Not able to install SSL for my domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.enterpriseindia.net

I ran this command: sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly --webroot -w /var/lib/tomcat8/webapps/nepportal -d www.enterpriseindia.net

It produced this output:

Reporting to user: The following errors were reported by the server:

Domain: www.enterpriseindia.net
Type: unauthorized
Detail: Invalid response from http://www.enterpriseindia.net/.well-known/acme-challenge/HuR7loO0weHbDMPgZOHajqR28SNkLcjw4x1hiyo7jxo: “Apache Tomcat/8.0.32 (Ubuntu) - Error reportH1 {font-family:Tah”

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.enterpriseindia.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.enterpriseindia.net/.well-known/acme-challenge/HuR7loO0weHbDMPgZOHajqR28SNkLcjw4x1hiyo7jxo: “Apache Tomcat/8.0.32 (Ubuntu) - Error reportH1 {font-family:Tah”

Calling registered functions
Cleaning up challenges
Removing /var/lib/tomcat8/webapps/nepportal/.well-known/acme-challenge/HuR7loO0weHbDMPgZOHajqR28SNkLcjw4x1hiyo7jxo
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
sys.exit(main())
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1364, in main
return config.func(config, plugins)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1254, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 120, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 391, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 334, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 370, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.enterpriseindia.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.enterpriseindia.net/.well-known/acme-challenge/HuR7loO0weHbDMPgZOHajqR28SNkLcjw4x1hiyo7jxo: “Apache Tomcat/8.0.32 (Ubuntu) - Error reportH1 {font-family:Tah”
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:

My web server is (include version): Tomcat 8

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @chandrub2004,

Can you test that, when you place files into this directory yourself, they appear in the corresponding locations on the web site?
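One way to run the test schoen suggests, added here as an example (it is not part of the thread, of certbot or of Tomcat; the function and class names are my own): write a random token under `<webroot>/.well-known/acme-challenge/`, fetch the URL the ACME server would request, and compare. `run_scenarios()` starts constructed local servers so the three outcomes seen in practice can be reproduced offline: the token served verbatim, a 404 because the directory the web server serves is not the webroot given to certbot, and a 200 whose body is an HTML page (here a frameset) instead of the token.

```python
"""Self-check for a certbot --webroot setup: write a token file where certbot puts
its http-01 challenge, fetch it back over HTTP as the ACME validator does, and
compare. Added example for this thread, not certbot code; names here are my own."""
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Path under the web root that http-01 challenges are served from (RFC 8555, 8.3).
CHALLENGE_PREFIX = ".well-known/acme-challenge"


@dataclass
class CheckResult:
    ok: bool
    url: str
    status: Optional[int]
    reason: str


def fetch(url: str, timeout: float = 10.0) -> Tuple[Optional[int], str]:
    """GET url (redirects followed, as the validator does); return (status, body text)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as e:
        return None, str(e)


def self_check(webroot: str, base_url: str) -> CheckResult:
    """Drop a token file into <webroot>/.well-known/acme-challenge/ and confirm that
    <base_url>/.well-known/acme-challenge/<token> returns exactly its content."""
    token = secrets.token_urlsafe(32)       # shaped like an ACME challenge token
    expected = secrets.token_urlsafe(32)    # stands in for the key authorization
    chall_dir = os.path.join(webroot, *CHALLENGE_PREFIX.split("/"))
    os.makedirs(chall_dir, exist_ok=True)
    path = os.path.join(chall_dir, token)
    with open(path, "w") as f:
        f.write(expected)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_PREFIX}/{token}"
    try:
        status, body = fetch(url)
    finally:
        os.remove(path)                     # certbot removes its challenge files too
    if status is None:
        return CheckResult(False, url, None, f"connection failed: {body}")
    if status == 404:
        return CheckResult(False, url, 404, "404: URL not served from this webroot, or static files not served")
    if status != 200:
        return CheckResult(False, url, status, f"unexpected HTTP {status}")
    if body.strip() != expected:
        return CheckResult(False, url, 200, "200 but body is not the token file: " + body[:70].replace("\n", " "))
    return CheckResult(True, url, 200, "token served verbatim")


class FramesetHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a host that answers every path with a frameset page."""
    PAGE = b"<frameset rows='100%'><frame src='http://www.example.invalid'></frameset>"

    def do_GET(self) -> None:
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.PAGE)))
        self.end_headers()
        self.wfile.write(self.PAGE)


def start_server(handler) -> Tuple[str, http.server.HTTPServer]:
    """Serve on an ephemeral loopback port in a daemon thread; return (base_url, server)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}", srv


def run_scenarios() -> Dict[str, CheckResult]:
    """Run the check against three constructed local servers: one rooted at the
    webroot (pass), one rooted elsewhere (404), and one that frames another site."""
    webroot, elsewhere = tempfile.mkdtemp(), tempfile.mkdtemp()
    handlers = {"good": functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot),
                "wrong_root": functools.partial(http.server.SimpleHTTPRequestHandler, directory=elsewhere),
                "frameset": FramesetHandler}
    results = {}
    for name, handler in handlers.items():
        base_url, srv = start_server(handler)
        try:
            results[name] = self_check(webroot, base_url)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        print(f"{name:10s} ok={res.ok} status={res.status} {res.reason}")
```

Against a real site, call `self_check("/var/lib/tomcat8/webapps/nepportal", "http://www.enterpriseindia.net")` from the server; the reason string tells you which of the three situations you are in before certbot does.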

Thank you schoen for the reply.
As my application is Spring MVC, static content added under the root of the application folder will not be browsed. If we need to add static content, we need to add it in the resources folder under the root, i.e. nepportal/resourcecs/.
Please suggest further steps.

Hey, I am able to get the certificate for my domain, but I am not able to configure it on my Ubuntu web server. Can you please suggest?

After I got the certificate files I added the code below to the server.xml file.

But I am getting a permission denied error.

I know that you've now figured it out, but one important idea is that the challenge files need to be created as static content on the site with the indicated location and content. :slight_smile:

What kind of server are you using and what is the code that you added?

Is it possible that you ran your Let's Encrypt client application as root but that your web server application runs as a different user?

Attached are the changes I did on my Tomcat server.xml (attachment: server.txt, 633 Bytes).

After I did the changes I am getting the error below:

Jul 29, 2018 5:14:24 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler [“http-nio-443”]
java.io.FileNotFoundException: /usr/share/tomcat8/.keystore (No such file or directory)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at java.io.FileInputStream.<init>(FileInputStream.java:93)
at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:90)
at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:188)
at org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:79)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:444)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:355)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:608)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:548)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:360)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:742)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:458)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:580)
at org.apache.catalina.startup.Catalina.load(Catalina.java:603)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)

Jul 29, 2018 5:14:24 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:580)
at org.apache.catalina.startup.Catalina.load(Catalina.java:603)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:964)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
… 12 more
Caused by: java.io.FileNotFoundException: /usr/share/tomcat8/.keystore (No such file or directory)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at java.io.FileInputStream.<init>(FileInputStream.java:93)
at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:90)
at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:188)
at org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:79)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:444)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:355)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:608)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:548)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:360)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:742)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:458)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
… 13 more

It looks like there's still some reference to this keystore file which your server is trying to use. Perhaps you could grep for this filename in your server configuration.

Hi @schoen, @chandrub2004,

Here the problem is that @chandrub2004 is using the Nio protocol in the connector and this protocol needs a keystore (as far as I know, the Nio2 and APR protocols support OpenSSL but Nio doesn't). As @chandrub2004 didn't define it in the connector, Tomcat is trying to find it in the default path /usr/share/tomcat8/.keystore and there is none, so it fails.

@chandrub2004, if you want to use the Nio protocol, you should convert the certificates and key and add them to your own keystore (keep in mind that this conversion should be performed every time the certificates are renewed) and also use the right connector, something like this:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true" URIEncoding="UTF-8"
keystoreFile="/etc/tomcat8/keystore/hereyour.keystore"
keystorePass="HERETHEPASSWORD"
clientAuth="false" sslProtocol="TLS" />

I wrote a post some time ago with the steps to convert the certificates and key to a keystore.

The other option is to use the APR protocol. To use it you should install the package libtcnative-1 on your Ubuntu server, uncomment the conf line to use it in your server.xml and create the right connector to use this APR protocol with the right directives pointing to your certificates and key.

1.- Install libtcnative-1 and its dependencies.

apt install libtcnative-1

2.- Uncomment APR conf in server.xml:

Before:

 <!--
 <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
 -->

After:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

3.- Configure the connector (something like this)

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
<Connector
           protocol="HTTP/1.1"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/etc/letsencrypt/live/www.enterpriseindia.co.in/cert.pem"
           SSLCertificateKeyFile="/etc/letsencrypt/live/www.enterpriseindia.co.in/privkey.pem"
           SSLCertificateChainFile="/etc/letsencrypt/live/www.enterpriseindia.co.in/chain.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1.1+TLSv1.2"/>

Keep in mind that in the examples I used port 443 instead of 8443 because in the server.xml example you posted above you used port 443. Tomcat is started with the unprivileged user tomcat8, so it can't bind ports below 1024; to be able to start Tomcat with user tomcat8 on port 443 you need to activate the AUTHBIND directive in the conf file /etc/default/tomcat8:

AUTHBIND=yes

I think it is installed by default but if not, you need to install the package authbind too:

apt install authbind

I can't remember whether Ubuntu configures it by default once authbind is activated in the conf file /etc/default/tomcat8; if it isn't, you would also need to authorize user tomcat8 to use authbind:

touch /etc/authbind/byuid/$(id -u tomcat8)
chmod 700 /etc/authbind/byuid/$(id -u tomcat8)
chown tomcat8:tomcat8 /etc/authbind/byuid/$(id -u tomcat8)

One more thing: in the server.xml you provided you are trying to use HTTP/2 and, as far as I know, it was added in Tomcat 8.5, so you can't use it on Tomcat 8.0.

Disclaimer: I don't use ubuntu nor tomcat :wink:

Good luck,
sahsanu

1 Like

Hi Sahsanu,

Thanks for the inputs. I did the changes as suggested by you: I kept the certificate files as they are and used the APR protocol, and I did install libtcnative-1.

I added the lines below to my server.xml (attachment: server.txt, 584 Bytes).

Then changed AUTHBIND=yes.

Later executed the following:

touch /etc/authbind/byuid/$(id -u tomcat8)
chmod 700 /etc/authbind/byuid/$(id -u tomcat8)
chown tomcat8:tomcat8 /etc/authbind/byuid/$(id -u tomcat8)

Restarted Tomcat 8; I don’t see any errors in my logs. But when I try to browse my EC2 instance URL, it goes to HTTP only.

Please suggest

Thanks
Chandru

The first thing you should check is whether tomcat is listening on port 443:

ss -tlpn | cat

And that there are no errors in the catalina.out file /var/log/tomcat8/catalina.out. I suppose you will see some permission denied errors because the tomcat8 user can’t read the files inside the /etc/letsencrypt/live/ dir. If that is the case, you should copy them to another dir and give the right perms so the user tomcat8 can access them.

As root user execute below commands:

mkdir -p /etc/tomcat8/certificates/www.enterpriseindia.co.in/
chmod -R 700 /etc/tomcat8/certificates/
cp /etc/letsencrypt/live/www.enterpriseindia.co.in/{cert,chain,privkey}.pem /etc/tomcat8/certificates/www.enterpriseindia.co.in/
chmod 600 /etc/tomcat8/certificates/www.enterpriseindia.co.in/*.pem
chown -R tomcat8:tomcat8 /etc/tomcat8/certificates/

And modify the current Connector to replace the old letsencrypt paths with the new ones:

 <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Connector
           protocol="HTTP/1.1"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/etc/tomcat8/certificates/www.enterpriseindia.co.in/cert.pem"
           SSLCertificateKeyFile="/etc/tomcat8/certificates/www.enterpriseindia.co.in/privkey.pem"
           SSLCertificateChainFile="/etc/tomcat8/certificates/www.enterpriseindia.co.in/chain.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1.1+TLSv1.2"/>

Restart Tomcat and let's see if it is working fine now.

If this works fine for you we should create a deploy-hook so certbot could perform the copy of the renewed certificate to the right path.

Cheers,
sahsanu

1 Like
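The deploy hook sahsanu mentions, together with the copy-and-chown step in the post above, as an added example (not certbot's or Tomcat's own code). It assumes the layout from this thread: /etc/tomcat8/certificates/<name>/ as the destination, tomcat8 as the service user, and `systemctl restart tomcat8` to restart the service; `stage_demo_lineage()` writes constructed placeholder PEM files so the hook can be tried without certbot. certbot passes the renewed lineage directory to deploy hooks in the RENEWED_LINEAGE environment variable. It also covers the permission denied problem from earlier in the thread: certbot runs as root and /etc/letsencrypt/live is root-only, so a Tomcat running as tomcat8 needs its own copy with permissions that still keep the private key away from other users.

```python
#!/usr/bin/env python3
"""certbot --deploy-hook that copies a renewed lineage into a directory the tomcat8
user can read, with tight permissions, and restarts Tomcat. Added example for this
thread, not certbot's or Tomcat's code. Assumed from the thread: destination
/etc/tomcat8/certificates/<name>/, service user tomcat8, `systemctl restart tomcat8`.
certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> dir) to deploy hooks."""
import grp
import os
import pwd
import shutil
import stat
import subprocess
import sys
import tempfile
from typing import Dict, List, Optional, Tuple

FILES = ("cert.pem", "chain.pem", "privkey.pem")   # what the APR connector reads


def install_lineage(lineage_dir: str, dest_root: str,
                    owner: Optional[Tuple[int, int]] = None) -> Dict[str, str]:
    """Copy cert/chain/privkey from lineage_dir into dest_root/<name>/ as 0600 files
    in a 0700 directory, owned by owner=(uid, gid) when given. Each file is written
    under a temporary name and renamed into place so Tomcat never reads a partial
    file. Returns {filename: destination path}."""
    name = os.path.basename(os.path.normpath(lineage_dir))
    dest_dir = os.path.join(dest_root, name)
    os.makedirs(dest_dir, exist_ok=True)
    os.chmod(dest_dir, 0o700)
    installed: Dict[str, str] = {}
    for fn in FILES:
        src = os.path.join(lineage_dir, fn)   # live/ entries are symlinks; copyfile follows them
        dst = os.path.join(dest_dir, fn)
        tmp = dst + ".tmp"
        shutil.copyfile(src, tmp)
        os.chmod(tmp, 0o600)
        if owner is not None:
            os.chown(tmp, *owner)
        os.replace(tmp, dst)
        installed[fn] = dst
    if owner is not None:
        os.chown(dest_dir, *owner)
    return installed


def check_permissions(dest_dir: str, uid: int, gid: int) -> List[str]:
    """Return the list of layout problems; empty means the service user can read
    the files and nobody else can."""
    problems = []
    st = os.stat(dest_dir)
    if (st.st_uid, st.st_gid) != (uid, gid):
        problems.append(f"{dest_dir}: owner is {st.st_uid}:{st.st_gid}, want {uid}:{gid}")
    if stat.S_IMODE(st.st_mode) != 0o700:
        problems.append(f"{dest_dir}: mode {oct(stat.S_IMODE(st.st_mode))}, want 0o700")
    for fn in FILES:
        p = os.path.join(dest_dir, fn)
        if not os.path.isfile(p):
            problems.append(f"{p}: missing")
            continue
        fst = os.stat(p)
        if (fst.st_uid, fst.st_gid) != (uid, gid):
            problems.append(f"{p}: owner is {fst.st_uid}:{fst.st_gid}, want {uid}:{gid}")
        if stat.S_IMODE(fst.st_mode) & 0o077:
            problems.append(f"{p}: readable by group or others")
    return problems


def stage_demo_lineage(base_dir: str) -> str:
    """Constructed sample input: a fake live/<name> directory holding placeholder
    PEM files, so the hook can be exercised without certbot or real keys."""
    lineage = os.path.join(base_dir, "live", "www.example.invalid")
    os.makedirs(lineage)
    for fn in FILES:
        with open(os.path.join(lineage, fn), "w") as f:
            f.write(f"-----BEGIN CONSTRUCTED PLACEHOLDER-----\n{fn}\n-----END-----\n")
    return lineage


def main(argv: List[str]) -> int:
    if "--demo" in argv:   # dry run in a temp dir as the current user, no restart
        with tempfile.TemporaryDirectory() as tmp:
            me = (os.getuid(), os.getgid())
            installed = install_lineage(stage_demo_lineage(tmp), os.path.join(tmp, "certs"), me)
            print(installed, check_permissions(os.path.dirname(installed["cert.pem"]), *me))
        return 0
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        print("RENEWED_LINEAGE not set: run this via certbot --deploy-hook", file=sys.stderr)
        return 2
    owner = (pwd.getpwnam("tomcat8").pw_uid, grp.getgrnam("tomcat8").gr_gid)
    installed = install_lineage(lineage, "/etc/tomcat8/certificates", owner)
    problems = check_permissions(os.path.dirname(installed["cert.pem"]), *owner)
    if problems:
        print("\n".join(problems), file=sys.stderr)
        return 1
    subprocess.run(["systemctl", "restart", "tomcat8"], check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wire it in with `--deploy-hook /path/to/this-script.py` on the certbot command line (or in the `[renewalparams]` of the renewal conf); `./this-script.py --demo` exercises it in a temporary directory as the current user. Because the destination name is taken from the lineage directory, the copy lands at the same `/etc/tomcat8/certificates/www.enterpriseindia.co.in/` path the Connector above already points to.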

Wow, you know quite a lot about Tomcat for someone who doesn't use it!

1 Like

Thank you @sahsanu, @schoen. Finally I was able to configure my sites with SSL enabled. I did the changes suggested by you; for some reason it didn't work.
I logged into the AWS console and imported the certificate which I had generated on my Ubuntu, and it worked like a charm.

Thanks once again.
But here the challenge is I need to figure out how to renew in my AWS console.

1 Like

@chandrub2004, you are welcome. I’m glad you finally got it working :+1:.

I didn’t know you had something in front of your Tomcat managing connections. Regarding the AWS console, I’ve no idea whether you can update the certificate+chain and key used in the AWS console automatically every time you renew the certificate. I suppose there is some kind of command or API to do it, something like this or similar: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html#upload-server-certificate, but as I’ve no idea how AWS works I can’t advise you here.

Good luck,
sahsanu

Thank you @sahsanu .
Earlier I had generated the certificate for my domain www.enterpriseindia.net; now I am trying to do the same for enterpriseindia.net, but I am getting an error like the one below. I am able to browse a file placed under the root folder of my application /var/lib/tomcat8/webapps/nepportal/.
Just for verification I placed one static HTML file and I am able to browse it with the URL
http://enterpriseindia.net/index123.html

Please suggest

Reporting to user: The following errors were reported by the server:

Domain: enterpriseindia.co.in
Type:   unauthorized
Detail: Invalid response from http://enterpriseindia.co.in/.well-known/acme-challenge/rRdExZ7AysqlgH9-wrJ4DvkcuMSLm6QAkVj34AF700c: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. enterpriseindia.co.in (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://enterpriseindia.co.in/.well-known/acme-challenge/rRdExZ7AysqlgH9-wrJ4DvkcuMSLm6QAkVj34AF700c: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

Calling registered functions
Cleaning up challenges
Removing /var/lib/tomcat8/webapps/nepportal/.well-known/acme-challenge/rRdExZ7AysqlgH9-wrJ4DvkcuMSLm6QAkVj34AF700c
Removing /var/lib/tomcat8/webapps/nepportal/.well-known/acme-challenge/08CMyuR75UfZpwg-u6qOA57ySv4TCQxy7jPYF1UuM4M
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1254, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 115, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 305, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. enterpriseindia.co.in (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://enterpriseindia.co.in/.well-known/acme-challenge/rRdExZ7AysqlgH9-wrJ4DvkcuMSLm6QAkVj34AF700c: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: enterpriseindia.co.in
   Type:   unauthorized
   Detail: Invalid response from
   http://enterpriseindia.co.in/.well-known/acme-challenge/rRdExZ7AysqlgH9-wrJ4DvkcuMSLm6QAkVj34AF700c:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Hi @chandrub2004,

I’m a bit confused, you are talking about enterpriseindia.net but in the error log you are trying to issue a certificate for enterpriseindia.co.in.

Anyway, none of them will work if you try to validate them using the http challenge. This is because you are “redirecting” them using a frame that a browser understands but Let’s Encrypt won’t, so LE is not able to validate the domain.

$ curl -ikL enterpriseindia.co.in
HTTP/1.1 200 OK
Date: Tue, 31 Jul 2018 14:11:08 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 107
Connection: close
Content-Type: text/html; charset=UTF-8

<frameset rows='100%'  cols='100%'><frame src=http://www.enterpriseindia.co.in frameborder='0'></frameset>



$ curl -ikL enterpriseindia.net
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /YfRaZ/

HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 31 Jul 2018 14:11:16 GMT
Content-Length: 453
Age: 1
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
   "http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
  <title>National Enterprise Portal </title>
  <META name="description" content="Managed by IndiaSkillPedia Foundation">
</head>
<frameset rows="100%,*" border="0">
  <frame src="http://www.enterpriseindia.co.in" frameborder="0" />
  <frame frameborder="0" noresize />
</frameset>

<!-- pageok -->
<!-- 09 -->
<!-- -->
</html>

My advice, remove those “redirections” and point your domains to your real ips.

Also, if all of those domains are pointing to the same site and showing the same content maybe you would like to issue 1 certificate covering the 4 domains/subdomains instead of 1 certificate per domain/subdomain.

Cheers,
sahsanu

Sorry for the confusion @sahsanu. All four URLs are pointing to the same site, i.e.

www.enterpriseindia.co.in
www.enterpriseindia.net
enterpriseindia.co.in
enterpriseindia.net

Yes, I want to generate only 1 certificate for all 4 domains. Do I need to follow the same steps I did earlier to generate the certificate for each domain?

Thanks
Chandru

Hello @chandrub2004,

You just need to add the other 3 domains to the command. Also, if you add the --cert-name directive, the certificate will be saved in the same path used in your current Tomcat conf.

sudo ./certbot-auto --server https://acme-v01.api.letsencrypt.org/directory certonly --cert-name www.enterpriseindia.co.in --webroot -w /var/lib/tomcat8/webapps/nepportal -d www.enterpriseindia.co.in,enterpriseindia.co.in,www.enterpriseindia.net,enterpriseindia.net

Note: it won't work till you remove the frame redirection used in your non www domains.

Cheers,
sahsanu

1 Like
