Getting an error when trying to renew the cert on a self-hosted JIRA instance


#1

Hi there, I'm trying to deploy SSL on our new JIRA instance, which will be public, and I followed this guide


Everything worked out fine until I tried to renew the cert with sudo certbot renew --dry-run
My domain is:
servicedesk.etiometry.com
I ran this command:
sudo certbot renew --dry-run
It produced this output:
When I try a dry-run renew I'm getting the following error:
Domain: servicedesk.etiometry.com
Type: unauthorized
Detail: Invalid response from
http://servicedesk.etiometry.com/.well-known/acme-challenge/-hK239it92z5jQAyLJlfeGJrFvfc-dFDuJwCJF-Pe9I
[38.111.227.73]: 503
My web server is (include version):
Apache Tomcat/8.5.32
The operating system my web server runs on is (include version):
Ubuntu 16.04
Linux servicedesk 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
My hosting provider, if applicable, is:
self-hosting
I can login to a root shell on my machine (yes or no, or I don’t know):
root shell access
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0


#2

Hi @mpopov

In this installation, do you have a webroot? So that you can create a test file (file name 1234) in

/.well-known/acme-challenge

and load this file with your browser

http://servicedesk.etiometry.com/.well-known/acme-challenge/1234

PS: But checking your https you have a certificate created yesterday. So I would recheck this in two months.


#3

Hi @JuergenAuer

Thanks for the response.
I’m not sure where the webroot of the Tomcat is. I know the cert is good for another 89 days, but I’m trying to iron this out because we are planning to go live in a month or so. I want to have everything working so we don’t have any service interruptions.

Edit:
I poked around a little bit more and now I'm getting this:

Attempting to renew cert (servicedesk.etiometry.com) from /etc/letsencrypt/renewal/servicedesk.etiometry.com.conf produced an unexpected error: Failed authorization procedure. servicedesk.etiometry.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://servicedesk.etiometry.com/.well-known/acme-challenge/6pgIAlP-DTgvzCzFykg86ZF6GyOHxJ4r8hz6ADTi4Wg: "<!DOCTYPE html><html lang=\"en\"><head><meta charset=\"utf-8\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"><title>Oops, you". Skipping.

#4

Other users have

/var/lib/tomcat7/webapps/ROOT/

Check if this directory exists. If yes, add two subdirectories

/var/lib/tomcat7/webapps/ROOT/.well-known/acme-challenge

and put the test file there.

But I don’t understand it. If you have created a new certificate yesterday, then the renew should work today.

If not, looks like you have changed a lot of things.


#5

I guess I didn't make myself clear, for which I'm sorry. This Tomcat comes wrapped in the JIRA install; the only changes I've made are creating a key store, forcing the server to use HTTPS and pointing it to the created key store. Also opening ports in iptables. The guide I used ->

It's pretty straightforward. I guess I can try to wipe the server clean and install it again and keep my fingers crossed. I encountered a similar, if not the same, problem the first time I tried the guide a week or so ago.

I don't have the dir
/var/lib/tomcat*


#6

Checked this guide:

There is

sudo certbot certonly --standalone

used as the command. So if you have a running webserver on port 80, you have to stop this webserver.

So (my personal position) --standalone isn't a good solution if I have a running website. That interrupts it.

So you have three options:

  • using http-01 validation, then a file in /.well-known/acme-challenge is required (first connect port 80, then perhaps a redirect https)
  • using dns-01 validation, that requires a dns txt entry (without dns API it’s painful)
  • or use the tls-alpn-01 validation. There are not many clients.

Or you add a proxy server that catches the http traffic to /.well-known/acme-challenge.

But all of these solutions are difficult, using the running webserver with /.well-known is the easiest way.


#7

The web server is running on port 8080 but it gets redirected from 80, but when I stop JIRA and try cert renew I get connection refused.

Domain: servicedesk.etiometry.com
Type: connection
Detail: Fetching
http://servicedesk.etiometry.com/.well-known/acme-challenge/cewOVwQspDLQYfnS8i3kS7Igjn5wbgup-qyncNJslDE:
Connection refused


#8

But which instance redirects?

Isn’t it possible that this instance handles /.well-known/acme-challenge different?


#9

My bad, the web service works on 8443; all the requests made on port 8080 are forwarded to 8443.
iptables forwards requests from 80 to 8080.


#10

What instance handles port 8080? Then this instance may manage /.well-known/acme-challenge separately.
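As an added illustration of the test-file check from #2, of the three outcomes reported in this thread (the 503 in #1, the HTML "Oops, you" page in #3, the connection refused in #7) and of the "instance that handles /.well-known/acme-challenge separately" idea from #6 and #10, here is a self-contained Python script. It was written for this thread and is not part of the original posts, of certbot or of JIRA. It starts throwaway HTTP listeners on loopback only: a plain webroot, an ACME-unaware application server that answers every path with its own HTML page (once with 503, once with 200), a "front" that serves only the challenge prefix from the webroot and redirects everything else to HTTPS, and finally a port with nothing listening. The token 1234, the file contents, the HTML body and the hostname jira.example are constructed placeholders.

```python
import functools
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class Webroot(http.server.SimpleHTTPRequestHandler):
    # Plain file server over a directory, i.e. a webroot (logging silenced).
    def log_message(self, *args):
        pass


def make_app_handler(status):
    # ACME-unaware application server: answers every path with its own HTML
    # page (constructed body, modelled on the "Oops, you" page in the thread).
    class App(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            body = b'<!DOCTYPE html><html lang="en"><head><title>Oops, you</title></head></html>'
            self.send_response(status)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        log_message = lambda self, *a: None
    return App


def make_front_handler(webroot):
    # Port-80 front that treats the challenge path separately: serve it from
    # the webroot, redirect every other path to HTTPS (constructed hostname).
    class Front(Webroot):
        def __init__(self, *args, **kwargs):
            super().__init__(*args, directory=webroot, **kwargs)
        def do_GET(self):
            if self.path.startswith(CHALLENGE_PREFIX):
                return super().do_GET()
            self.send_response(301)
            self.send_header("Location", "https://jira.example" + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()
    return Front


class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Report a 3xx as the status received instead of following it.
    def redirect_request(self, *args, **kwargs):
        return None


def fetch(url):
    # GET url with no env proxies and no redirect following; returns
    # (status, body); status is None when the TCP connection itself fails.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
    except urllib.error.URLError as err:
        return None, str(err.reason).encode()


def classify(status, body, expected):
    # Would this response to the challenge URL satisfy the CA?
    if status is None:
        return "connection refused: nothing listening on the port"
    if status != 200:
        return f"HTTP {status}: the path is not served from a webroot"
    if body != expected:
        return "200 but the body is an application page, not the token file"
    return "ok: challenge file served verbatim"


def start(handler):
    # Bind a server on a random loopback port and serve it in the background.
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_demo():
    # Probe the same challenge URL against each kind of listener.
    token, expected = "1234", b"1234.constructed-key-authorization"
    results = {}
    with tempfile.TemporaryDirectory() as root:
        chal_dir = os.path.join(root, ".well-known", "acme-challenge")
        os.makedirs(chal_dir)
        with open(os.path.join(chal_dir, token), "wb") as fh:
            fh.write(expected)  # the test file from post #2
        listeners = {
            "webroot": functools.partial(Webroot, directory=root),
            "app_503": make_app_handler(503),
            "app_200": make_app_handler(200),
            "front": make_front_handler(root),
        }
        for name, handler in listeners.items():
            srv, base = start(handler)
            status, body = fetch(base + CHALLENGE_PREFIX + token)
            results[name] = (status, classify(status, body, expected))
            if name == "front":  # any non-challenge path is sent on to HTTPS
                results["front_other"] = fetch(base + "/dashboard")[0]
            srv.shutdown()
            srv.server_close()
        status, body = fetch(base + CHALLENGE_PREFIX + token)  # port now closed
        results["stopped"] = (status, classify(status, body, expected))
    return results


if __name__ == "__main__":
    for name, res in run_demo().items():
        print(f"{name:12s} {res}")
```

On a real host the same probe is a browser or curl request for the challenge URL from outside your network, and the only acceptable outcome is a 200 whose body is exactly the file you placed; a 503, an HTML error page or a refused connection each mean that whatever owns port 80 does not serve that prefix from a directory. The front listener is the shape of the "proxy that catches the http traffic to /.well-known/acme-challenge" suggestion: the process on port 80 serves that one prefix from a directory certbot can write into (certbot's webroot plugin) and may redirect everything else to the application on 8443.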


#11

It's all wrapped in JIRA's Tomcat.