Renewal of certificate is failing on Tomcat


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://miniimagesvideos.com

I ran this command: certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/miniimagesvideos.com.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/miniimagesvideos.com/fullchain.pem (skipped)
No renewals were attempted.

My web server is (include version): apache-tomcat-9.0.5
The operating system my web server runs on is (include version): Debian GNU/Linux 9

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes, I have installed as root user

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

Visit my site https://miniimagesvideos.com. From the browser I can see that the certificate will expire on 20th Sep. Hence, I need to urgently update the same.

renew_before_expiry = 30 days

version = 0.10.2
archive_dir = /etc/letsencrypt/archive/miniimagesvideos.com
cert = /etc/letsencrypt/live/miniimagesvideos.com/cert.pem
privkey = /etc/letsencrypt/live/miniimagesvideos.com/privkey.pem
chain = /etc/letsencrypt/live/miniimagesvideos.com/chain.pem
fullchain = /etc/letsencrypt/live/miniimagesvideos.com/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = webroot
installer = None
account = 57b7daf7e525cfc2366e261e5d890c68
[[webroot_map]]
miniimagesvideos.com = /opt/apache-tomcat-9.0.5/webapps
www.miniimagesvideos.com = /opt/apache-tomcat-9.0.5/webapps


#2

Hi,

I see that you are using webroot as an authenticator, but do not specify an installer… which in your case means it has successfully requested a new certificate, but the certificate is not applied to your Tomcat software automatically.

Please try to restart your tomcat service… which would reflect the renewed certificate.

You could always use certbot certificates to list the certificates you obtained from Let’s Encrypt via certbot & check the expiry date.

Thank you


#3

I already did a restart of the Tomcat server. When I use the command certbot certificates, I get the below mentioned message. Here the expiry date is mentioned as 19th Nov, but on the site the certificate details say the certificate will expire on 20th Sep.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: miniimagesvideos.com
Domains: miniimagesvideos.com www.miniimagesvideos.com
Expiry Date: 2018-11-19 11:02:50+00:00 (VALID: 61 days)
Certificate Path: /etc/letsencrypt/live/miniimagesvideos.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/miniimagesvideos.com/privkey.pem


#4

Another important point: I had created the original certificate on a different Linux machine. However, I abandoned this machine and created a new machine using the image of the previous machine.

Is this an issue? If yes, then what will be the solution?


#5

Hi,

In this case, can you please check if Tomcat’s server configuration points all the certificate files to the folder certbot mentioned? (/etc/letsencrypt/live/xxxxxxxx)

I don’t really think that’s going to be an issue, since renewals and other things work. You might just have a different certificate path than the one certbot placed it in by default…

Thank you


#6

Yes, this is the directory in the Tomcat server.xml:
keystoreFile="/etc/letsencrypt/live/miniimagesvideos.com/bundle.pfx"


#7

Hi,

Let’s Encrypt does not automatically generate pfx files… You’ll need to update the pfx file yourself to include the latest certificates…

Thank you


#8

Is there any command to update pfx files? I am not aware of one.


#9

I have used the method at Using let's encrypt with tomcat to install certificates for Tomcat. Not sure how to renew.


#10

I have followed the following steps and it worked:

  1. openssl pkcs12 -export -out bundle1.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:<>
  2. Went ahead and replaced bundle.pfx with bundle1.pfx

I will close this issue

Thank you for providing all the responses.
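A worked version of those two steps, added here as an example rather than code from the thread: a POSIX shell script that repacks certbot's live files into the PFX Tomcat reads, swaps it in atomically, and checks that the bundle's leaf certificate matches live/cert.pem (the check that would have explained the stale expiry date seen in #3). It assumes the thread's /etc/letsencrypt/live/<domain>/ layout; the function names and the PFX_PASS variable are this example's own.

```shell
#!/bin/sh
# rebuild-pfx.sh: repack certbot's live PEM files into the PKCS#12 bundle that
# Tomcat reads, then verify the bundle really carries the renewed certificate.
# Paths follow the thread (/etc/letsencrypt/live/<domain>/); the function names,
# the temp-file scheme and the PFX_PASS variable are assumptions of this example.

# build_pfx LIVE_DIR OUT_PFX PASSWORD
# Same openssl invocation as post #10, but the password travels in the
# environment (not in argv, where `ps` can show it) and the file is swapped in
# atomically so a restarting Tomcat never loads a half-written keystore.
build_pfx() {
  live_dir=$1; out=$2
  PFX_PASS=$3; export PFX_PASS
  tmp="$out.tmp.$$"
  openssl pkcs12 -export -out "$tmp" \
    -inkey "$live_dir/privkey.pem" -in "$live_dir/cert.pem" \
    -certfile "$live_dir/chain.pem" -passout env:PFX_PASS \
    || { rm -f "$tmp"; return 1; }
  chmod 600 "$tmp"      # the bundle holds the private key
  mv -f "$tmp" "$out"   # rename(2) is atomic on the same filesystem
}

# cert_fingerprint PEM_FILE: SHA-256 fingerprint of the first certificate in it
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# pfx_fingerprint PFX PASSWORD: SHA-256 fingerprint of the leaf (key-bearing)
# certificate inside the bundle; prints nothing if the password is wrong
pfx_fingerprint() {
  PFX_PASS=$2; export PFX_PASS
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# pfx_is_current PFX PASSWORD LIVE_DIR: succeeds only when the bundle's leaf is
# the cert.pem certbot currently has, i.e. browsers will show the new expiry
pfx_is_current() {
  fp=$(pfx_fingerprint "$1" "$2")
  [ -n "$fp" ] && [ "$fp" = "$(cert_fingerprint "$3/cert.pem")" ]
}

# Run directly as: rebuild-pfx.sh LIVE_DIR OUT_PFX PASSWORD (e.g. from a certbot
# renewal hook), then restart Tomcat as in post #2.
if [ $# -eq 3 ]; then
  build_pfx "$1" "$2" "$3" && pfx_is_current "$2" "$3" "$1" || exit 1
  echo "bundle updated: $2"
fi
```

Run it with the live directory, the keystore path from server.xml and the keystore password (for instance from certbot's --deploy-hook, or --renew-hook on releases as old as the 0.10 shown in the renewal conf), then restart Tomcat as in #2. With OpenSSL 3.x, add -legacy to the export command only if Tomcat's JVM refuses to read the bundle.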


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.