Not able to renew my certificate

Hi,

I tried to renew my Let's Encrypt certificate for an Apache server and I got the following error:

root@ip-10-0-0-121:~# certbot certonly --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel):blackduck.fwsas.com
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for blackduck.fwsas.com
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. blackduck.fwsas.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested a5996588c20caaa4460d3eb514f58fa2.47968cdfed228e3b9cfaba7821cb1905.acme.invalid from 52.42.48.33:443. Received 2 certificate(s), first certificate had names “blackduck.fwsas.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: blackduck.fwsas.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    a5996588c20caaa4460d3eb514f58fa2.47968cdfed228e3b9cfaba7821cb1905.acme.invalid
    from 52.42.48.33:443. Received 2 certificate(s), first certificate
    had names “blackduck.fwsas.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

Hi @nvivekanandan,

This is probably a sign that Certbot had trouble parsing your Apache configuration and that this is also why it couldn't complete the challenge. Could you tell us more about how your Apache is configured? Are the configuration files in the usual directories for your operating system? How and where did you configure your virtual host?

Hi @schoen

The path of the config is /opt/blackduck/hub/tomcat/8.0.43/conf/web.xml . And the tomcat was installed automatically by another application. So I am not sure how the virtual host is setup. I can upload the config files in case you need it.

Thanks.

OK, I’ll take a step back from my original questions. :slight_smile:

First, the recommended way to renew an existing certificate is certbot renew, not certbot certonly --apache. If you happen to request names that are exactly the same as those in an existing certificate, certbot certonly --apache will attempt a renewal, but it will use the Certbot apache plugin, regardless of whether that is the plugin that you used to obtain the original certificate. If the apache plugin is not the correct one to use for renewing this certificate, the renewal will then fail.

So, how did you obtain the original certificate?

What would happen if you just ran certbot renew instead of certbot certonly --apache?

In case that doesn’t work: What is the relationship between Tomcat and Apache on this system? Which one is listening on port 443? Do you have Apache installed at all on this machine?

Hi @schoen,

I used certbot certonly --apache to create the certificate. So I use the same command to renew my certificate again. Tomcat listens on port 443.

And when I run the certbot renew command I get the same error:

root@ip-10-0-0-121:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/blackduck.fwsas.com.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for blackduck.fwsas.com
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/blackduck.fwsas.com.conf produced an unexpected error: Failed authorization procedure. blackduck.fwsas.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 2474bc298f7dacc1695264e9e3c9e745.e1b34726803d9195cc3e1f1606e92de5.acme.invalid from 52.42.48.33:443. Received 2 certificate(s), first certificate had names “blackduck.fwsas.com”. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/blackduck.fwsas.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: blackduck.fwsas.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    2474bc298f7dacc1695264e9e3c9e745.e1b34726803d9195cc3e1f1606e92de5.acme.invalid
    from 52.42.48.33:443. Received 2 certificate(s), first certificate
    had names “blackduck.fwsas.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

Is there a way I can generate a new certificate without using apache i.e by using the command sudo certbot certonly --standalone --preferred-challenges http -d <Domain-Name (example.com)> ?

I was looking into the history command. Apparently they installed Apache just for this purpose using the command sudo apt-get install python-certbot-apache. So there is no relation between Apache and the Tomcat which is used by the tool. Only the Tomcat listens on port 443. So I would like to create a new certificate without Apache. Is it possible?

Sure, so I think that what happened here was that when you originally got the certificate, Apache was listening only on port 80. certbot --apache then temporarily reconfigured Apache to listen on port 443, just for a few seconds. Then after you set up the certificate in Tomcat, Tomcat started to listen on port 443.

The --standalone approach does seem better in principle, but it would require port 80 to be available. Do you know whether anything is listening on port 80? If you still have Apache installed, it might still be listening on port 80 but it might be possible to stop Apache (and eventually to uninstall it entirely if you decide that you did need it only for getting certificates) and thus allow certbot --standalone to use port 80 to get the certificate.

Another thing to be sure of when trying this strategy is that there are no firewall rules that would prevent inbound connections on port 80 for this purpose.
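Two points from the replies above can be checked on the host before retrying: `certbot renew` reuses the authenticator recorded in `/etc/letsencrypt/renewal/<domain>.conf`, whatever plugin you type today, and `--standalone` with the http challenge can only work if nothing else is bound to port 80. The script below is an added example written for this thread, not Certbot's own tooling. It assumes the iproute2 `ss -ltnp` output layout and Certbot's renewal-config format; the sample data is constructed to mirror the situation described here (Tomcat on 443, Apache on 80), and the account id is a placeholder.

```shell
#!/bin/sh
# Preflight check before switching a certificate from the apache plugin to
# `certbot certonly --standalone --preferred-challenges http`.
# Added example, not Certbot's code. Assumes iproute2 `ss -ltnp` output and
# the Certbot renewal config format (an `authenticator = ...` line under
# [renewalparams]). All sample data below is constructed.

# listeners_on PORT SS_OUTPUT: print the process name of each socket bound to
# that TCP port (one per line), or nothing if the port is free.
listeners_on() {
    printf '%s\n' "$2" | awk -v port="$1" '
        NR > 1 {
            # column 4 is the local address, e.g. 0.0.0.0:80, *:443 or [::]:80;
            # the port is whatever follows the last colon
            n = split($4, parts, ":")
            if (parts[n] == port) {
                proc = "unknown"
                # process column looks like users:(("java",pid=1432,fd=44))
                if (match($0, /users:\(\("[^"]+"/)) {
                    proc = substr($0, RSTART + 9, RLENGTH - 10)
                }
                print proc
            }
        }'
}

# renewal_authenticator CONF_TEXT: the plugin Certbot recorded for this
# certificate; `certbot renew` reuses it regardless of what you type now.
renewal_authenticator() {
    printf '%s\n' "$1" | sed -n 's/^authenticator *= *//p' | head -n 1
}

# standalone_preflight SS_OUTPUT CONF_TEXT: report whether the standalone
# http-01 challenge could bind port 80 on this host. Returns 0 if it could.
# (It does not inspect firewall or EC2 security-group rules; check those too.)
standalone_preflight() {
    auth=$(renewal_authenticator "$2")
    echo "renewal config currently uses authenticator: ${auth:-<none>}"
    echo "port 443 is held by: $(listeners_on 443 "$1" | tr '\n' ' ')"
    busy=$(listeners_on 80 "$1" | tr '\n' ' ')
    if [ -n "$busy" ]; then
        echo "port 80 is held by: ${busy}- stop it (or use --webroot) before --standalone"
        return 1
    fi
    echo "port 80 is free; standalone http-01 can bind it"
    return 0
}

# Constructed `ss -ltnp` output: Tomcat (java) on 443, Apache on 80, sshd on 22.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      100    *:443              *:*               users:(("java",pid=1432,fd=44))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("apache2",pid=2201,fd=4))'

# Constructed renewal config in the shape Certbot writes for certonly --apache.
SAMPLE_CONF='# renew_before_expiry = 30 days
archive_dir = /etc/letsencrypt/archive/blackduck.fwsas.com
cert = /etc/letsencrypt/live/blackduck.fwsas.com/cert.pem
[renewalparams]
authenticator = apache
account = PLACEHOLDER_ACCOUNT_ID'

standalone_preflight "$SAMPLE_SS" "$SAMPLE_CONF" \
    || echo "preflight failed: resolve the port 80 conflict before retrying"
# On the real host, feed it live data instead of the samples:
#   standalone_preflight "$(ss -ltnp)" "$(cat /etc/letsencrypt/renewal/blackduck.fwsas.com.conf)"
```

With the sample data the check fails on purpose, because Apache still holds port 80; once Apache is stopped (the `grep -v apache2` case in the assertions below the block models that), the same input passes and `--standalone` has a free port 80 to answer the http challenge on.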

I resolved the issue. The problem was totally weird. My security group in EC2 didn't block port 80, also no other application was listening on port 80. For some reason, I was not able to access port 80 remotely. Then I restarted the system and it solved the issue. Probably some unknown process was blocking the port.

Thank you for your support :smile: Really appreciate it.
