Problem with certbot/apache/tomcat

My domain is:deltapubblicitasrlshop.it

I ran this command: I created a redirect from port 8080 of Tomcat to port 80 and 8433 to port 433, and created "deltapubblicitasrlshop.it.conf" in /etc/httpd/conf.d with these lines :slight_smile:

<VirtualHost *:80>
    ServerName deltapubblicitasrlshop.it
    ServerAlias www.deltapubblicitasrlshop.it
    DocumentRoot /var/www/html
    ErrorLog /var/www/error.log
    CustomLog /var/www/requests.log combined
</VirtualHost>

The output of the error is:

"- The following errors were reported by the server:

Domain: www.deltapubblicitasrlshop.it
Type: unauthorized
Detail: Invalid response from
http://www.deltapubblicitasrlshop.it/.well-known/acme-challenge/a7HQ80I6JP3ZiOdlqlwHB-1aY8bUMd3GtzqbgdjfGDw
["the server IP is in here"]: "Apache Tomcat/7.0.76 - Error
report<!--H1
{font-family:Tahoma,Arial,sans-serif;color:white;bac"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
"

My web server is (include version):Server version: Apache/2.4.6 (CentOS)
Tomcat 7

The operating system my web server runs on is (include version):centos7

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.7.0

2 Likes

Welcome to the Let's Encrypt Community, Paolo :slightly_smiling_face:

There was a problem with your DNS in trying to access your CAA record, so Let's Encrypt cannot determine if it is authorized to issue a certificate for www.deltapubblicitasrlshop.it. This issue could be sporadic as it appears to me that you don't have a CAA record.

It also looks like www.deltapubblicitasrlshop.it is using a private IPv6 address (AAAA fe80::3a60:77ff:fea3:4854) and thus Let's Encrypt won't be able to reach it to verify your control of the domain. You will need to either change that address to a public IP address that reaches www.deltapubblicitasrlshop.it or remove it.

Were you meaning to forward 8443 to 443? Your https port (443) is not working at all. You could be really into bulk transfers of articles from one server to another via the Network News Transfer Protocol via port 433 (NNSP), but I doubt it. :wink:

2 Likes
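The two DNS conditions raised in the reply above (an AAAA record that points at a non-routable address, and whether a CAA record restricts issuance) can be pre-checked before running certbot. The following is an added example, not code from the thread or from Let's Encrypt; the zone data and addresses in it are constructed samples, and the lookup climbs the name tree the way RFC 8659 describes for CAA.

```python
"""Pre-flight check of the DNS answers an ACME CA acts on:
 - every A/AAAA value must be a globally routable address the CA can connect to
   (a link-local fe80:: address, ULA, RFC 1918 or loopback address is unreachable);
 - the effective CAA set, if any exists on the name or an ancestor, must permit
   the issuer (letsencrypt.org) via an "issue" tag.
All sample records below are constructed for the example; in practice feed the
functions the answers from dig."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Issuer domain that Let's Encrypt matches against CAA "issue" tags.
LE_ISSUER = "letsencrypt.org"


def unreachable_addresses(answers: List[str]) -> List[str]:
    """Return the A/AAAA values a CA on the public internet cannot reach."""
    return [text for text in answers if not ipaddress.ip_address(text).is_global]


def _parse_caa(record: str) -> Tuple[int, str, str]:
    """Split a CAA record in dig presentation form, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = record.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def effective_caa(zone: Dict[str, List[str]], name: str) -> Tuple[Optional[str], List[str]]:
    """RFC 8659 lookup: the CAA set of the closest ancestor (the name itself first)
    that has one governs issuance.  Returns (label where found, records) or (None, [])."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = zone.get(candidate, [])
        if records:
            return candidate, records
    return None, []


def caa_permits(zone: Dict[str, List[str]], name: str, issuer: str = LE_ISSUER) -> bool:
    """True if the effective CAA set allows `issuer` to issue a non-wildcard cert.
    No CAA set anywhere up the tree means any CA may issue; 'issue ";"' denies all."""
    _, records = effective_caa(zone, name)
    issue_values = [v for _, tag, v in map(_parse_caa, records) if tag == "issue"]
    if not issue_values:
        return True
    return any(v.split(";")[0].strip() == issuer for v in issue_values)


def preflight(name: str, a_aaaa: List[str], zone: Dict[str, List[str]]) -> List[str]:
    """Collect human-readable problems for one hostname."""
    problems = []
    for addr in unreachable_addresses(a_aaaa):
        problems.append(f"{name}: record {addr} is not globally reachable; fix or remove it")
    if not caa_permits(zone, name):
        where, _ = effective_caa(zone, name)
        problems.append(f"{name}: CAA set at {where} does not permit {LE_ISSUER}")
    return problems


# Constructed sample data (not the real zone): a public IPv4 address plus a
# link-local IPv6 address of the kind the reply above points at.
SAMPLE_ANSWERS = ["93.184.216.34", "fe80::3a60:77ff:fea3:4854"]
ZONE_NO_CAA: Dict[str, List[str]] = {}
ZONE_OTHER_CA = {"example.test": ['0 issue "some-other-ca.example"', '0 iodef "mailto:ops@example.test"']}
ZONE_DENY_ALL = {"example.test": ['0 issue ";"']}

if __name__ == "__main__":
    for line in preflight("www.example.test", SAMPLE_ANSWERS, ZONE_NO_CAA):
        print(line)
    print("other CA only:", caa_permits(ZONE_OTHER_CA, "www.example.test"))
    print("deny all:", caa_permits(ZONE_DENY_ALL, "www.example.test"))
```

The reachability test uses Python's `is_global`, so reserved documentation ranges are also flagged; that is the conservative choice for a pre-check. The CAA climb stops at the first label that has any CAA records, which is why a record on the apex applies to `www` unless `www` has its own set.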

You should remove the AAAA record from your domain name.

2 Likes

Also worth noting for future readers/helpers:
Topic title: Problem with certbot/apache/tomcat
[certbot and Tomcat don't always play well together]

2 Likes

Hi @IlRabbino

I don't understand your initial setup:

Maybe that doesn't work.

Why: there, it is your Tomcat that answers.

Your Tomcat has a webroot. So find that webroot, there create the two subdirectories

yourWebroot/.well-known/acme-challenge

and put a file there (file name 1234), then try to load that file in your browser:

http://www.deltapubblicitasrlshop.it/.well-known/acme-challenge/1234

If that works, you have found your correct webroot. Then use that with --webroot, see

https://certbot.eff.org/docs/using.html

3 Likes

With redirect I mean that I added 2 rules to iptables that redirect connections from port 80 to port 8080 and from port 443 to port 8443. Like this: "iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080"

1 Like
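The test JuergenAuer describes above (drop a file under .well-known/acme-challenge and fetch it over HTTP), combined with the iptables REDIRECT in the previous post, comes down to one question: which directory is the document root of the process that actually answers port 80? With the REDIRECT rule in place that process is Tomcat, not Apache, so a token written under /var/www/html is never served. The script below is an added example, not code from the thread or from certbot; it stands up a local http.server on two temporary directories (standing in for the Apache root and the Tomcat webroot) and shows that the token is only returned from the root the listening server is configured with. Port, directory names and the token are assumptions for the demonstration.

```python
"""Check which directory really answers /.well-known/acme-challenge/ before
pointing certbot --webroot at it.  The token file is placed in one candidate
root; a server is then started with (a) that root and (b) a different root, the
way a REDIRECT to Tomcat makes a different document root answer port 80."""
import os
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, Tuple

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


class QuietHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler without per-request logging on stderr."""

    def log_message(self, format, *args):  # noqa: A002 (signature fixed by base class)
        pass


def place_token(webroot: str, token: str, body: str) -> str:
    """Create webroot/.well-known/acme-challenge/<token>, as certbot --webroot would."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    token_path = os.path.join(path, token)
    with open(token_path, "w", encoding="utf-8") as f:
        f.write(body)
    return token_path


def fetch_challenge(served_root: str, token: str) -> Tuple[int, str]:
    """Serve `served_root` on 127.0.0.1 (an ephemeral port stands in for port 80)
    and fetch the challenge URL the way the CA does.  Returns (status, body)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=served_root))
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{port}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as e:
        # A 404 here is exactly what the CA sees when the webroot is wrong.
        return e.code, e.read().decode("utf-8", errors="replace")
    finally:
        server.shutdown()
        server.server_close()


def demo(token: str = "1234", body: str = "Let's Encrypt") -> Dict[str, Tuple[int, str]]:
    """Token goes into the Apache-style root only.  Querying a server rooted there
    succeeds; querying one rooted elsewhere (the Tomcat stand-in) returns 404."""
    with tempfile.TemporaryDirectory() as apache_root, tempfile.TemporaryDirectory() as tomcat_root:
        place_token(apache_root, token, body)
        right = fetch_challenge(apache_root, token)
        wrong = fetch_challenge(tomcat_root, token)
    return {"right_root": right, "wrong_root": (wrong[0], wrong[1][:40])}


if __name__ == "__main__":
    for name, (status, text) in demo().items():
        print(f"{name}: HTTP {status} {text!r}")
```

The file is deliberately extensionless, as the thread asks for: certbot's tokens have no extension, so a test with 1234.html can pass on a server that only maps known extensions while the real challenge still fails. On a real host, run the same fetch against the public name from outside the network, since the CA connects from the internet and a PREROUTING REDIRECT does not apply to connections made from the box itself.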

I've tried using "certbot certonly --webroot -w "my tomcat webroot" -d "my domain"". But I get the same error.

1 Like

Already done, but doesn't work. Keep getting the same error

1 Like

I am consistently getting a variety of DNS errors trying to look up records for deltapubblicitasrlshop.it and www.deltapubblicitasrlshop.it. Is there a problem with your DNS provider?

For deltapubblicitasrlshop.it...

For www.deltapubblicitasrlshop.it...

1 Like

I don't know, I will ask my provider if something is wrong. But the setup in theory has to be correct. I'll check.

1 Like

Then your webroot is wrong or you have additional definitions.

Your validation file doesn't work.

1 Like

We're more than happy to help with your setup, but if Let's Encrypt is seeing anything like what Let's Debug is seeing, that's definitely the primary concern.

When I use https://toolbox.googleapps.com/apps/dig/ though, I'm getting records consistently.

Could you try running the following, just to see what happens?

sudo certbot certonly --cert-name deltapubblicitasrlshop.it --apache -d "deltapubblicitasrlshop.it,www.deltapubblicitasrlshop.it" --dry-run

This may not work, but it's worth a shot.

That's usually a good sign, unless you actually have a file named test in your webroot directory.

1 Like

If I run "sudo certbot certonly --cert-name deltapubblicitasrlshop.it --apache -d "deltapubblicitasrlshop.it,www.deltapubblicitasrlshop.it" --dry-run" I get the same error.

1 Like

No, I don't have a file called test in my webroot. In the webroot I have only the folder of my project.

1 Like

What is your actual webroot? /var/www/html ? Can you create a file in it named 1234 as @JuergenAuer suggested containing the phrase "Let's Encrypt"?

1 Like

I've created 1234.html containing

Let's encrypt

in /var/www/html/ and in /var/lib/tomcat/webapps/

1 Like

Thanks. :slightly_smiling_face: That's a start. We usually use extensionless files though to test. I'll still look though.

Can the DNS lookup problems be related to the reverse DNS configuration?

1 Like

Please read my reply. File name 1234 is required, not 1234.html.

And

http://www.deltapubblicitasrlshop.it/.well-known/acme-challenge/1234.html

doesn't work, so that's not your webroot.

2 Likes

According to my research, your webroot may be:

/var/lib/tomcat7/webapps/

1 Like