Https://letsencrypt.org/docs/failed-validation-limit/ [Apache Tomcat]

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:esda.hkmlcps.edu.hk

I ran this command:certbot certonly --webroot

It produced this output:An unexpected error occurred:
Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache Tomcat

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

What's your question?

How long can I re-try and how can I use letsencrypt ssl

Thanks

One hour, but if you don't find out what caused the

you will get to this same situation really fast.

When an authorisation fails you should get more info. Tell us.

How can fix it?

Input the webroot for esda.hkmlcps.edu.hk: (Enter 'c' to cancel): C:\esda_new\Apache_Tomcat_9.0\conf

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: Domain: esda.hkmlcps.edu.hk
Type: connection
Detail: 203.188.220.98: Fetching http://esda.hkmlcps.edu.hk/.well-known/acme-challenge/Mv6_XBZ4UWfRRyONa1iy36g3nU4gVnAmMiWn8Yo7Qs0: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.

Check your firewalls. You need to allow connections from the entire internet if http-01 validation has to work.

If you can't, check dns-01 authentication.

dns-01 authentication result as below:

All OK!

OK

No issues were found with esda.hkmlcps.edu.hk. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

That looks like a letdebug.net output.

Dns-01 is nearly always possible, that's almost never an issue. Actually using it requires careful attention.

Please use http-01 if you can.

http-01 result

ANotWorking

ERROR

esda.hkmlcps.edu.hk has an A (IPv4) record (203.188.220.98) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

Get "http://esda.hkmlcps.edu.hk/.well-known/acme-challenge/letsdebug-test": dial tcp 203.188.220.98:80: connect: connection refused

Trace:
@0ms: Making a request to http://esda.hkmlcps.edu.hk/.well-known/acme-challenge/letsdebug-test (using initial IP 203.188.220.98)
@0ms: Dialing 203.188.220.98
@263ms: Experienced error: dial tcp 203.188.220.98:80: connect: connection refused

IssueFromLetsEncrypt

ERROR

A test authorization for esda.hkmlcps.edu.hk to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

203.188.220.98: Fetching http://esda.hkmlcps.edu.hk/.well-known/acme-challenge/tECvWcm6yNDKgXV2BzWM4FHoxI___lE22vGm9qcxXHc: Connection refused

Your firewall must allow the HTTP [TCP port 80] connection requests.

Then you could switch to using DNS-01 authentication.
Note: That is not as easy to automate as HTTP-01 authentication.
But you could do it manually [if you need a cert right away].

I allow it via windows firewall, any step I need to do more?

Would it be web sever cofig issues?

Here is the config

<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
    maxThreads="150" minSpareThreads="4"/>
-->


<!-- A "Connector" represents an endpoint by which requests are received
     and responses are returned. Documentation at :
     Java HTTP Connector: /docs/config/http.html
     Java AJP  Connector: /docs/config/ajp.html
     APR (HTTP/AJP) Connector: /docs/apr.html
     Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />


		   <Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="conf/.keystore" keystorePass="changeit"
       clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.1,TLSv1.2" URIEncoding="UTF-8"/>
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
           port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />
-->
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation. The default
     SSLImplementation will depend on the presence of the APR/native
     library and the useOpenSSL attribute of the
     AprLifecycleListener.
     Either JSSE or OpenSSL style configuration may be used regardless of
     the SSLImplementation selected. JSSE style configuration is used below.
-->
<!--
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
-->
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
     This connector uses the APR/native implementation which always uses
     OpenSSL for TLS.
     Either JSSE or OpenSSL style configuration may be used. OpenSSL style
     configuration is used below.
-->
<!--
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
-->

<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector protocol="AJP/1.3"
           address="::1"
           port="8009"
           redirectPort="443" />
-->

<!-- An Engine represents the entry point (within Catalina) that processes
     every request.  The Engine implementation for Tomcat stand alone
     analyzes the HTTP headers included with the request, and passes them
     on to the appropriate Host (virtual host).
     Documentation at /docs/config/engine.html -->

<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">

  <!--For clustering, please take a look at documentation at:
      /docs/cluster-howto.html  (simple how to)
      /docs/config/cluster.html (reference documentation) -->
  <!--
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
  -->

  <!-- Use the LockOutRealm to prevent attempts to guess user passwords
       via a brute-force attack -->
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>

  <Host name="localhost"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">

    <!-- SingleSignOn valve, share authentication between web applications
         Documentation at: /docs/config/valve.html -->
    <!--
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    -->

    <!-- Access log processes all example.
         Documentation at: /docs/config/valve.html
         Note: The pattern used is equivalent to using pattern="common" -->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />

  </Host>
</Engine>

Are there any other firewalls?

If I can access http website, is it mean that firewall setting is ok?

On the other hand, will there any issues not about firewalls setting that I need to check?

dose your router port forwarded to it?

That depends:

• are you accessing it from the school network
• are you accessing it from a trusted IP / trusted network
• are you using a VPN

OR

• are you using a random public Internet IP?

There are many ways to access it.
ACME requires that the Internet reach your client via HTTP.
But LE can't reach it.
Let's Debug can't reach it.
And I can't reach it either:

curl -Ii http://esda.hkmlcps.edu.hk/.well-known/acme-challenge/Test_File-1234
curl: (56) Recv failure: Connection reset by peer

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.