Renewal won't work! Need help in locating the problem

My domain is:

I ran this command: certbot-auto renew --standalone

It produced this output:

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Connection refused, (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

Running post-hook command: sh /root/update_ssl
1 renew failure(s), 0 parse failure(s)


My web server is (include version): Apache Tomcat 8

The operating system my web server runs on is (include version): CentOS 6

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I need to figure out what has changed since the last time(s) I’ve run this.

I do stop Tomcat prior to running certbot-auto (so no one blocking the ports, checked this with netstat). ‘dig A’ shows the correct IP-adress for the server. What else can I check?

Running with “dry-run” produces the same error…

Thankful for all help I can get!


Could you please check if there’s any firewall in place for port 80 / 443?

Thank you

Please show how it was issued previously:

Hi @spinemelter

now you have another error (checked via )

Then not existing file under /.well-known/acme-challenge redirects to your main page.

That can't work.

The redirect http -> https is ok. But fetching a file like

should generate a http status 404 - not found. Not a redirect to /.

Hmm… but right now (when Tomcat is running), it’s a “protected site”, so if you’re not logged in, you are prompted with the login page, and hence shouldn’t be allowed to access a page direct w/o login. This redirect shouldn’t be happening when not running, right? Or are you suggesting that I need to let this path (.well-know/acme-challenge…) be open in Tomcat too?

And if I login first, then try to access this page, I get a 404.

This is the context of my file:

renew_before_expiry = 30 days

version = 0.27.1

archive_dir = /etc/letsencrypt/archive/

cert = /etc/letsencrypt/live/

privkey = /etc/letsencrypt/live/

chain = /etc/letsencrypt/live/

fullchain = /etc/letsencrypt/live/

Options used in the renewal process


authenticator = standalone

account = 5952c3792718fad6e4e1a386cbda1b85

post_hook = sh /root/update_ssl

server =

Letsencrypt checks such a file:

and has no login.

How does this work?
Isn't there a running web service on port 80 right now?

Ok.. being a bit of newbie here... If I stop Tomcat, that will stop the web app running, which has the actual protected stuff. How can certbot-auto see that protection?? It's not set up via the default apache conf or something like that, but within a web.xml whitin a .war (so not even Tomcats standard web.xml). Not saying you're wrong, just saying I cannot understand how certbot can set up the same "authentication protected" site.

Yes, but since I don't run a web server that has a plugin, I stop tomcat and run certbot as a standalone (which has worked without problem the last year)

That seems rather unnecessary.
Have you tried using --webroot ?
Or maybe even DNS authentication...

If you have a running webserver, you should use this server to validate your domain.

Not a --standalone, which stops your running server. So webroot

certbot run -a webroot -i apache -w /var/www/html -d

should be your option.

Ok.. this presents a couple of questions.

  1. Tomcat is not Apache, so there is no "static web root" (aka. /var/www/html), so where should I point the -w switch? To the webapps/ or work/ dir? Or conf/Catalina/localhost..?
  2. Looking at the certbot-auto site, the "only" way for me, using Tomcat on CentOS 6, is with standalone... but this is not true, then?

Ok, I've opened up (on my local computer) so you get a "404" when trying to access the .well-known... (instead of a redirect to "/"), so I'm going to test it out later on my server. I'll get back with more info! :slight_smile:

Each virtual host should have a document root.
Webroot needs to point there.
And the auth folder would be:
{document root}/.well-known/acme-challenge/

@JuergenAuer and @rg305

Thank you so very much for your help, and not giving up, even though I was being a bit… thick… :slight_smile:

So, opened up the /.well-known/… in my web app, then (w/o stopping Tomcat) I ran (as suggested)

certbot-auto renew -a webroot -w /usr/local/tomcat8.0.35/webapps/ROOT

And - Ta-da! - I now have a renewed cert! Again, Thank you, thank you!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.