Invalid response from domain

My domain is:
mec-staging.longiviti.com

I ran this command:
sudo certbot certonly -d mec-staging.longiviti.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): mec-staging.longiviti.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mec-staging.longiviti.com
Using the webroot path /opt/tomcat/webapps for all unmatched domains.
Waiting for verification…
Challenge failed for domain mec-staging.longiviti.com
http-01 challenge for mec-staging.longiviti.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mec-staging.longiviti.com
    Type: unauthorized
    Detail: Invalid response from
    http://mec-staging.longiviti.com/.well-known/acme-challenge/2bL4WCPvZvMKaNhkiUiMR9zpf8LJXHB66nxRKJjsbPo
    [13.55.177.103]: "\n\n<!--[if IE 7]>

    <html class"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version): Tomcat 8.5

The operating system my web server runs on is (include version):
Linux AMI AWS
Version: 4.14.186-146.268.amzn2.x86_64

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.6.0

Can anyone help? I don’t know where the problem is; the certbot error log does not give me anything helpful to work on.

1 Like

/opt/tomcat/webapps is not usually the webroot of a Tomcat server. It’s usually a subdirectory in there, such as ROOT or wherever your application war got exploded.

1 Like

It seems that certbot may be unable to correctly match the document root path for that domain.
I also see that it includes "tomcat", which is a known complicator in these matters.
If you can find the exact path you can provide it to certbot using the --webroot -w /your/path option.

1 Like

Thanks for the inputs, guys. When I attached --webroot -w /my/path to certbot, it now works and generates the pem files.

But now for some reason the SSL does not work; here is my Tomcat log below:

17-Aug-2020 01:40:36.126 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]

17-Aug-2020 01:40:36.138 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-8443"]

and it is showing that the port for SSL (443) is now open, but when I access my site, it does not open over SSL. My site is still unsecured.

1 Like

Using certonly will only get the cert; it will not install it.
I’m not sure where Tomcat stores its config files, but you will have to find it and add it in there.

1 Like

Yes, I did include the keystores.

So what I did was create a PKCS12:
openssl pkcs12 -export -out /tmp/example.com_fullchain_and_key.p12 \
    -in /etc/letsencrypt/live/example.com/fullchain.pem \
    -inkey /etc/letsencrypt/live/example.com/privkey.pem \
    -name tomcat

Then I converted that PKCS12 to a JKS, using Java’s keytool:
keytool -importkeystore \
    -deststorepass samplePassword -destkeypass samplePassword -destkeystore /tmp/example.com.jks \
    -srckeystore /tmp/example.com_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass samplePassword \
    -alias tomcat

Then in Tomcat’s server.xml, I changed the config to

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="/tmp/example.com.jks"
    keystorePass="samplePassword"
    clientAuth="false" sslProtocol="TLS" />

1 Like

That doesn't seem like it's likely to listen on port 443!

1 Like

I would have to be a superuser to use port 443, as binding to ports < 1024 on Linux requires more permissions, but it is the tomcat user who will be using the SSL. So I cannot change the port to 443 in the Connector field.

OK, but a browser will always try to connect on port 443 when you use HTTPS without specifying another port. If your Tomcat can’t bind port 443, a browser won’t be able to make a direct HTTPS connection to it. You would probably need to use some kind of wrapper script to start Tomcat as a superuser if you want it to directly accept these HTTPS connections, or else make a host or network firewall forward incoming port 443 connections to port 8443.

(or using a different web server application as a reverse proxy to accept HTTPS connections and then forward them to your Tomcat instance)

1 Like

@schoen, they may not be able to run any service on 443:

What about a firewall (to do port translation)?

Sorry, I ended up restarting the whole process because it’s too complicated. This time Tomcat is stored in /usr/share/tomcat8. My domain name also changed to mec-staging2.longiviti.com. I use httpd to act as the one in front of Tomcat.

Surely I hope everything would be much easier (that’s what I thought).

I run /opt/letsencrypt/letsencrypt-auto --webroot -w /usr/share/tomcat8/webapps/ -d mec-staging2.longiviti.com -i apache

This is what I get on the terminal,

Requesting to rerun /opt/letsencrypt/letsencrypt-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mec-staging2.longiviti.com
Using the webroot path /usr/share/tomcat8/webapps for all unmatched domains.
Waiting for verification…
Challenge failed for domain mec-staging2.longiviti.com
http-01 challenge for mec-staging2.longiviti.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

I’m pretty sure the webroot folder is correct.

If I read that correctly, you should be using an Apache webroot instead of a Tomcat webroot.

1 Like

Thanks @rg305 that helps.
I made it until this far.

So far I made these changes in my ssl.conf:
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://mec-staging2.longiviti.com$1 [R,L]
</VirtualHost>

<VirtualHost *:443>

    SSLCertificateFile /etc/letsencrypt/live/mec-staging2.longiviti.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mec-staging2.longiviti.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mec-staging2.longiviti.com/fullchain.pem

    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass "/" "ajp://mec-staging2.longiviti.com:8009/" retry=0 timeout=5
    ProxyPassReverse "/" "ajp://mec-staging2.longiviti.com:8009/"

</VirtualHost>

But I’m still confused what’s missing from my configuration.

2 Likes

This can be simplified to the local IP/host (presuming it responds that way).

ProxyPass "/" "ajp://localhost:8009/" retry=0 timeout=5
ProxyPassReverse "/" "ajp://localhost:8009/"

And for future ease of renewals, you may want to allow for the challenge requests to be handled locally via Apache (rather than redirected to Tomcat).

1 Like
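Putting the two suggestions above together, here is an added example (not configuration posted in this thread): an Apache 2.4 VirtualHost pair that answers ACME HTTP-01 challenges from Apache's own webroot, redirects everything else to HTTPS, and reverse-proxies to Tomcat's AJP connector over the loopback interface. It assumes mod_ssl, mod_rewrite, mod_proxy and mod_proxy_ajp are loaded, that Apache's webroot is /var/www/html (the -w path to give certbot), and that Tomcat's AJP connector listens on localhost:8009 as in the thread.

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_ssl,
# mod_rewrite, mod_proxy and mod_proxy_ajp; Apache's webroot is
# /var/www/html; Tomcat's AJP connector listens on localhost:8009.
<VirtualHost *:80>
    ServerName mec-staging2.longiviti.com
    DocumentRoot /var/www/html

    # Serve ACME HTTP-01 challenges directly from Apache, so renewals
    # keep working even while Tomcat is down or being redeployed.
    Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/
    <Directory /var/www/html/.well-known/acme-challenge/>
        Require all granted
    </Directory>

    # Redirect every other plain-HTTP request to HTTPS.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^(.*)$ https://mec-staging2.longiviti.com$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName mec-staging2.longiviti.com

    SSLEngine on
    # fullchain.pem holds the leaf certificate plus intermediates, so no
    # separate SSLCertificateChainFile is needed on Apache 2.4.8 or later.
    SSLCertificateFile    /etc/letsencrypt/live/mec-staging2.longiviti.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mec-staging2.longiviti.com/privkey.pem

    # Forward proxying stays off; only the explicit reverse-proxy rules apply.
    ProxyRequests Off
    ProxyPreserveHost On

    # Challenge requests are never handed to Tomcat (explicit, even if
    # they normally arrive on port 80).
    ProxyPass /.well-known/acme-challenge/ !

    # Reverse proxy to Tomcat's AJP connector on the loopback interface,
    # so Tomcat keeps running unprivileged on a high port.
    ProxyPass        / ajp://localhost:8009/ retry=0 timeout=5
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>
```

With this layout certbot is run with -w /var/www/html, and Tomcat 8.5.51 or later additionally needs either secretRequired="false" or a shared secret configured on its AJP connector before it will accept the proxied connections.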

The good news is you have a cert and the redirection is working as expected.
You are still pending the proxy timeout issue and proper handling of the renewal requests.

1 Like

Thanks @rg305 it’s working now

2 Likes
