How to renew SSL certificate on Ubuntu 16; I am using Tomcat 8

Getting the below error while renewing the certificate. Please help me with the procedure to renew the certificate.

root@xxx:/letsencrypt# ./letsencrypt-auto
Upgrading certbot-auto 0.10.2 to 0.11.1…
Replacing certbot-auto…
Creating virtual environment…
Installing Python packages…
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "letsencrypt-auto certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

How did you originally obtain the certificate?

By default, renew will try and follow the same process. Were you using something other than Tomcat 8 then?

When I try to renew I am getting the below error.

Press ENTER to continue
2017-02-13 12:39:39,066:ERROR:acme.challenges:Unable to reach http://pleurx-demo.verisign.tech/.well-known/acme-challenge/YBWFPG9l3stcDQ6dL5lAxs11Od146xHPavhFWhnHla4: HTTPConnectionPool(host='pleurx-demo.verisign.tech', port=80): Max retries exceeded with url: /.well-known/acme-challenge/YBWFPG9l3stcDQ6dL5lAxs11Od146xHPavhFWhnHla4 (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7efd31c36850>: Failed to establish a new connection: [Errno 110] Connection timed out',))
2017-02-13 12:39:39,066:WARNING:letsencrypt.plugins.manual:Self-verify of challenge failed.
2017-02-13 12:39:45,661:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/pleurx-demo.verisign.tech.conf produced an unexpected error: Failed authorization procedure. pleurx-demo.verisign.tech (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to pleurx-demo.verisign.tech. Skipping.

Could you provide some information on the question please? …

How did you originally obtain the certificate ?

My colleague did the SSL certificate installation and configuration; he has left the organisation. We are using only Tomcat 8.

Can you provide the contents of

/etc/letsencrypt/renewal/pleurx-demo.verisign.tech.conf

(assuming that's the correct domain name) and

/etc/letsencrypt/cli.ini

please; then we may be able to tell how the certificate was created. If not, you may be better off creating a new certificate rather than doing a "renew".

renew_before_expiry = 30 days

version = 0.9.3
cert = /etc/letsencrypt/live/pleurx-demo.verisign.tech/cert.pem
privkey = /etc/letsencrypt/live/pleurx-demo.verisign.tech/privkey.pem
chain = /etc/letsencrypt/live/pleurx-demo.verisign.tech/chain.pem
fullchain = /etc/letsencrypt/live/pleurx-demo.verisign.tech/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = manual
installer = None
account = 7f1fda802ca0817f88eeb06c7d4942ee
manual_public_ip_logging_ok = True
server = https://acme-v01.api.letsencrypt.org/directory

The cli.ini file is not available under /etc/letsencrypt.

root@PLEURX-DEMO:/letsencrypt/certbot/tests/testdata# pwd
/letsencrypt/certbot/tests/testdata
root@PLEURX-DEMO:/letsencrypt/certbot/tests/testdata# cat cli.ini
agree-dev-preview = True
root@PLEURX-DEMO:/letsencrypt/certbot/tests/testdata#

It looks as if the certificate was generated manually, which is why the "renew" fails.

I'm assuming your Tomcat isn't on port 80. Are you happy to open ports 80 and 143 in your firewall (if there is a firewall)? If so, I'd suggest using the standalone method in certbot: https://certbot.eff.org/docs/using.html#certbot-commands


Port 80 is already opened, both inbound and outbound, but it's still not working.

Why do we need to open port 143?

2017-02-14 10:02:56,192:ERROR:acme.challenges:Unable to reach http://pleurx-demo.verisign.tech/.well-known/acme-challenge/R9WpzyL9KvY80mWqb-34CqmUt92JQtE0qKrk6vn6P-Y: HTTPConnectionPool(host='pleurx-demo.verisign.tech', port=80): Max retries exceeded with url: /.well-known/acme-challenge/R9WpzyL9KvY80mWqb-34CqmUt92JQtE0qKrk6vn6P-Y (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7fef56c60850>: Failed to establish a new connection: [Errno 111] Connection refused',))
2017-02-14 10:02:56,192:WARNING:letsencrypt.plugins.manual:Self-verify of challenge failed.
2017-02-14 10:03:02,713:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/pleurx-demo.verisign.tech.conf produced an unexpected error: Failed authorization procedure. pleurx-demo.verisign.tech (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to pleurx-demo.verisign.tech. Skipping.

I suspect 143 was a typo in @serverco's comment and port 443 (HTTPS) was meant.


443 is also opened, but I am still getting this error.

I tried every way using the "letsencrypt renewal" command to renew the certificate, but still no luck. I am getting the same error. Is there any other manual method to renew the license? Please help me on this. I am new to letsencrypt.

Press ENTER to continue
2017-02-14 10:55:20,671:ERROR:acme.challenges:Unable to reach http://pleurx-demo.verisign.tech/.well-known/acme-challenge/rTcs3NfMNbcNzX78Blm32cZETku-fw8MX9C7-4JJbVI: HTTPConnectionPool(host='pleurx-demo.verisign.tech', port=80): Max retries exceeded with url: /.well-known/acme-challenge/rTcs3NfMNbcNzX78Blm32cZETku-fw8MX9C7-4JJbVI (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7fc00f09f850>: Failed to establish a new connection: [Errno 111] Connection refused',))
2017-02-14 10:55:20,672:WARNING:letsencrypt.plugins.manual:Self-verify of challenge failed.
2017-02-14 10:55:27,251:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/pleurx-demo.verisign.tech.conf produced an unexpected error: Failed authorization procedure. pleurx-demo.verisign.tech (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to pleurx-demo.verisign.tech. Skipping.
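A small diagnostic for the two things visible in this thread, added here as an example and not taken from the original posts or from certbot itself: it reads a renewal conf to spot authenticator = manual (which makes "certbot renew" replay the interactive manual flow, as noted above), and maps the errno in the http-01 self-verify log lines to a cause: 110 (timed out) points at a firewall dropping port 80, 111 (refused) at an open port with nothing listening, which is exactly what the standalone authenticator provides. The conf text, domain and log lines below are constructed samples modelled on the thread.

```python
import re

# Constructed sample modelled on the thread (domain and paths replaced).
SAMPLE_CONF = """\
renew_before_expiry = 30 days
version = 0.9.3
[renewalparams]
authenticator = manual
server = https://acme-v01.api.letsencrypt.org/directory
"""
SAMPLE_LOG = [
    "2017-02-13 12:39:39,066:ERROR:acme.challenges:Unable to reach http://example.test/"
    ".well-known/acme-challenge/TOKEN1: ... [Errno 110] Connection timed out",
    "2017-02-14 10:02:56,192:ERROR:acme.challenges:Unable to reach http://example.test/"
    ".well-known/acme-challenge/TOKEN2: ... [Errno 111] Connection refused",
]
ERRNO_MEANING = {
    "110": "timed out: port 80 is blocked or dropped before it reaches the host",
    "111": "refused: port 80 is reachable but nothing is listening on it",
}

def parse_renewal_conf(text):
    """Parse the renewal conf; keys above the first [section] land under ""."""
    conf, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf.setdefault(section, {})[key] = value
    return conf

def classify_log_line(line):
    """Map an 'Unable to reach' self-verify line to its likely cause, else None."""
    m = re.search(r"\[Errno (\d+)\]", line)
    if not m or "Unable to reach" not in line:
        return None
    return ERRNO_MEANING.get(m.group(1), "errno %s: unrecognised" % m.group(1))

def diagnose(conf_text, log_lines):
    """Return findings explaining why 'certbot renew' fails for this conf/log."""
    findings = []
    params = parse_renewal_conf(conf_text).get("renewalparams", {})
    if params.get("authenticator") == "manual":
        findings.append("authenticator = manual: renew replays the interactive "
                        "manual flow, so it cannot succeed unattended")
    for cause in filter(None, map(classify_log_line, log_lines)):
        findings.append("http-01 self-verify " + cause)
    return findings
```

Run diagnose() against /etc/letsencrypt/renewal/<domain>.conf and the relevant lines of /var/log/letsencrypt/letsencrypt.log; a "refused" finding after the firewall is open is the cue to re-issue with "certbot certonly --standalone".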

Thanks Serverco, what is the full command I need to use for renewal using certbot?

Assuming certbot is in the path, then

certbot certonly --standalone -d pleurx-demo.verisign.tech

If not, then you might need to go to the directory where you installed certbot and use

./certbot certonly --standalone -d pleurx-demo.verisign.tech

Thank you so much Serverco.
Looks like I got a new certificate. Now I need to create a JKS file from fullchain.pem & privatekey.pem and then make a change to the Tomcat config file.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for pleurx-demo.verisign.tech
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/pleurx-demo.verisign.tech/fullchain.pem. Your
    cert will expire on 2017-05-16. To obtain a new or tweaked version
    of this certificate in the future, simply run certbot-auto again.
    To non-interactively renew all of your certificates, run
    "certbot-auto renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le
