Let's Encrypt + Ubuntu 16.04 + Tomcat8 + Apache2

I serve a Tomcat app from my Ubuntu server. I want to set up SSL encryption, but since the bug, the PPA repositories have not been updated, so I have trouble configuring the encryption. I have tried/tested:

sudo certbot certonly --apache -d example.com --dry-run

But it expectedly fails. I have also tried:

sudo certbot certonly --authenticator webroot --installer apache -w /var/lib/tomcat8/webapps/ -d example.com --dry-run

But it fails, saying that the client is not authorized. I have also tried the following paths for the webroot, but all of them fail:

/var/lib/tomcat8/webapps/ROOT
/var/lib/tomcat8/webapps/myapplication
/var/www

The last one is actually the DocumentRoot path from my Apache settings. My question is: how do I obtain certificates for a Tomcat 8 application on Ubuntu 16.04 using Apache 2?

Please fill out the following questions - this shows up if you create a post under "Help". I'm moving your topic there as well. =] The big thing I'm interested in seeing here is the full output, but we'll probably end up needing the domain name to help as well.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Unfortunately I do not have permission to provide my domain name. I’ve also checked https://crt.sh/ and it does not have my domain (since my domain doesn’t have a certificate issued yet).

My domain is:

I ran this command:

sudo certbot certonly --authenticator webroot --installer apache -w /var/lib/tomcat8/webapps/ -d example.com --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <redacted>
Using the webroot path /var/lib/tomcat8/webapps for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. <redacted> (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://<redacted>/.well-known/acme-challenge/dxr-rVLJd0ghv0tur23w8Yi2B_XwYq2O6KVlVnsrrXY: "<!doctype html>
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <meta http-equiv="X-UA-Co"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: <redacted>
   Type:   unauthorized
   Detail: Invalid response from
   http://<redacted>/.well-known/acme-challenge/dxr-rVLJd0ghv0tur23w8Yi2B_XwYq2O6KVlVnsrrXY:
   "<!doctype html>
   <html>
    <head>
     <meta http-equiv="Content-Type" content="text/html;
   charset=utf-8">
     <meta http-equiv="X-UA-Co"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

Server version: Apache/2.4.18 (Ubuntu)
Server built:   2017-09-18T15:09:02
Apache Tomcat 8 - Servlet and JSP engine 8.0.32-1ubuntu1.5

The operating system my web server runs on is (include version):

Ubuntu 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Comment on the output: the A record is OK. It points to the right server. The site serves normally over HTTP. Because of Tomcat, the site is served through a reverse proxy (port 80 points to Tomcat’s port 8080).

Can you place a test.txt file in /var/lib/tomcat8/webapps/.well-known/acme-challenge/ and verify that you can navigate to http://domain.com/.well-known/acme-challenge/test.txt and see the contents? It’s best to test with cURL or the like, in case there’s some interstitial page displayed before the test file contents.

The issue is that your server is not returning the actual challenge file, but rather some HTML file.

You should also check if you have an AAAA record. If so, your server needs to respond properly over IPv6 as this is the preferred protocol if an AAAA record is present.

Hopefully that works, because there’s not much more we can do without the domain. It may not be in crt.sh now, but it will be once you successfully issue a live certificate. :wink:


Thanks jared! It’s definitely not the AAAA record. It seems that I have problems with my Apache configuration. If I open Tomcat’s default port (8080) through the firewall and visit my site explicitly through that port, I can navigate to http://domain.com:8080/.well-known/acme-challenge/test.txt. But if I visit the site through port 80, my Apache rewrite rules and reverse proxy rules seem to be making a mess. It just redirects me to my home page.
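The two checks discussed in this thread (placing a test file under /.well-known/acme-challenge/ and fetching it with cURL, and keeping the reverse proxy from swallowing that path) can be scripted. The following is an added example, not code from the thread or from Certbot; it assumes a local challenge directory of /var/www/acme, Tomcat listening on 127.0.0.1:8080, and an Apache fragment path that you choose (for example a file under /etc/apache2/conf-available/ that you then enable). The key point it encodes is ordering: the `ProxyPass /.well-known/acme-challenge/ !` exclusion must appear before the catch-all `ProxyPass /`, otherwise every challenge request is handed to Tomcat and the validator sees the home page HTML shown in the Certbot output above.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: challenge files live in
# /var/www/acme, Tomcat answers on http://127.0.0.1:8080/, and the Apache
# fragment is written to whatever path is passed as the first argument.

# Write an Apache fragment that serves /.well-known/acme-challenge/ from local
# disk and carves it out of the catch-all reverse proxy to Tomcat.
# Order matters: the "!" exclusion has to precede "ProxyPass /".
write_acme_exclusion() {
    conf="$1"; webroot="${2:-/var/www/acme}"; backend="${3:-http://127.0.0.1:8080/}"
    cat > "$conf" <<EOF
# HTTP-01 challenge files are served from local disk, never proxied to Tomcat.
Alias /.well-known/acme-challenge/ "$webroot/.well-known/acme-challenge/"
<Directory "$webroot/.well-known/acme-challenge/">
    Require all granted
    Options None
    AllowOverride None
</Directory>
ProxyPass /.well-known/acme-challenge/ !
ProxyPreserveHost On
ProxyPass / $backend
ProxyPassReverse / $backend
EOF
}

# Return 0 when the challenge exclusion precedes the catch-all ProxyPass in
# the given config file, 1 otherwise (including when either line is missing).
exclusion_precedes_catchall() {
    excl=$(grep -n '^ProxyPass /\.well-known/acme-challenge/ !' "$1" | head -n1 | cut -d: -f1)
    all=$(grep -n '^ProxyPass / ' "$1" | head -n1 | cut -d: -f1)
    [ -n "$excl" ] && [ -n "$all" ] && [ "$excl" -lt "$all" ]
}

# Classify a fetched challenge body the way the ACME validator effectively does:
# "ok" when it is exactly the expected token, "html" when a rewrite, error page
# or the Tomcat ROOT app answered with markup, "mismatch" for anything else.
classify_challenge_body() {
    body="$1"; expected="$2"
    if [ "$body" = "$expected" ]; then
        echo ok
    elif printf '%s' "$body" | grep -Eqi '<!doctype html|<html'; then
        echo html
    else
        echo mismatch
    fi
}

# End-to-end probe: drop a throwaway token file in the challenge directory,
# fetch it over plain HTTP on port 80 following redirects (as the validator
# does, so a redirect to the home page shows up as "html"), then clean up.
probe_challenge_path() {
    domain="$1"; webroot="${2:-/var/www/acme}"
    dir="$webroot/.well-known/acme-challenge"
    token="probe-$(date +%s)-$$"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token"
    body=$(curl -sSL --max-time 10 "http://$domain/.well-known/acme-challenge/$token")
    result=$(classify_challenge_body "$body" "$token")
    rm -f "$dir/$token"
    echo "$result"
    [ "$result" = ok ]
}

# Usage: sh acme-check.sh example.com /var/www/acme
if [ $# -ge 1 ]; then
    probe_challenge_path "$1" "${2:-/var/www/acme}"
fi
```

Run the probe against port 80 before asking Certbot for a live certificate: a result of `html` is the symptom in this thread, meaning the request never reached the challenge directory. Once `probe_challenge_path` reports `ok`, `certbot certonly --webroot -w /var/www/acme -d example.com --dry-run` should pass using the same directory.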
