The Certificate Authority failed to download the temporary challenge files created by Certbot

Hello,

My domain is: bstpoc.serviceconnect.defence.gov.au

I ran this command: certbot certonly and certbot certonly --webroot

It produced this output:
Input the webroot for bstpoc.serviceconnect.defence.gov.au: (Enter 'c' to
cancel): C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: bstpoc.serviceconnect.defence.gov.au
Type: dns
Detail: DNS problem: query timed out looking up A for bstpoc.serviceconnect.defence.gov.au; DNS problem: query timed out looking up AAAA for bstpoc.serviceconnect.defence.gov.au

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache Tomcat 9

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0. Tried also 2.8.0

We have turned off the local firewall, removed the Network Security Group in Azure, and disabled Group Policies, but no luck. No change was made recently. The website stopped working yesterday. The status in Azure shows: "Backend server certificate expired". Checked the certificate and it is valid till March 2024. The DNS entry is correct.

If we put the path in quotes at the prompt (Input the webroot for bstpoc.serviceconnect.defence.gov.au: (Enter 'c' to cancel): "C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT"), it says "C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT" does not exist or is not a directory. Tried using the path below as well (screenshot attached), but no luck.

Kindly assist us in resolving the issue.

Hello @FM2023, welcome to the Let's Encrypt community. :slightly_smiling_face:

For

I would discourage the use of Certbot, see

1 Like

Hi,

Thank you for your response.

We will look into the link you have provided but for now we need to get our site up and running.

2 Likes

Your best bet to

Would be: To switch to another ACME client specifically written for Windows.
[Like: https://certifytheweb.com/]

Otherwise, you could walk through the process manually.
[if you have access to the DNS zone, that would be the quickest "manual" method]

1 Like

OR

You could look for the [renewed] cert that was issued on the third day of December 2023:


[that one is good through the second day of March 2024]

Perhaps all it needs is a service restart to pickup the newer cert.

2 Likes

Thank you for the prompt response.
We did check the cert that was renewed in December 2023, but we are unsure why the status shows "Backend server certificate has expired". The AppGW listener has the right certificate. We also restarted the VM where Apache Tomcat is located.

1 Like

Using openssl I can connect to that domain and get the cert from Dec 3.

But, trying an actual HTTPS request gets an HTTP 502 error. Is this the error you see?

curl -i https://bstpoc.serviceconnect.defence.gov.au
HTTP/1.1 502 Bad Gateway
Server: Microsoft-Azure-Application-Gateway/v2

Also, the error in your cert request in first post clearly pointed to a DNS problem which is readily seen by other DNS testing sites

See
https://unboundtest.com/m/A/bstpoc.serviceconnect.defence.gov.au/GPQGFQXP
or
https://dnsviz.net/d/bstpoc.serviceconnect.defence.gov.au/dnssec/

3 Likes
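As an added example (not code from the thread, from Certbot or from Let's Encrypt), the script below parses the "Domain:/Type:/Detail:" report that Certbot prints when the CA rejects a challenge and says which layer actually failed. The point it makes is the one raised above: the closing "failed to download the temporary challenge files" hint is printed for every webroot failure, while the Type and Detail lines show that here the CA's resolver timed out on both the A and AAAA lookups, so the webroot was never fetched at all. The sample report is the one from the first post, embedded as constructed input; the challenge URL and file path it derives assume Tomcat's ROOT webapp serves the directory given as the webroot (an assumption, not something the thread confirms), and the advice strings are this example's own mapping of ACME error types to layers.

```python
"""Triage a Certbot 'failed to authenticate' report (added example, not Certbot code)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: the report from the first post in this thread, trimmed.
SAMPLE_REPORT = """\
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: bstpoc.serviceconnect.defence.gov.au
Type: dns
Detail: DNS problem: query timed out looking up A for bstpoc.serviceconnect.defence.gov.au; DNS problem: query timed out looking up AAAA for bstpoc.serviceconnect.defence.gov.au

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
"""

# Certbot prints the ACME error type with the urn:ietf:params:acme:error: prefix removed.
# This mapping of types to the layer that failed is the example's own, not Certbot's.
LAYER_BY_TYPE = {
    "dns": "dns",            # resolver could not get an answer for the name
    "caa": "dns",            # CAA record forbids issuance
    "connection": "network", # name resolved, but port 80 was unreachable
    "tls": "network",
    "unauthorized": "webroot",  # port 80 answered, token content was wrong/404
}

_BLOCK = re.compile(
    r"Domain: (?P<domain>\S+)\s*\n\s*Type: (?P<error_type>\S+)\s*\n\s*Detail: (?P<detail>[^\n]*)"
)


@dataclass
class Failure:
    domain: str
    error_type: str
    detail: str


def parse_report(text: str) -> list[Failure]:
    """Return one Failure per Domain/Type/Detail block in a Certbot report."""
    text = text.replace("\r\n", "\n")
    return [Failure(m["domain"], m["error_type"], m["detail"].strip()) for m in _BLOCK.finditer(text)]


def timed_out_lookups(detail: str) -> set[str]:
    """Record types (A/AAAA) whose lookup the CA reported as timed out."""
    return set(re.findall(r"query timed out looking up (A|AAAA) for", detail))


def triage(failure: Failure) -> tuple[str, str]:
    """Map a failure to (layer, advice); the layer is what decides where to look first."""
    layer = LAYER_BY_TYPE.get(failure.error_type, "other")
    if layer == "dns":
        lookups = timed_out_lookups(failure.detail)
        if lookups:
            advice = (
                f"{'/'.join(sorted(lookups))} lookups timed out: the CA's resolver got no answer from "
                "the authoritative name servers, so the webroot was never fetched. Fix the zone or raise "
                "it with the DNS provider before touching the web server."
            )
        else:
            advice = "The CA could not resolve the name; check the A/AAAA and CAA records before retrying."
    elif layer == "network":
        advice = "The name resolved but port 80 was unreachable; check firewall, NSG and load-balancer rules."
    elif layer == "webroot":
        advice = "Port 80 answered with the wrong content; the -w path is not the directory that is served."
    else:
        advice = f"Unhandled ACME error type {failure.error_type!r}; read the Detail line."
    return layer, advice


def challenge_location(domain: str, webroot: str, token: str) -> tuple[str, str]:
    """URL the CA fetches for HTTP-01 and the file Certbot must be able to write for it.

    Assumes the webroot directory is served as the site root (e.g. Tomcat's ROOT webapp).
    """
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    path = PureWindowsPath(webroot) / ".well-known" / "acme-challenge" / token
    return url, str(path)


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        layer, advice = triage(f)
        print(f"{f.domain}: {f.error_type} -> {layer}\n  {advice}")
    print(challenge_location("bstpoc.serviceconnect.defence.gov.au",
                             r"C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT", "TOKEN"))
```

Run it on the saved Certbot output (or C:\Certbot\log\letsencrypt.log) before changing anything on the server: a "dns" layer means the CA never got as far as port 80, so firewall and webroot changes cannot fix it. The `challenge_location` output is what to test from outside the network once DNS answers, by writing a file at the returned path and fetching the returned URL.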

Tomcat may require some extra step(s) for it to use the cert.
[depending on the version and how it has been configured]
I suspect that it may require the cert in a keystore file and that this step hasn't been automated.
Whoever added the current cert to Tomcat should have notes on how that was done.

2 Likes

Maybe see this regarding Tomcat cert and chain

1 Like

Thank you for this info. We logged a ticket with DNS provider and they fixed the issue.

3 Likes
