Hi there im trying to deploy ssl on our new JIRA instance which will be public and i followed this guide
Everything workout fine until i tried to renew the cert with sudo certbot renew --dry-run
My domain is:
servicedesk.etiometry.com
I ran this command:
sudo certbot renew --dry-run
It produced this output:
when i try to dry run renew im getting the following error
Domain: servicedesk.etiometry.com
Type: unauthorized
Detail: Invalid response from
http://servicedesk.etiometry.com/.well-known/acme-challenge/-hK239it92z5jQAyLJlfeGJrFvfc-dFDuJwCJF-Pe9I
[38.111.227.73]: 503
My web server is (include version):
Apache Tomcat/8.5.32
The operating system my web server runs on is (include version):
ubuntu 16.04
Linux servicedesk 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
My hosting provider, if applicable, is:
selfhosting
I can login to a root shell on my machine (yes or no, or I don’t know):
root shell access
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you’re using Certbot): certbot 0.28.0
Hi @mpopov
in this installation, do you have a webroot? So that you can create a test file (file name 1234) in
/.well-known/acme-challenge
and load this file with your browser
http://servicedesk.etiometry.com/.well-known/acme-challenge/1234
PS: But checking your https you have a certificate created yesterday. So I would recheck this in two months.
HI @JuergenAuer
Thanks, for the response.
I’m not sure where the webroot of the Tomcat is. I know the cert is good for another 89 days, but I’m trying to iron this out because we are planning to go live in a month or so. I want to have everything working so we don’t have any service interruptions.
Edit:
I poked around a little bit more and now im getting this
Attempting to renew cert (servicedesk.etiometry.com) from
/etc/letsencrypt/renewal/servicedesk.etiometry.com.conf produced an unexpected error: Failed
authorization procedure. servicedesk.etiometry.com (http-01):
urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response
from http://servicedesk.etiometry.com/.well-known/acme-challenge/6pgIAlP-
DTgvzCzFykg86ZF6GyOHxJ4r8hz6ADTi4Wg: "<!DOCTYPE html><html lang=\"en\"><head><meta
charset=\"utf-8\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"><title>Oops, you".
Skipping.
Other users have
/var/lib/tomcat7/webapps/ROOT/
Check, if this directory exists. If yes, add two subdirectories
/var/lib/tomcat7/webapps/ROOT/.well-known/acme-challenge
there the test file.
But I don't understand it. If you have created a new certificate yesterday, then the renew should work today.
If not, looks like you have changed a lot of things.
I guess i didnt make myself clear for which im sorry. This Tomcat comes wrapped in the JIRA install, the only changes i’ve made are creating key store and enforcing the server to use HTTPS and pointing to the created key store. Also open ports in iptables. The guide i used ->
its pretty straight forward. I guess i can try to wipe clean the server and install it again and keep myfingers crossed. I encountered similar if not the same problem the first time i tried the guide a week or so ago.
I dont have dir
/var/lib/tomcat*
Checked this guide:
There is
sudo certbot certonly --standalone
used as command. So if you have a running webserver on port 80, you have to stop this webserver.
So (my personal position) --standalone isn't a good solution if I have a running website. That interrupts.
So you have three options:
- using http-01 validation, then a file in /.well-known/acme-challenge is required (first connect port 80, then perhaps a redirect https)
- using dns-01 validation, that requires a dns txt entry (without dns API it's painful)
- or use the tls-alpn-01 validation. There are not much clients.
Or you add a proxy server that catches the http traffic to /.well-known/acme-challenge.
But all of these solutions are difficult, using the running webserver with /.well-known is the easiest way.
the web server is running on port 8080 but it gets redirected from 80, but when i stop jira and try cert renew i get connection refused.
Domain: servicedesk.etiometry.com
Type: connection
Detail: Fetching
http://servicedesk.etiometry.com/.well-known/acme-
challenge/cewOVwQspDLQYfnS8i3kS7Igjn5wbgup-qyncNJslDE:
Connection refused
But which instance redirects?
Isn't it possible that this instance handles /.well-known/acme-challenge different?
my bad the web service works on 8443, all the requests made on port 8080 are forwarded to 8443
iptables forward requests from 80 to 8080
What instance handles port 8080? Then this instance may manage /.well-known/acme-challenge separate.
Its all wrapped in JIRA’s Tomcat
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.