Renewing certs on Tomcat 8

I need to renew a cert but am only using Tomcat, not Apache. $ sudo certbot renew looks for the Apache httpd process so fails. I need an option where it doesn’t create more headaches by trying to be helpful and just renews the certs and spits out the PEM files to a directory so I can convert them to PKCS#12 and put them in a JKS for Tomcat.

I did certbot certonly --standalone -d domain name as suggested in "How to renew SSL certificate on Ubuntu 16, I am using tomcat 8" and got:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for settings.lighthouse-monitoring.com
Cleaning up challenges
Problem binding to port 443: Could not bind to IPv4 or IPv6.

I’m not sure it actually generated anything, also why is it trying to bind to port 443?

If I can’t renew them can I recreate them from scratch for an existing domain? Do I have to wait for the current ones to expire first?

What this comes down to is that you need something to respond to the challenge request and prove you control the domain. It seems that at one point you did this with Apache, so the renew command tried to do that again, but Apache is no longer available. There's no plugin for Tomcat specifically, so that tutorial suggested you use standalone. This is usually a last resort, because it runs a standalone server to respond to the challenge request. In order to do so, you would need to use the --pre-hook and --post-hook flags to stop and start Tomcat before and after renewal. Hardly ideal.

You might want to consider using the webroot plugin. Are you able to serve text files from .well-known/acme-challenge directory? If so, you would use certbot certonly --webroot -w <web root path> -d <domain>. Note that web root path is the path for serving files from / on your web server. Certbot will place challenge files in subdirectories it creates, if necessary, under this path so that the challenge file is accessible from .well-known/acme-challenge.
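The two routes described in the reply (webroot, or standalone wrapped in pre/post hooks) and the PEM-to-PKCS#12/JKS repackaging the question asks about, as an added example that is not part of the original thread. The domain, the Tomcat webroot, the keystore path, the password and the systemd unit name tomcat8 are assumptions; substitute your own. The certbot and keytool calls are only built or invoked inside functions, so the file can be sourced without touching the live system.

```shell
#!/bin/sh
# Added example, not from the original thread. Renew a Let's Encrypt cert on a
# Tomcat-only host and repackage certbot's PEM output for Tomcat's keystore.

DOMAIN="example.com"                          # assumption: your domain
WEBROOT="/var/lib/tomcat8/webapps/ROOT"       # assumption: Tomcat 8 document root
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"      # certbot's standard output location
P12_OUT="/etc/tomcat8/keystore.p12"           # assumption: where Tomcat reads the store
JKS_OUT="/etc/tomcat8/keystore.jks"           # assumption: only if you want JKS
TOMCAT_UNIT="tomcat8"                         # assumption: systemd unit name

# Preferred route: webroot plugin. Tomcat keeps running; certbot drops the
# challenge token under $WEBROOT/.well-known/acme-challenge/ and the CA
# fetches it over plain HTTP on port 80.
certbot_webroot_cmd() {
  printf 'certbot certonly --webroot -w %s -d %s' "$WEBROOT" "$DOMAIN"
}

# Fallback route: standalone. certbot binds the port itself, so Tomcat must be
# stopped around the renewal, which is exactly what the hooks do. This is the
# "Problem binding to port" failure from the question, solved the blunt way.
certbot_standalone_cmd() {
  printf 'certbot certonly --standalone -d %s --pre-hook "systemctl stop %s" --post-hook "systemctl start %s"' \
    "$DOMAIN" "$TOMCAT_UNIT" "$TOMCAT_UNIT"
}

# Bundle privkey.pem + fullchain.pem into one PKCS#12 file. Tomcat 8 can load
# this directly with keystoreType="PKCS12" in the Connector element.
# Verification at the end re-reads the bundle with the password, so a wrong
# password or a truncated file fails here rather than at Tomcat start-up.
pem_to_pkcs12() {
  key="$1"; chain="$2"; out="$3"; pass="$4"
  openssl pkcs12 -export -inkey "$key" -in "$chain" -name tomcat \
    -out "$out" -passout "pass:$pass" || return 1
  chmod 600 "$out"
  openssl pkcs12 -in "$out" -passin "pass:$pass" -nokeys -noout
}

# Optional: convert the PKCS#12 bundle into a JKS if you prefer keystoreType="JKS".
# Older Java releases cannot read the AES/PBKDF2 defaults OpenSSL 3 uses for
# -export; if keytool rejects the file, regenerate it with "openssl pkcs12 -legacy".
pkcs12_to_jks() {
  src="$1"; dst="$2"; pass="$3"
  keytool -importkeystore -srckeystore "$src" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -destkeystore "$dst" -deststoretype JKS -deststorepass "$pass" -noprompt
}

# Full run: renew via webroot, repackage, restart Tomcat so it reloads the store.
renew_and_repackage() {
  pass="$1"
  eval "$(certbot_webroot_cmd)" || return 1
  pem_to_pkcs12 "$LIVE_DIR/privkey.pem" "$LIVE_DIR/fullchain.pem" "$P12_OUT" "$pass" || return 1
  systemctl restart "$TOMCAT_UNIT"
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
# Usage: KEYSTORE_PASS=changeit sh renew-tomcat.sh --run
if [ "${1:-}" = "--run" ]; then
  renew_and_repackage "${KEYSTORE_PASS:?set KEYSTORE_PASS}"
fi
```

Running the conversion from a certbot --deploy-hook instead of by hand keeps the keystore in step with every automatic renewal; the hook only fires when a certificate was actually issued, unlike --post-hook, which runs on every attempt.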
