It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): mec-staging.longiviti.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mec-staging.longiviti.com
Using the webroot path /opt/tomcat/webapps for all unmatched domains.
Waiting for verification…
Challenge failed for domain mec-staging.longiviti.com
http-01 challenge for mec-staging.longiviti.com
Cleaning up challenges
Some challenges have failed.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
My web server is (include version): Tomcat 8.5
The operating system my web server runs on is (include version):
Linux AMI AWS
Version: 4.14.186-146.268.amzn2.x86_64
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.6.0
Can anyone help? I don’t know where the problem is; the error log from certbot does not give me any helpful information to work on.
/opt/tomcat/webapps is not usually the webroot of a Tomcat server. It’s usually a subdirectory in there, such as ROOT or wherever your application war got exploded.
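As a practical check for the point made in this reply, here is an added shell script (my example, not code from the thread or from certbot) that locates Tomcat's ROOT webapp from a CATALINA_BASE directory, drops a probe file under .well-known/acme-challenge/ in a candidate webroot, and can then fetch it over plain HTTP the way Let's Encrypt will. The directory layout, the DOMAIN and WEBROOT variables and the probe file name are assumptions; the offline part runs on a constructed temporary tree.

```shell
#!/bin/sh
# Added example (not from the thread): confirm a directory is really the
# webroot answering http://DOMAIN/.well-known/acme-challenge/ before
# passing it to certbot with --webroot -w.
set -eu

# Directory where the http-01 token must be placed for a given webroot.
acme_dir() {          # $1 = webroot
    printf '%s/.well-known/acme-challenge' "${1%/}"
}

# URL the CA fetches for a domain and token.
acme_url() {          # $1 = domain, $2 = token
    printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# Guess the Tomcat webroot: the exploded ROOT webapp, not webapps/ itself.
tomcat_webroot() {    # $1 = CATALINA_BASE, e.g. /opt/tomcat (assumed)
    if [ -d "$1/webapps/ROOT" ]; then
        printf '%s/webapps/ROOT\n' "$1"
        return 0
    fi
    return 1
}

# Write a throwaway token file and print its path. Fails if the directory
# cannot be created or written, which itself points at a wrong path or
# wrong permissions for the user running certbot.
place_token() {       # $1 = webroot, $2 = token
    dir=$(acme_dir "$1")
    mkdir -p "$dir" || return 1
    printf 'probe-%s\n' "$2" > "$dir/$2" || return 1
    chmod 644 "$dir/$2"
    printf '%s\n' "$dir/$2"
}

# Fetch the token exactly as the CA would (plain HTTP, port 80) and compare.
# Needs working DNS and a reachable port 80; only used when DOMAIN is set.
probe_token() {       # $1 = domain, $2 = token
    body=$(curl -fsS --max-time 10 "$(acme_url "$1" "$2")") || return 1
    [ "$body" = "probe-$2" ]
}

# Offline demo on a constructed temporary Tomcat tree.
tmp=$(mktemp -d)
mkdir -p "$tmp/webapps/ROOT"
root=$(tomcat_webroot "$tmp")
token="probe$$"
echo "would point certbot at: -w $root"
echo "token placed at: $(place_token "$root" "$token")"
echo "CA would fetch:  $(acme_url "${DOMAIN:-example.com}" "$token")"
rm -rf "$tmp"

# Live check, e.g.:
#   DOMAIN=host.example.com WEBROOT=/usr/share/tomcat8/webapps/ROOT sh probe.sh
if [ -n "${DOMAIN:-}" ] && [ -n "${WEBROOT:-}" ]; then
    f=$(place_token "$WEBROOT" "$token")
    if probe_token "$DOMAIN" "$token"; then
        echo "OK: $WEBROOT is what port 80 serves for $DOMAIN"
    else
        echo "FAIL: $(acme_url "$DOMAIN" "$token") did not return the probe"
    fi
    rm -f "$f"
fi
```

If the live fetch fails while DNS resolves to the right address, the path given to -w is not what answers port 80 for that name: a different webapp context, a redirect to HTTPS that lands elsewhere, or a proxy in front of Tomcat. In the proxied case the ACME path has to be served by the front-end (Apache's `ProxyPass /.well-known/acme-challenge/ !` excludes it from proxying) from the same directory certbot writes into.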
It seems that certbot may be unable to correctly match the document root path for that domain.
I also see that it includes "tomcat" - which is a known complicator in these matters.
If you can find the exact path you can provide it to certbot using the --webroot -w /your/path option.
Using certonly will only get the cert - it will not install it.
I’m not sure where tomcat stores its config files but you will have to find it and add it in there.
So what I did was create a PKCS12
openssl pkcs12 -export -out /tmp/example.com_fullchain_and_key.p12 \
  -in /etc/letsencrypt/live/example.com/fullchain.pem \
  -inkey /etc/letsencrypt/live/example.com/privkey.pem \
  -name tomcat
Then I convert that PKCS12 to a JKS, using Java’s keytool
keytool -importkeystore \
  -deststorepass samplePassword -destkeypass samplePassword -destkeystore /tmp/example.com.jks \
  -srckeystore /tmp/example.com_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass samplePassword \
  -alias tomcat
Then in Tomcat server.xml, I changed the config to
I must be a superuser if I’m using port 443, as binding to ports < 1024 on Linux requires more permissions, but it is the tomcat user who will be using SSL. So I cannot change the port to 443 in the Connector field.
OK, but a browser will always try to connect on port 443 when you use HTTPS without specifying another port. If your Tomcat can’t bind port 443, a browser won’t be able to make a direct HTTPS connection to it. You would probably need to use some kind of wrapper script to start Tomcat as a superuser if you want it to directly accept these HTTPS connections, or else make a host or network firewall forward incoming port 443 connections to port 8443.
Sorry, I ended up restarting the whole process because it’s too complicated. This time Tomcat is in /usr/share/tomcat8. My domain name also changed to mec-staging2.longiviti.com. I use httpd to sit in front of Tomcat.
I surely hoped everything would be much easier (that’s what I thought).
I ran /opt/letsencrypt/letsencrypt-auto --webroot -w /usr/share/tomcat8/webapps/ -d mec-staging2.longiviti.com -i apache
This is what I get on the terminal:
Requesting to rerun /opt/letsencrypt/letsencrypt-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mec-staging2.longiviti.com
Using the webroot path /usr/share/tomcat8/webapps for all unmatched domains.
Waiting for verification…
Challenge failed for domain mec-staging2.longiviti.com
http-01 challenge for mec-staging2.longiviti.com
Cleaning up challenges
Some challenges have failed.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
So far I made these changes in my ssl.conf,
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://mec-staging2.longiviti.com$1 [R,L]
</VirtualHost>
<VirtualHost *:443>
…
SSLCertificateFile /etc/letsencrypt/live/mec-staging2.longiviti.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mec-staging2.longiviti.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mec-staging2.longiviti.com/fullchain.pem
…
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
</VirtualHost>
The good news is you have a cert and the redirection is working as expected.
You are still pending the proxy timeout issue and proper handling of the renewal requests.
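To put the PKCS12 conversion posted earlier in the thread on a renewal footing (the "proper handling of the renewal requests" point above), here is an added example of a certbot deploy hook. It is my example, not code from the thread or from certbot, and it rebuilds the keystore from fullchain.pem and privkey.pem each time certbot renews. RENEWED_LINEAGE is an environment variable certbot does export to deploy hooks; the keystore directory, the password file, the Tomcat user and the systemd unit name are assumptions. It deliberately differs from the manual steps in two ways: the export password is read from a root-owned file instead of being typed on the command line, and the keytool step is dropped because Tomcat 8.5 can load the .p12 directly with keystoreType="PKCS12".

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that rebuilds
# Tomcat's PKCS12 keystore after every renewal.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/tomcat-keystore.sh
set -eu

# Assumed locations; adjust for your installation.
KEYSTORE_DIR="${KEYSTORE_DIR:-/etc/tomcat/ssl}"
PASS_FILE="${PASS_FILE:-/etc/tomcat/ssl/keystore.pass}"   # root:tomcat, mode 0640
TOMCAT_USER="${TOMCAT_USER:-tomcat}"

# Keystore location for a lineage: <keystore dir>/<domain>.p12
keystore_path() {   # $1 = lineage dir (/etc/letsencrypt/live/<domain>), $2 = keystore dir
    printf '%s/%s.p12\n' "${2%/}" "$(basename "$1")"
}

# Build the PKCS12 from fullchain.pem + privkey.pem. The export password comes
# from a file (openssl's file: form), so it never appears in ps output or
# shell history the way a literal -passout pass:... would.
build_pkcs12() {    # $1 = lineage dir, $2 = output .p12, $3 = password file
    tmp="$2.tmp.$$"
    openssl pkcs12 -export \
        -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
        -name tomcat -passout "file:$3" -out "$tmp"
    chmod 640 "$tmp"
    mv -f "$tmp" "$2"      # atomic swap: Tomcat never reads a half-written keystore
}

# Check that the keystore holds a leaf certificate whose CN is the domain.
verify_pkcs12() {   # $1 = .p12, $2 = password file, $3 = domain
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "file:$2" 2>/dev/null \
      | openssl x509 -noout -subject | grep -q "CN *= *$3"
}

main() {
    lineage="${RENEWED_LINEAGE:?set by certbot for deploy hooks}"
    out=$(keystore_path "$lineage" "$KEYSTORE_DIR")
    mkdir -p "$KEYSTORE_DIR"
    build_pkcs12 "$lineage" "$out" "$PASS_FILE"
    chown "root:$TOMCAT_USER" "$out"
    verify_pkcs12 "$out" "$PASS_FILE" "$(basename "$lineage")"
    # Tomcat reads the keystore at startup only, so restart it (assumed unit name).
    systemctl restart tomcat
}

# Act only when certbot invokes us; otherwise just define the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

The Connector in server.xml then points at the generated file, e.g. keystoreFile="/etc/tomcat/ssl/mec-staging2.longiviti.com.p12" keystoreType="PKCS12" with keystorePass set to the same value as the password file (all assumed paths). The hook can be exercised by hand with RENEWED_LINEAGE=/etc/letsencrypt/live/<domain> before relying on certbot's timer to run it.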