SSL on Tomcat 10

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bjmanch.org

I ran this command:
sudo certbot certonly --standalone
It produced this output:
Fetching http://bjmanch.org/.well-known/acme-challenge/_yBvszRUOtBjVLSM4WBvI1ZAaFaP644X8w5rOjYOIa8: Timeout during connect (likely firewall problem)

My web server is (include version):
TomEE 9.1.3
The operating system my web server runs on is (include version):
Debian 12
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
2.11.0

1 Like

Welcome @satinder

Generally you use --standalone only when you do not plan to run a webserver. But, it looks like you have Tomee. Can you reach that server from the public internet on any port?

Using --standalone requires Certbot to have exclusive use of port 80, which means stopping any service that normally uses it. If you want a webserver on that port to redirect people from HTTP to your HTTPS, it is not best to stop it just for the cert request.

You should look at using certbot certonly --webroot -w (folder) option instead.

Because of the "timeout" error I think there is a firewall or comms config issue still to work out regardless of method. That error meant the Let's Encrypt Auth Server could not reach your domain using HTTP (port 80). To use your Tomee/Tomcat server for an HTTP challenge you will also have to reach it on port 80. But, that is easier to debug than standalone which only listens while it is running.

Let us know how you want to proceed if you want further help.

2 Likes

I see nginx on port 80:

curl -Ii http://bjmanch.org/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 200 OK
server: nginx/1.20.1       <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
date: Sun, 22 Sep 2024 23:33:27 GMT
content-type: text/html
content-length: 2873
last-modified: Mon, 09 Sep 2024 08:47:20 GMT
etag: "66deb618-b39"
accept-ranges: bytes

3 Likes

I guess this is progress from the "timeout" problems. In any case, that nginx server looks like the hosting company parking facility.

@satinder I think you need to work with your hosting company to sort out your basic setup. Focus on getting HTTP requests to your domain and Tomcat working from the public internet.

curl -i http://bjmanch.org/.well-known/acme-challenge/Test404

HTTP/1.1 200 OK
server: nginx/1.20.1

<!DOCTYPE html>
<html lang="en">
<head>
...
  <title>Domain parking page</title>
...
</head>
<body>
...
<p>This domain name is parked for FREE by 
<strong><a href="https://fasthosts.co.uk/
3 Likes
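The two probes above (the HEAD request that revealed nginx, and the 200 for a path that should not exist) can be turned into a repeatable pre-flight check for the HTTP-01 challenge before running Certbot again. This is an added example, not code from the thread or from Certbot; the classification rules and the sample response headers are constructed here, and the only outside call is curl.

```shell
#!/bin/sh
# Pre-flight check for an HTTP-01 challenge path: ask for a token that was never
# placed and interpret what the ACME validator would see on port 80.

# classify_probe STATUS SERVER_HEADER -> one-line diagnosis (rules are ours, not Certbot's)
classify_probe() {
  status="$1"; server="$2"
  case "$status" in
    000) echo "unreachable: nothing answered on port 80 (firewall, NAT or DNS)" ;;
    404) echo "ok: host reachable and unknown token rejected by ${server:-unknown server}" ;;
    200) echo "suspicious: 200 for a token never placed; ${server:-unknown server} is a catch-all (parking page?)" ;;
    3*)  echo "redirect: validator will follow it; make sure the target serves the same webroot" ;;
    *)   echo "unexpected: HTTP $status from ${server:-unknown server}" ;;
  esac
}

# parse_headers: raw response headers on stdin -> "STATUS SERVER" ("-" if no Server header)
parse_headers() {
  awk 'NR==1 {status=$2}
       tolower($1)=="server:" {sub(/^[^:]*:[ \t]*/,""); sub(/\r$/,""); srv=$0}
       END {print status, (srv=="" ? "-" : srv)}'
}

# probe_domain DOMAIN: perform the live HEAD request (same URL shape the validator uses)
probe_domain() {
  domain="$1"
  token="preflight_$(date +%s)_$$"          # random-looking path that nobody has created
  hdrs=$(curl -sI --max-time 10 "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null) || hdrs=""
  if [ -z "$hdrs" ]; then
    classify_probe 000 ""                    # curl got no response at all
    return
  fi
  printf '%s\n' "$hdrs" | parse_headers | { read -r st srv; classify_probe "$st" "$srv"; }
}

# Constructed sample, modelled on the headers quoted in the thread (no arrows, as a real reply has).
SAMPLE_PARKED='HTTP/1.1 200 OK
server: nginx/1.20.1
content-type: text/html'

# Usage: sh preflight.sh your.domain.example
if [ -n "${1:-}" ]; then probe_domain "$1"; fi
```

Run it with the domain as the only argument; a "suspicious" verdict means DNS for the name still points at something other than the server whose webroot you intend to hand to certbot --webroot.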

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.