Moving from letsencrypt using TLS-SNI-01 challenge to certbot client using HTTP

I have been using the letsencrypt client for my domain with TLS-SNI-01 without any issues. With support being removed for TLS-SNI-01, and having a version that was not upgradeable, I decided to switch to the certbot client and use the HTTP challenge instead.

My domain is: apps dot twexxt dot com

I ran this command: sudo /usr/bin/certbot --apache --preferred-challenges http

It produced this output:
You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/apps.twexxt.com.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for apps.twexxt.com
Enabled Apache rewrite module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. apps.twexxt.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://apps.twexxt.com/.well-known/acme-challenge/ZmikhkFUoDiZDZCmaC-QnuhJT-mBcFm57sGIh87XzLs: “Apache Tomcat/7.0.52 (Ubuntu) - Error report<!--H1 {font-family:Tahoma,Arial,sans-serif;color:”

IMPORTANT NOTES:

My web server is (include version): Tomcat 7.0.52

The operating system my web server runs on is (include version): Ubuntu 14.04 (trusty)

My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

Which ports are Apache and Tomcat listening on?

Hmm, just checked and it looks like Apache is on 80 and 443, so that should be working.

Could you post the output of this command please?

sudo apachectl -S

Hi @ahocek

We had the same yesterday.

Your Tomcat answers, not your Apache.

So check your config, what's the webroot of your Tomcat?

Use this Tomcat webroot, not your Apache-webroot.

certbot run -a webroot -i apache -w yourTomcatWebroot -d example.com

That is correct about both ports 80 and 443 being used.

Below is the output for sudo apachectl -S

ubuntu@ip-172-30-3-171:~$ sudo apachectl -S
sudo: unable to resolve host ip-172-30-3-171
VirtualHost configuration:
*:443                  apps.twexxt.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   apps.twexxt.com (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Could you share the contents of this file?

(Assuming you want to get the apache plugin working. If not, you can try the method that @JuergenAuer suggests)

Hi Jurgen,

I ran the command as you suggested for my setup:

certbot run -a webroot -i apache -w /var/lib/tomcat7/webapps -d apps.twexxt.com

I am still getting the same error.

The output was:

Renewing an existing certificate
Performing the following challenges:
http-01 challenge for apps.twexxt.com
Using the webroot path /var/lib/tomcat7/webapps for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. apps.twexxt.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from : "Apache Tomcat/7.0.52 (Ubuntu) - Error report<!--H1 {font-family:Tahoma,Arial,sans-serif;color:"

PS: I forgot one thing.

There was a redirect Apache + http -> Tomcat + https.

You don’t have a redirect, so Apache may work directly.

So it’s not exactly the same situation.

Same problem as yesterday. This may be your webapps root.

Your real root may be something like

/var/lib/tomcat7/webapps/ROOT/

It was able to load the website directly, and then this address was shown. You have a redirect.

If you remove your redirect, you may see the same address.

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    JkMount /* worker1
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Oh… mod_jk… hmm. Haven’t used that in a long time.

Try adding this after the JkMount line:

JkUnMount /.well-known/*  worker1

Thank you, Juergen.
Using the actual root path for tomcat worked:
sudo certbot run -a webroot -i apache -w /var/lib/tomcat7/webapps/ROOT/ -d apps.twexxt.com
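An added pre-flight check (example code, not from this thread and not part of certbot) that reproduces the diagnosis made above: it writes a throwaway token into the directory you intend to pass with -w, fetches it over plain HTTP the way the validation server would, and reports whether the reply is the token, a 404, or Tomcat's error page (the symptom in this thread, meaning the request was handed to Tomcat and never reached the file in Apache's webroot). Function names and the sample domain are assumptions.

```python
import secrets
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"
TOMCAT_MARKER = "Apache Tomcat/"  # prefix of Tomcat's default error page text


def http_fetch(url, timeout=10):
    """Fetch url and return (status, body); HTTP error pages still yield their body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body, expected):
    """Map a challenge-URL response onto the failure modes seen in this thread."""
    if status == 200 and body.strip() == expected:
        return "ok"
    if TOMCAT_MARKER in body:
        # Same symptom as the thread: mod_jk (JkMount /*) forwarded the request
        # to Tomcat, so the file placed in Apache's DocumentRoot is never served.
        return "answered-by-tomcat"
    if status == 404:
        return "not-found"
    return "unexpected"


def preflight(webroot, domain, fetch=http_fetch):
    """Write a throwaway token under webroot, fetch it via the domain, classify the reply."""
    token = secrets.token_urlsafe(16)
    challenge_dir = Path(webroot) / CHALLENGE_DIR
    challenge_dir.mkdir(parents=True, exist_ok=True)
    token_file = challenge_dir / token
    token_file.write_text(token)
    try:
        status, body = fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}")
        return classify(status, body, token)
    finally:
        token_file.unlink(missing_ok=True)  # leave no stray files behind


if __name__ == "__main__":
    import sys
    # usage (assumed paths): python preflight.py /var/lib/tomcat7/webapps/ROOT apps.example.com
    print(preflight(sys.argv[1], sys.argv[2]))
```

Run it against each candidate webroot before invoking certbot; "answered-by-tomcat" means the fix is either the Tomcat ROOT directory as -w (as done above) or a JkUnMount for /.well-known/* so Apache serves the challenge itself.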


Yep, now there is a brand new Letsencrypt certificate:

https://apps.twexxt.com/AdminConsole/login.jsp

Thanks @jmorahan, for now I will use Tomcat, and at a later time I will revisit the Apache configuration and try what you suggested.

