Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/jira.accentedge.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/jira.accentedge.com/privkey.pem
Your cert will expire on 2023-09-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"
My web server is (include version): Apache
The operating system my web server runs on is (include version): Ubuntu
My hosting provider, if applicable, is: AWS EC2 instance
I can login to a root shell on my machine (yes or no, or I don't know): Yes, I can log in
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
If you got the certificate via a method other than certbot --apache, Certbot will not automatically reload Apache for you. You may have to reload Apache manually for it to check for new certificates.
If so, you can also choose to add a --deploy-hook option to your Certbot configuration to run the command to reload Apache automatically whenever certificates are renewed.
$ nmap -Pn -p80,443 jira.accentedge.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-20 18:39 UTC
Nmap scan report for jira.accentedge.com (18.218.164.94)
Host is up (0.082s latency).
rDNS record for 18.218.164.94: ec2-18-218-164-94.us-east-2.compute.amazonaws.com
PORT STATE SERVICE
80/tcp open http
443/tcp filtered https
Nmap done: 1 IP address (1 host up) scanned in 2.03 seconds
Thanks for the quick response.
Initially I configured Let's Encrypt SSL on Jira with the help of this article on GitHub: HOWTO Configure Atlassian Jira to use Letsencrypt certificate · GitHub.
It was running fine with SSL, but recently I realized that my cert is expired, so I renewed it using the command "certbot renew". It says that it has successfully renewed the certificate, but when I ran the Jira service on my browser it doesn't pick the renewed certificate.
I tried again by adding --deploy-hook to the command, but still it doesn't work.
Those installation instructions [post #10] may be outdated.
There should be a way to avoid the whole keystore process and have Jira use the .pem files directly.
Copied from the instruction page:
I did this on an Ubuntu 16.04 machine. I used the OpenJDK 8 for my Java install, so my $JAVA_HOME is /usr/lib/jvm/java-8-openjdk-amd64/jre
$ sudo su - # Become root (much easier)
# cd $JAVA_HOME
Create a PKCS12 that contains both your full chain and the private key
# openssl pkcs12 -export -out /tmp/jira.example.com_fullchain_and_key.p12 -in /etc/letsencrypt/live/jira.example.com/fullchain.pem -inkey /etc/letsencrypt/live/jira.example.com/privkey.pem -name jira
Convert that PKCS12 to a JKS
# keytool -importkeystore -deststorepass 1234 -destkeypass 1234 -destkeystore jira.jks -srckeystore /tmp/jira.example.com_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass 1234 -alias jira
If the system gives you a warning about PKCS12, it may tell you to run the following. Go ahead.
# keytool -importkeystore -srckeystore jira.jks -destkeystore jira.jks -deststoretype pkcs12
Specifically, the --deploy-hook option is meant to be used with commands that need to be run in order to deploy the certificate. It does not automatically figure out what those commands should be; you have to tell it. Like possibly the commands that @rg305 mentions above, perhaps combined into a single shell script, if those commands indeed need to be re-run in order to convert the certificate and key into a JKS format.
If your web server is pointing to a JKS file, that is definitely not automatically updated with the new certificate and new key by Certbot, unless you explicitly tell it commands to run in order to accomplish that (like via --deploy-hook and specifying those exact commands).
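A sketch of the kind of deploy-hook script discussed above, added here as an example and not taken from any of the posts or from the linked HOWTO. It repeats the PKCS12 export step from the quoted instructions each time Certbot renews, reading the keystore password from a root-only file instead of the command line. The keystore path, password file, service name and `KEYSTORE_OWNER` variable are assumptions, and it assumes Jira's connector reads the PKCS12 file directly; if it reads a JKS, the `keytool -importkeystore` step from the instructions would follow the export.

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds the keystore Jira reads.
# Assumed (not from the thread): keystore path, password file, service name.
KEYSTORE="${KEYSTORE:-/opt/atlassian/jira/jira.p12}"        # hypothetical path
PASSFILE="${PASSFILE:-/etc/letsencrypt/jira-keystore.pass}" # root-only, 0600
RESTART_CMD="${RESTART_CMD:-systemctl restart jira}"        # hypothetical unit

# deploy_keystore LINEAGE_DIR DEST PASSFILE -> 0 on success, 1 on any failure
deploy_keystore() {
    lineage=$1 dest=$2 passfile=$3
    for f in "$lineage/fullchain.pem" "$lineage/privkey.pem" "$passfile"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    # Temp file beside the destination (not /tmp): created 0600, atomic rename.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    # The password is read from a file, so it never shows up in the process list.
    openssl pkcs12 -export -name jira \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -passout "file:$passfile" -out "$tmp" &&
    # Refuse to install a keystore that cannot be opened again.
    openssl pkcs12 -in "$tmp" -passin "file:$passfile" -noout 2>/dev/null &&
    # Optional: hand the file to the account Jira runs as (hypothetical variable).
    { [ -z "${KEYSTORE_OWNER:-}" ] || chown "$KEYSTORE_OWNER" "$tmp"; } &&
    mv -f "$tmp" "$dest" && return 0
    rm -f "$tmp"
    return 1
}

# Certbot exports RENEWED_LINEAGE to deploy hooks; it points at the renewed
# live directory, e.g. /etc/letsencrypt/live/<name>.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_keystore "$RENEWED_LINEAGE" "$KEYSTORE" "$PASSFILE" && $RESTART_CMD
fi
```

Saved as an executable file, the script's path is what gets passed to `--deploy-hook`; Jira is restarted only when the new keystore was built and verified.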