I ran this command: certbot-auto renew --standalone
It produced this output:
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for manalyze.net
http-01 challenge for www.manalyze.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (manalyze.net) from /etc/letsencrypt/renewal/manalyze.net.conf produced an unexpected error: Failed authorization procedure. manalyze.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://manalyze.net/.well-known/acme-challenge/iIbaFb0YYqi7g8qCMszKYjV40tPqL9vPo7WWNDnfsVE: Connection refused, www.manalyze.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.manalyze.net/.well-known/acme-challenge/el_KdVzylHKx5ci6_xCXdCCBX4z0z5BgHS8FuXorP3s: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/manalyze.net/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/manalyze.net/fullchain.pem (failure)
My web server is (include version): Apache Tomcat 8
The operating system my web server runs on is (include version): CentOS 6
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
I need to figure out what has changed since the last time(s) I’ve run this.
I do stop Tomcat prior to running certbot-auto (so no one blocking the ports, checked this with netstat). ‘dig A manalyze.net’ shows the correct IP-adress for the server. What else can I check?
Hmm… but right now (when Tomcat is running), it’s a “protected site”, so if you’re not logged in, you are prompted with the login page, and hence shouldn’t be allowed to access a page direct w/o login. This redirect shouldn’t be happening when not running, right? Or are you suggesting that I need to let this path (.well-know/acme-challenge…) be open in Tomcat too?
Ok.. being a bit of newbie here... If I stop Tomcat, that will stop the web app running, which has the actual protected stuff. How can certbot-auto see that protection?? It's not set up via the default apache conf or something like that, but within a web.xml whitin a .war (so not even Tomcats standard web.xml). Not saying you're wrong, just saying I cannot understand how certbot can set up the same "authentication protected" site.
Yes, but since I don't run a web server that has a plugin, I stop tomcat and run certbot as a standalone (which has worked without problem the last year)
Tomcat is not Apache, so there is no "static web root" (aka. /var/www/html), so where should I point the -w switch? To the webapps/ or work/ dir? Or conf/Catalina/localhost..?
Looking at the certbot-auto site, the "only" way for me, using Tomcat on CentOS 6, is with standalone... but this is not true, then?
Ok, I've opened up (on my local computer) so you get a "404" when trying to access the .well-known... (instead of a redirect to "/"), so I'm going to test it out later on my server. I'll get back with more info!
