You need to have installed Java (outside the scope of this document).  Then in your user's shell RC file and probably `root`'s RC file, add

This file has been truncated. show original

Everything workout fine until i tried to renew the cert with sudo certbot renew --dry-run
My domain is:
servicedesk.etiometry.com
I ran this command:
sudo certbot renew --dry-run
It produced this output:
when i try to dry run renew im getting the following error
Domain: servicedesk.etiometry.com
Type: unauthorized
Detail: Invalid response from
http://servicedesk.etiometry.com/.well-known/acme-challenge/-hK239it92z5jQAyLJlfeGJrFvfc-dFDuJwCJF-Pe9I
[38.111.227.73]: 503
My web server is (include version):
Apache Tomcat/8.5.32
The operating system my web server runs on is (include version):
ubuntu 16.04
Linux servicedesk 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
My hosting provider, if applicable, is:
selfhosting
I can login to a root shell on my machine (yes or no, or I don’t know):
root shell access
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

JuergenAuer · January 31, 2019, 2:24pm

Hi @mpopov

in this installation, do you have a webroot? So that you can create a test file (file name 1234) in

/.well-known/acme-challenge

and load this file with your browser

http://servicedesk.etiometry.com/.well-known/acme-challenge/1234

PS: But checking your https you have a certificate created yesterday. So I would recheck this in two months.

mpopov · January 31, 2019, 2:54pm

HI @JuergenAuer

Thanks, for the response.
I’m not sure where the webroot of the Tomcat is. I know the cert is good for another 89 days, but I’m trying to iron this out because we are planning to go live in a month or so. I want to have everything working so we don’t have any service interruptions.

Edit:
I poked around a little bit more and now im getting this

Attempting to renew cert (servicedesk.etiometry.com) from 
/etc/letsencrypt/renewal/servicedesk.etiometry.com.conf produced an unexpected error: Failed 
authorization procedure. servicedesk.etiometry.com (http-01): 
urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response 
from http://servicedesk.etiometry.com/.well-known/acme-challenge/6pgIAlP- 
DTgvzCzFykg86ZF6GyOHxJ4r8hz6ADTi4Wg: "<!DOCTYPE html><html lang=\"en\"><head><meta 
charset=\"utf-8\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"><title>Oops, you". 
Skipping.

JuergenAuer · January 31, 2019, 3:13pm

Other users have

/var/lib/tomcat7/webapps/ROOT/

Check, if this directory exists. If yes, add two subdirectories

/var/lib/tomcat7/webapps/ROOT/.well-known/acme-challenge

there the test file.

But I don't understand it. If you have created a new certificate yesterday, then the renew should work today.

If not, looks like you have changed a lot of things.

mpopov · January 31, 2019, 3:26pm

I guess i didnt make myself clear for which im sorry. This Tomcat comes wrapped in the JIRA install, the only changes i’ve made are creating key store and enforcing the server to use HTTPS and pointing to the created key store. Also open ports in iptables. The guide i used ->

gist.github.com

https://gist.github.com/dborin/dd501b28967d3784fa646534dbea6ffa

jira_letsencrypt.md

HOWTO Configure Atlassian Jira to use Letsencrypt certificate with default Tomcat
-----------------------------

This is a primer for installing a Letsencrypt certificate on a Jira server that is running the Jira provided, default Tomcat for serving webpages.

I found lots of information about how to do it using a free-standing Tomcat or nginx, but nothing about this particular combination.  I hope it helps you!

Obviously, in all the examples, you need to replace `jira.example.com` with your own domain!  And (duh) you need to use your own password, not `1234`

You need to have installed Java (outside the scope of this document).  Then in your user's shell RC file and probably `root`'s RC file, add

This file has been truncated. show original

its pretty straight forward. I guess i can try to wipe clean the server and install it again and keep myfingers crossed. I encountered similar if not the same problem the first time i tried the guide a week or so ago.

I dont have dir
/var/lib/tomcat*

JuergenAuer · January 31, 2019, 3:35pm

Checked this guide:

There is

sudo certbot certonly --standalone

used as command. So if you have a running webserver on port 80, you have to stop this webserver.

So (my personal position) --standalone isn't a good solution if I have a running website. That interrupts.

So you have three options:

using http-01 validation, then a file in /.well-known/acme-challenge is required (first connect port 80, then perhaps a redirect https)
using dns-01 validation, that requires a dns txt entry (without dns API it's painful)
or use the tls-alpn-01 validation. There are not much clients.

Or you add a proxy server that catches the http traffic to /.well-known/acme-challenge.

But all of these solutions are difficult, using the running webserver with /.well-known is the easiest way.

mpopov · January 31, 2019, 3:56pm

the web server is running on port 8080 but it gets redirected from 80, but when i stop jira and try cert renew i get connection refused.

Domain: servicedesk.etiometry.com
Type: connection
Detail: Fetching
http://servicedesk.etiometry.com/.well-known/acme-
challenge/cewOVwQspDLQYfnS8i3kS7Igjn5wbgup-qyncNJslDE:
Connection refused

JuergenAuer · January 31, 2019, 4:35pm

But which instance redirects?

Isn't it possible that this instance handles /.well-known/acme-challenge different?

mpopov · January 31, 2019, 4:42pm

my bad the web service works on 8443, all the requests made on port 8080 are forwarded to 8443
iptables forward requests from 80 to 8080

JuergenAuer · January 31, 2019, 4:44pm

What instance handles port 8080? Then this instance may manage /.well-known/acme-challenge separate.

mpopov · January 31, 2019, 4:47pm

Its all wrapped in JIRA’s Tomcat

system · March 2, 2019, 4:47pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.