I’m having a spring boot application with embedded Tomcat,(No web server installed. Application is running from JAR) certbot asks me to create a well-known folder. Where should I create it?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: demo.azure.com

I ran this command: certbot certonly -v -manual

It produced this output:

Requesting a certificate for demo.azure.com
Performing the following challenges:
http-01 challenge for demo.azure.com

Create a file containing just this data:

Zw_IxNkshuophnnkjddswrhnjcdssDSDGB.2jfvnkueghui
And make it available on your web server at this URL:
http://demo.azure.com/.well-known/acme-challenge/Zw_IxNkshuophnnkjddswrhnjcdssDSDGB

My web server is (include version): Not applicable

The operating system my web server runs on is (include version): Windows server 2016

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.16.0

Hi @Pyarel and welcome to the LE community forum

I think that you would do well by including the --webroot parameter.
For that you would either:

• need to know where the document root path is and place a test file there to confirm accessibility
• be able to specify a path for all challenge requests (/.well-known/acme-challenge/)
  [not sure how that is handled within your app]

OR

• don't use HTTP authentication - how about DNS auth?

Other options:

• Use a web server as a reverse proxy to your application (e.g. nginx or Caddy). Then you can obtain your certificate and terminate TLS at the reverse proxy.

• Use Certbot's --standalone feature. You will have to temporarily stop your application when requesting and renewing certificates, because --standalone needs port 80 for itself. You may be able to automate the stopping and restarting of your application by specifying commands to Certbot's --pre-hook and --post-hook options.

Hi. Thanks for the reply.
I will try the DNS based auth and update you.

Hi Thanks for the reply.
To use the standalone cmd, I need to install certbot in the same instance in which my application is running right?
Because currently I’m using -manual as certbot is running on machine other than my target webserver

Hi Thanks for the reply.
To use the standalone cmd, I need to install certbot in the same instance in which my application is running right?
Because currently I’m using -manual as certbot is running on machine other than my target webserver

Yes, that's correct. Certbot is most able to automate the certificate request and deployment process when it's running on the same machine where the web server is located.

Thank you. I will try this and update here!.

Hi thank you.This solution worked for generating the certificate successfully. But when I use the certificate it’s showing certificate is invalid in the browser.
Any idea why this could happen?

Is demo.azure.com your real domain name, or did you replace it for your forum post?

When you renew your certificate, the files will be updated but you need to ensure your tomcat configuration is pointing to the latest files. Normally this is via a symbolic link.

You also need to restart tomcat when your cert files change.

Used it just as an example for the forum post

Hi. Thank for the reply. I have updated the spring boot configuration to point to the certificate. Restarted the application. The issue still persists

It is quite difficult to troubleshoot this without any specific details...

What shows?:
certbot certificates

Used it just as an example for the forum post

It would be great to know your real domain name so that we could check on the problem for ourselves.

I forgot if you said whether you're using Tomcat with a JKS or with PEM files, but one thing to consider is that, when you do a renewal with Certbot, Certbot will only save updated PEM files. If you happen to have created a JKS file based on those PEM files, you'll have to update your JKS file, too.

Certify The Web also has a Deploy to Tomcat option (Task), just so you know. It requires a version of tomcat that works with PKCS12 certificate containers (e.g. PFX). It can also restart tomcat.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.