Old user unable to renew cert

Hello

My domain is: www.dropintest.com

I ran this command: certbot certonly --webroot -d www.dropintest.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for www.dropintest.com
Input the webroot for www.dropintest.com: (Enter 'c' to cancel): /etc/letsencrypt/live/www.dropintest.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.dropintest.com
Type: unauthorized
Detail: Invalid response from http://www.dropintest.com/.well-known/acme-challenge/eLQ4J23R8KQHrtrCfmL9zMOoPkl1tMrcwGF-HM6wv28 [141.8.225.75]: "\n\n404 Not Found\n\nNot Found\n\n<p"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.24.0

ADDITIONAL INFO: I'm not sure if this is important but I had a certbot provided certificate a few years ago. I let it lapse and when I tried renewing it again, y'all had changed how everything worked.

I recall I wound up with a file named bundle.pfx and had to specify it in my Tomcat server.conf files like this:

    <Connector
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="8443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="/opt/tomcat/bundle.pfx" keystorePass="cheapphone"
        clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12" keyAlias="1"/>

Hi @markatpenddotnet and welcome to the LE community forum

The problem is that "Tomcat" is not a simple system to manage.
You need to follow a guide made specifically for it - many have tried to handle it like "Apache" and all have failed.


Ok. I'm not married to Tomcat.

What are my options?

Replace Tomcat with a better supported web server?

Fine with me.

Do you have any recommendations?

I prefer open source and the simpler to set up the better.


Tomcat is already installed, and I suspect it's doing its job.
If so, all you need to do is find the "how to install a certificate into Tomcat" guide.
[which is likely already posted somewhere on this site - as well as the Internet - no need to reinvent any wheels]

If not, or to simplify matters, I would put Tomcat behind an nginx secured proxy.
Let Tomcat do the web serving and nginx do the certs.

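Concretely, the layout suggested here (nginx owns ports 80 and 443, answers the HTTP-01 challenge from a dedicated webroot, and forwards application traffic to Tomcat's HTTP connector) looks like the following. This is an added example, not configuration from the thread, from Certbot or from nginx's documentation. It assumes Tomcat's HTTP connector is reachable on 127.0.0.1:8080, the ACME webroot is /var/www/letsencrypt, nginx uses the Debian-style sites-available/sites-enabled layout, and the site is installed in two stages, because a server block that references /etc/letsencrypt/live/.../fullchain.pem cannot load before that file exists.

```shell
#!/bin/sh
# Added example: nginx in front of Tomcat, with nginx holding the certificate.
# Assumptions (not from the thread): Tomcat's HTTP connector on 127.0.0.1:8080,
# ACME webroot /var/www/letsencrypt, Debian-style /etc/nginx/sites-*/ layout.
set -eu

# Print an nginx site file for DOMAIN. MODE "http-only" is the bootstrap stage
# (port 80 only, so nginx starts without any certificate); MODE "tls" adds the
# HTTPS server that uses certbot's PEM files and proxies to Tomcat.
render_nginx_site() {
  domain=$1; webroot=$2; upstream_port=$3; mode=${4:-http-only}
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain;

    # certbot certonly --webroot -w $webroot puts tokens under this path;
    # the CA fetches them over plain HTTP, so never redirect this location
    location ^~ /.well-known/acme-challenge/ {
        root $webroot;
        default_type text/plain;
    }
EOF
  if [ "$mode" = http-only ]; then
    cat <<EOF
    location / {
        proxy_pass http://127.0.0.1:$upstream_port;
    }
}
EOF
    return 0
  fi
  cat <<EOF
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $domain;

    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_protocols TLSv1.2;           # nginx 1.10.3 predates TLSv1.3 support
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:$upstream_port;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Write the site, enable it, check the whole nginx config, reload (run as root).
install_site() {
  domain=$1; webroot=$2; upstream_port=$3; mode=$4
  mkdir -p "$webroot/.well-known/acme-challenge"
  render_nginx_site "$domain" "$webroot" "$upstream_port" "$mode" \
    > "/etc/nginx/sites-available/$domain"
  ln -sf "/etc/nginx/sites-available/$domain" "/etc/nginx/sites-enabled/$domain"
  nginx -t && systemctl reload nginx
}

# Bootstrap order:
#   install_site www.dropintest.com /var/www/letsencrypt 8080 http-only
#   certbot certonly --webroot -w /var/www/letsencrypt -d www.dropintest.com
#   install_site www.dropintest.com /var/www/letsencrypt 8080 tls
```

Two things to check once this is in place: a leftover `default` site in sites-enabled that also listens on port 80 can answer for the hostname before this block does, so remove it or make sure `server_name` is set here; and once nginx terminates TLS, Tomcat's own 8443 connector is redundant, so drop it from server.xml or firewall it, and bind the 8080 connector to 127.0.0.1 (the netstat output later in the thread shows it on all interfaces).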

Here is an example using PEM files (instead of PFX/PKCS12):

You can stick to the PFX method but you will need to convert the files generated by Certbot (using openssl etc).

I note you are trying to use the --webroot method (where certbot writes files to your website folder) but the path you have specified doesn't look like it's part of your website; it looks like the install folder for certbot instead. (See the User Guide in the Certbot 1.24.0 documentation.)

You need to give it the path so it can create a .well-known/acme-challenge folder and write a challenge response file to that, Let's Encrypt will then check http://www.dropintest.com/.well-known/acme-challenge/<challenge response file name> and expect to find it.

You've mentioned both nginx and Tomcat - which server is actually serving your website? If tomcat is proxied behind nginx then it's just nginx you have to configure, not tomcat.

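If Tomcat is to keep terminating TLS itself with the PKCS#12 connector from the first post, the PEM-to-PFX conversion mentioned above can be run automatically after every issuance or renewal as a Certbot deploy hook. The following is an added example, not a script from the thread or from Certbot. It assumes Certbot's standard /etc/letsencrypt/live/<domain>/ layout, the RENEWED_LINEAGE environment variable Certbot exports to deploy hooks, a systemd service named tomcat running as group tomcat, and a root-only password file at /etc/letsencrypt/tomcat-pfx.pass. The export password is read from that file rather than passed on the command line so it never appears in `ps` output or shell history; the Connector then needs keystorePass set to the same value and keyAlias="tomcat" to match the alias used below.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): Certbot deploy hook that
# rebuilds Tomcat's PKCS#12 bundle from the freshly issued PEM pair.
# Assumptions: /etc/letsencrypt/live/<domain>/ layout, systemd unit "tomcat"
# running as group "tomcat", password file /etc/letsencrypt/tomcat-pfx.pass.
set -eu

PFX_OUT=/opt/tomcat/bundle.pfx
PFX_PASSFILE=/etc/letsencrypt/tomcat-pfx.pass

# Turn a certbot PEM pair (LIVE_DIR/fullchain.pem + privkey.pem) into a
# PKCS#12 bundle at OUT. The export password comes from PASSFILE, so it is
# never on the command line. The entry is stored under the alias "tomcat";
# set keyAlias="tomcat" in the Connector to match.
pem_to_pfx() {
  live_dir=$1; out=$2; passfile=$3
  umask 077
  openssl pkcs12 -export \
    -in "$live_dir/fullchain.pem" -inkey "$live_dir/privkey.pem" \
    -name tomcat -out "$out.tmp" -passout "file:$passfile"
  mv "$out.tmp" "$out"
}

# Sanity check: the bundle opens with the password and contains a private key.
pfx_has_key() {
  openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/
# after a successful issuance or renewal, with RENEWED_LINEAGE set to the
# live directory of the certificate that changed.
deploy_hook() {
  pem_to_pfx "$RENEWED_LINEAGE" "$PFX_OUT" "$PFX_PASSFILE"
  chown root:tomcat "$PFX_OUT"
  chmod 0640 "$PFX_OUT"
  pfx_has_key "$PFX_OUT" "$PFX_PASSFILE"
  systemctl restart tomcat
}

# Install as /etc/letsencrypt/renewal-hooks/deploy/tomcat-pfx.sh (mode 0755).
# When certbot invokes it, RENEWED_LINEAGE is set; when sourced for testing,
# it is not, and nothing runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_hook
fi
```

Run `certbot renew --dry-run` afterwards to confirm the hook is picked up. If the JVM under Tomcat is old (Ubuntu 16.04 ships OpenJDK 8) and refuses a bundle written by OpenSSL 3, add `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` to the export so the bundle uses the older algorithms those Java versions read.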

I see that too (now).

@markatpenddotnet which port(s) are being handled by each?
sudo netstat -pant | grep -i listen


I have nginx installed and running.

I suspect I may have been going this route when I ceased work on this.

How can I tell if I have nginx running properly?


I think I may have nginx installed or partially installed.

I will review the setup this evening


I will run this after work and post the results.

Thank you for all the help!


This tells me I'm running Ubuntu 16:

root@instance-1:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:        16.04
Codename:       xenial

I have confirmed I have nginx running as follows:

root@instance-1:~# ps -ef | grep nginx
root      1473     1  0 Feb05 ?      00:00:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data  4560  1473  0 Mar09 ?      00:00:09 nginx: worker process
www-data  4561  1473  0 Mar09 ?      00:00:00 nginx: worker process
root     28353 28318  0 03:07 pts/0  00:00:00 grep --color=auto nginx

Per these instructions https://certbot.eff.org/instructions?ws=nginx&os=ubuntuxenial (nginx, Ubuntu 16)

I ran:

root@instance-1:~# certbot --nginx

and got these results:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.dropintest.com
Renewing an existing certificate for www.dropintest.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: www.dropintest.com
Type: unauthorized
Detail: Invalid response from http://www.dropintest.com/.well-known/acme-challenge/kiQtl_fedDE-wlP3R7bcQl2ettKjlvUbfFsj7_IX59E [141.8.225.75]: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Then I tried:

certbot certonly --nginx

and got:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.dropintest.com
Renewing an existing certificate for www.dropintest.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: www.dropintest.com
Type: unauthorized
Detail: Invalid response from http://www.dropintest.com/.well-known/acme-challenge/e69r051lCVvw9Ym7f21dqM9GIgq5mBbqKYwYrh1GUmU [141.8.225.75]: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.


root@instance-1:/etc/nginx/sites-available# netstat -pant | grep -i listen
tcp        0      0 127.0.0.1:3306  0.0.0.0:*  LISTEN  17615/mysqld
tcp        0      0 0.0.0.0:80      0.0.0.0:*  LISTEN  32190/nginx -g daem
tcp        0      0 0.0.0.0:22      0.0.0.0:*  LISTEN  1677/sshd
tcp6       0      0 127.0.0.1:8005  :::*       LISTEN  32279/java
tcp6       0      0 :::8009         :::*       LISTEN  32279/java
tcp6       0      0 :::8080         :::*       LISTEN  32279/java
tcp6       0      0 :::80           :::*       LISTEN  32190/nginx -g daem
tcp6       0      0 :::22           :::*       LISTEN  1677/sshd
tcp6       0      0 :::8443         :::*       LISTEN  32279/java


Bingo!
It's nginx on port 80.

Now I'd say try that (with: certbot --nginx), but you already have.
And since that failed, let's review the how/why of it.
By starting with:

  • what transpired (between you and certbot) immediately upon executing "certbot --nginx"?
  • reviewing the output of: nginx -T
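Whichever authenticator is used next, the 404s above all mean the same thing: the server that answers for www.dropintest.com on port 80 is not serving the challenge path. A cheap way to confirm that before involving the CA again is to drop a probe file where certbot's webroot plugin would put it and fetch it through the public hostname. The script below is an added example, not from the thread or from Certbot; it assumes curl is installed on the host, that the domain resolves to this machine, and that the candidate webroot is a directory nginx actually serves (the domain and paths are taken from the thread). It also rejects the mistake from the first post, where certbot's own /etc/letsencrypt/live/... directory was given as the webroot.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): check that a candidate
# --webroot path really is what answers http://DOMAIN/.well-known/acme-challenge/
# before asking the CA. Assumes curl is installed and DOMAIN resolves to this host.
set -eu

# Where the webroot plugin drops challenge files.
challenge_dir() { printf '%s/.well-known/acme-challenge\n' "${1%/}"; }

# What the CA will fetch for a token (plain HTTP, port 80).
challenge_url() { printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"; }

# Put a probe file exactly where certbot would; prints its path.
write_probe() {
  dir=$(challenge_dir "$1")
  mkdir -p "$dir"
  printf '%s' "$3" > "$dir/$2"
  printf '%s\n' "$dir/$2"
}

# Round trip: write a probe, fetch it through the public name, compare.
# Returns 0 when the webroot is reachable from the internet, 1 otherwise.
preflight() {
  domain=$1; webroot=$2
  case $webroot in
    /etc/letsencrypt*)
      echo "FAIL: $webroot is certbot's own directory, not a document root" >&2
      return 1 ;;
  esac
  token="probe-$$-$(date +%s)"
  expected="webroot-ok-$token"
  path=$(write_probe "$webroot" "$token" "$expected")
  got=$(curl -fsS --max-time 10 "$(challenge_url "$domain" "$token")" || true)
  rm -f "$path"
  if [ "$got" = "$expected" ]; then
    echo "OK: $domain serves $webroot. Next:"
    echo "  certbot certonly --webroot -w $webroot -d $domain"
    return 0
  fi
  echo "FAIL: $(challenge_url "$domain" "$token") did not return the probe" >&2
  echo "      (got: '${got:-<nothing>}'). Check which server block answers for" >&2
  echo "      $domain on port 80 with: nginx -T | grep -n -e server_name -e root" >&2
  return 1
}

# Usage (as root):  preflight www.dropintest.com /var/www/html
```

A FAIL with an empty body usually means the name does not reach this host at all (DNS, firewall, or a different machine at 141.8.225.75); a FAIL with a 404 body means the request arrived but a different server block or root handled it, which is what `nginx -T` will show.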

Late here.

Gonna crash.

I'll get this ASAP in the morning


Late here too...
Hope your only crash is into a bed - LOL


You should think about upgrading.

