Renewal of certificate is failing on Tomcat

shailenderjain · September 19, 2018, 3:59am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://miniimagesvideos.com

I ran this command: certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/miniimagesvideos.com.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/miniimagesvideos.com/fullchain.pem (skipped)
No renewals were attempted.

My web server is (include version): apache-tomcat-9.0.5
The operating system my web server runs on is (include version): Debian GNU/Linux 9

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes i have installed as root user

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

Visit my site https://miniimagesvideos.com. From the browser i can see that the certificate will expire on 20th Sep Hence, need to urgently update the same

renew_before_expiry = 30 days

version = 0.10.2
archive_dir = /etc/letsencrypt/archive/miniimagesvideos.com
cert = /etc/letsencrypt/live/miniimagesvideos.com/cert.pem
privkey = /etc/letsencrypt/live/miniimagesvideos.com/privkey.pem
chain = /etc/letsencrypt/live/miniimagesvideos.com/chain.pem
fullchain = /etc/letsencrypt/live/miniimagesvideos.com/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = webroot
installer = None
account = 57b7daf7e525cfc2366e261e5d890c68
[[webroot_map]]
miniimagesvideos.com = /opt/apache-tomcat-9.0.5/webapps
www.miniimagesvideos.com = /opt/apache-tomcat-9.0.5/webapps

stevenzhu · September 19, 2018, 4:19am

Hi,

I see that you are using webroot as an authenticator, but does not specify an installer… which in your case means it has successfully requested a new certificate, but the certificate is not applied to your tomcat software automatically.

Please try to restart your tomcat service… which would reflect the renewed certificate.

You could always use certbot certificates to list a list of certificate you obtained from let’s encrypt via certbot & check the expiry date.

Thank you

shailenderjain · September 19, 2018, 4:26am

I already did a restart of the tomcat server. When i use command certbot certificates then i will get the below mentioned message. Here the expiry date is mentioned as 19th Nov, but on the site the certificate details says the certificate will expire on 20th Sep

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: miniimagesvideos.com
Domains: miniimagesvideos.com www.miniimagesvideos.com
Expiry Date: 2018-11-19 11:02:50+00:00 (VALID: 61 days)
Certificate Path: /etc/letsencrypt/live/miniimagesvideos.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/miniimagesvideos.com/privkey.pem

shailenderjain · September 19, 2018, 4:30am

Another important point: I had created original certificate on a different linux machine. However, i abandoned this machine and created a new machine using the image of previous machine

Is this an issue? If yes, then what will be the solution?

stevenzhu · September 19, 2018, 4:31am

Hi,

In this case, can you please check if the tomcat's server configuration points all the certificates files to the (certbot) mentioned folder? (/etc/let's encrypt/live/xxxxxxxx)

I don't really think that's going to be an issue. Since renewals and other things works. You might just have different certificate path than the one certbot default placed to...

Thank you

shailenderjain · September 19, 2018, 5:02am

Yes this is the directory in the tomcat server.xml
keystoreFile="/etc/letsencrypt/live/miniimagesvideos.com/bundle.pfx"

stevenzhu · September 19, 2018, 5:03am

Hi,

Let’s encrypt does not automatically generated pfx files… You’ll need to update the pfx file by yourself to include with the latest certificates…

Thank you

shailenderjain · September 19, 2018, 5:19am

Is there any command to update pfx files? I am not aware

shailenderjain · September 19, 2018, 7:53am

I have used the method at Using let's encrypt with tomcat to install certificates for tomcat. Not sure how to renew

shailenderjain · September 19, 2018, 3:17pm

I have followed the following steps and it worked

openssl pkcs12 -export -out bundle1.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:<>
Went ahead and replaced bundle.pfx with bundle1.pfx

I will close this issue

Thanks you for providing all the response

system · October 19, 2018, 3:17pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Difficulty in renewing letsencrypt certificate Help	8	1125	June 25, 2020
Certbot renew failing to renew my certificates - SERVFAIL looking up A for my site Help	47	2472	November 1, 2020
Https is not working any more http is Help	24	1865	June 16, 2022
It ran out can't renew Help	4	639	January 1, 2021
Cert renewal for tomcat server Help	4	1048	August 5, 2020

Renewal of certificate is failing on Tomcat

Processing /etc/letsencrypt/renewal/miniimagesvideos.com.conf

renew_before_expiry = 30 days

Options used in the renewal process

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Related topics