Staging URL in Tomcat WebApp is returning Session Metadata null

npavar · June 1, 2021, 7:59am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I am testing with LetsEncrypt with acme4j client , in my tomcat webapp whose the IP is internal .
I ran this command:
i am using org.shredzone.acme4j package in Java program to create session like this below.
Session session = new Session("https://acme-staging-v02.api.letsencrypt.org/directory");
It produced this output:
Session MetaData null.
My web server is (include version):
apache-tomcat-9.0.41
The operating system my web server runs on is (include version):
Red Hat Enterprise Linux release 8.2 (Ootpa)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
acme4j-utils-2.11.jar acme4j-client-2.11.jar

webprofusion · June 1, 2021, 8:06am

I think your machine is failing to make the https request to https://acme-staging-v02.api.letsencrypt.org/directory

I'm pretty sure "Metadata null" means it can't get the directory info acme4j/Session.java at master · shred/acme4j · GitHub

npavar · June 1, 2021, 12:18pm

Though i can access the URL via browser, but not from tomcat WebApp. Does any certs need to be placed in RHEL/Tomcat Trust Store ?.

webprofusion · June 2, 2021, 3:13am

Sorry I don't know that much about Tomcat, I presume the browser you are using is on your (Windows?) desktop and not Redhat. Try using curl https://acme-staging-v02.api.letsencrypt.org/directory on the linux server to see if you can fetch from the Let's Encrypt API, if not then that would be the problem. If outgoing https requires a proxy then you'd have to tell acme4j that.

I presume you are trying to write an app which automatically maintains it's own certificate rather than just using Certbot or some other linux ACME client?

npavar · June 2, 2021, 4:49am

Thank you for responding.I am using Redhat OS . I can access the Staging URL in browser in Redhat , but not in java client with linux ACME4j.jar client (org.shredzone.acme4j). With this client , i am trying to register the account and accept Terms of Service and getting metadata null using below call
Session session = new Session("https://acme-staging-v02.api.letsencrypt.org/directory");

webprofusion · June 3, 2021, 3:37am

I notice their example code doesn't use the real API url at all and instead it seems to want you to use
Session session = new Session("acme://letsencrypt.org/staging");

https://shredzone.org/maven/acme4j/example.html#the-main-workflow

shred · June 10, 2021, 10:30am

Actually Session.getMetadata() never returns null, even if there is no metadata in the directory resource. There must be another reason for it. However it is hard to find the cause without looking at the source code.

You can enable debug logging by setting slf4j's log level of org.shredzone.acme4j to DEBUG. acme4j will then also log the full client/server communication. It should give a good hint about the cause of the problem.

BTW, for new Session() you can use both the https:// and acme:// style URI. However acme: URIs should be preferred.

npavar · June 16, 2021, 5:13am

Thanks for the responses.
I figured out the problem to be with firewall issue. I had added proxy to session to get through the creation process. But now ended up with this error while HTTPS validation.

Challenge has failed, reason: DNS problem: NXDOMAIN looking up A for <<myhost.domain.com>> check that a DNS record exists for this domain.

I am trying to get cert downloaded for my application in VM , which is not in public domain, i get above error.
How do we use LetsEncrypt for Private IP's for testing purpose .

Osiris · June 16, 2021, 5:49am

There you have your issue: Let's Encrypt is a public CA and therefore can only issue certificates for public domains.

npavar · June 16, 2021, 6:25am

I need to do this on my test server for this lets-encrypt solution feasibility. Can you please suggest any alternatives here ?.

webprofusion · June 16, 2021, 8:06am

The cert is for the domain (e.g. dev-01.yourdomain.com), not the IP. If you have access to administer the DNS for your domain you can use DNS validation instead of http validation. If you don't then you need to use http validation, so you can only get certificates for publicly visible servers.

Osiris · June 16, 2021, 10:45am

You could perhaps use Pebble, a miniature version of the ACME server software used by Let's Encrypt (Boulder), for testing purposes only.