Getting error when try to renew the cert on self hosted JIRA instance


Hi there im trying to deploy ssl on our new JIRA instance which will be public and i followed this guide

Everything workout fine until i tried to renew the cert with sudo certbot renew --dry-run
My domain is:
I ran this command:
sudo certbot renew --dry-run
It produced this output:
when i try to dry run renew im getting the following error
Type: unauthorized
Detail: Invalid response from
[]: 503
My web server is (include version):
Apache Tomcat/8.5.32
The operating system my web server runs on is (include version):
ubuntu 16.04
Linux servicedesk 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
root shell access
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0


Hi @mpopov

in this installation, do you have a webroot? So that you can create a test file (file name 1234) in


and load this file with your browser

PS: But checking your https you have a certificate created yesterday. So I would recheck this in two months.


HI @JuergenAuer

Thanks, for the response.
I’m not sure where the webroot of the Tomcat is. I know the cert is good for another 89 days, but I’m trying to iron this out because we are planning to go live in a month or so. I want to have everything working so we don’t have any service interruptions.

I poked around a little bit more and now im getting this

Attempting to renew cert ( from 
/etc/letsencrypt/renewal/ produced an unexpected error: Failed 
authorization procedure. (http-01): 
urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response 
DTgvzCzFykg86ZF6GyOHxJ4r8hz6ADTi4Wg: "<!DOCTYPE html><html lang=\"en\"><head><meta 
charset=\"utf-8\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"><title>Oops, you". 


Other users have


Check, if this directory exists. If yes, add two subdirectories


there the test file.

But I don’t understand it. If you have created a new certificate yesterday, then the renew should work today.

If not, looks like you have changed a lot of things.


I guess i didnt make myself clear for which im sorry. This Tomcat comes wrapped in the JIRA install, the only changes i’ve made are creating key store and enforcing the server to use HTTPS and pointing to the created key store. Also open ports in iptables. The guide i used ->

its pretty straight forward. I guess i can try to wipe clean the server and install it again and keep myfingers crossed. I encountered similar if not the same problem the first time i tried the guide a week or so ago.

I dont have dir


Checked this guide:

There is

sudo certbot certonly --standalone

used as command. So if you have a running webserver on port 80, you have to stop this webserver.

So (my personal position) --standalone isn’t a good solution if I have a running website. That interrupts.

So you have three options:

  • using http-01 validation, then a file in /.well-known/acme-challenge is required (first connect port 80, then perhaps a redirect https)
  • using dns-01 validation, that requires a dns txt entry (without dns API it’s painful)
  • or use the tls-alpn-01 validation. There are not much clients.

Or you add a proxy server that catches the http traffic to /.well-known/acme-challenge.

But all of these solutions are difficult, using the running webserver with /.well-known is the easiest way.


the web server is running on port 8080 but it gets redirected from 80, but when i stop jira and try cert renew i get connection refused.

Type: connection
Detail: Fetching
Connection refused


But which instance redirects?

Isn’t it possible that this instance handles /.well-known/acme-challenge different?


my bad the web service works on 8443, all the requests made on port 8080 are forwarded to 8443
iptables forward requests from 80 to 8080


What instance handles port 8080? Then this instance may manage /.well-known/acme-challenge separate.


Its all wrapped in JIRA’s Tomcat

closed #12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.