Inability to Renew SSL certificate on Ubuntu 18.04, Apache tomcat 8.5.58

I have been trying to renew my expired SSL certificate on a VM in Google Cloud. The OS is Ubuntu 8.08 and the web server runs on Apache Tomcat 8.5.58. I used the command:

sudo certbot certonly --force-renewal --apache -n -d [CERTIFICATE_NAME]

The result of the above code run is as below, with error codes:

root@ksdev-nnb-org-1:/app/apache-tomcat-8.5.58/bin# sudo certbot --force-renewal --apache -n -d ksdev.nnb.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ksdev.nnb.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ksdev.nnb.org (http-01): urn:ietf:params:acme:error:connection :: The server could
not connect to the client to verify the domain :: Fetching https://ksdev.nnb.org/.well-known/acme-challenge/zHwAzJF
SYhfPTAeUvJ0CAFmxGB6-v2hDoqO9E3yrMZE: Error getting validation data
IMPORTANT NOTES:

  • The following errors were reported by the server:
    Domain: ksdev.nnb.org
    Type: connection
    Detail: Fetching
    https://ksdev.nnb.org/.well-known/acme-challenge/zHwAzJFSYhfPTAeUvJ0CAFmxGB6-v2hDoqO9E3yrMZE:
    Error getting validation data
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided

Could anyone please provide urgent solutions to this problem for me?

Please don't use that option. It doesn't help when errors are present and it can lead to running into rate limits if you're not careful.

Also, the server listening on that hostname presents itself as "Nginx"? It seems I'm getting a "This website is for sale" parking site. Not much we can help you with if the requests for your hostname aren't actually going to your server.

It is an Apache server. I'm sorry, I decided not to give the real hostname for privacy reasons. So what option should I use, please?

Hi @olusola

the domain name is required. A domain is public, there is no privacy.

The failed request is in HTTPS, which means it must have heard a redirection.
Because the original request is always HTTP.

But all that may be moot, as you are running:

And that needs to be handled quite differently than regular Apache.

"Error getting validation data" is the catch-all error in the Let's Encrypt CA code when there was a network problem on connecting to your site. (In particular, it's used when Let's Encrypt hasn't written code that detects and reports a more specific error reason.)

Without knowing your domain name we (the Let's Encrypt community) can't do our own tests to figure out exactly what the problem is. It could be a firewall, IPv4/IPv6, or DNS error.
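
The reasoning in the replies above (an http-01 check always starts over plain HTTP, so an https:// URL in the error means a redirect was followed, and "connection" is a network-level failure) can be applied mechanically to certbot's failure line. This is an added example, not part of the thread or of certbot; the helper name `diagnose` and the hint wording are assumptions, and the sample is the thread's error line unwrapped onto one line.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the failure line from the thread, unwrapped onto one line.
SAMPLE = (
    "Failed authorization procedure. ksdev.nnb.org (http-01): "
    "urn:ietf:params:acme:error:connection :: The server could not connect "
    "to the client to verify the domain :: Fetching "
    "https://ksdev.nnb.org/.well-known/acme-challenge/"
    "zHwAzJFSYhfPTAeUvJ0CAFmxGB6-v2hDoqO9E3yrMZE: Error getting validation data"
)

FAILURE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"urn:ietf:params:acme:error:(?P<error>\w+) :: (?P<reason>.*?) :: (?P<detail>.*)"
)
CHALLENGE_PATH = "/.well-known/acme-challenge/"

def diagnose(line):
    """Hypothetical helper: parse one certbot failure line and return findings."""
    m = FAILURE.search(line)
    if m is None:
        return None  # not a failed-authorization line
    info = m.groupdict()
    # The URL after "Fetching" is the request that failed.
    fetch = re.search(r"Fetching (\S+?):(?: |$)", info["detail"])
    info["url"] = fetch.group(1) if fetch else None
    hints = []
    if info["url"]:
        parts = urlsplit(info["url"])
        if info["challenge"] == "http-01" and parts.scheme == "https":
            # http-01 always starts on plain HTTP, so https means a redirect.
            hints.append("redirected from HTTP to HTTPS; the HTTPS listener "
                         "must be reachable and serve the challenge path")
        if parts.hostname != info["domain"]:
            hints.append("redirected to another host: %s" % parts.hostname)
        if not parts.path.startswith(CHALLENGE_PATH):
            hints.append("redirect left " + CHALLENGE_PATH)
    if info["error"] == "connection":
        hints.append("network failure: check DNS A/AAAA, firewall, IPv4/IPv6")
    info["hints"] = hints
    return info

if __name__ == "__main__":
    result = diagnose(SAMPLE)
    print(result["domain"], result["error"], result["url"])
    for hint in result["hints"]:
        print(" -", hint)
```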