Trouble getting first certificate

I am unsure what to do about the error below.
i.e. “The client lacks sufficient authorization :: Invalid response from http://siegfried.aps.uoguelph.ca/.well-known/acme-challenge/72nb…”

Any help would be appreciated.

I have just installed Tomcat 8.5.37 on a new CentOS 7.6 server.
It is on port 80.

My domain is: siegfried.aps.uoguelph.ca

I ran this command:

certbot certonly --webroot -w /opt/tomcat/webapps/ -d aps.uoguelph.ca -d siegfried.aps.uoguelph.ca

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aps.uoguelph.ca
http-01 challenge for siegfried.aps.uoguelph.ca
Using the webroot path /opt/tomcat/webapps for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. siegfried.aps.uoguelph.ca (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://siegfried.aps.uoguelph.ca/.well-known/acme-challenge/72nb-JroygKOD9kdUHHbIZ8qKVsH5gVuR5aDecNbC0I: "<!doctype html><html lang="en">HTTP Status 404 \u2013 Not Found<style type="text/css">h1 {font-family:Tahoma,A"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: siegfried.aps.uoguelph.ca
    Type: unauthorized
    Detail: Invalid response from
    http://siegfried.aps.uoguelph.ca/.well-known/acme-challenge/72nb-JroygKOD9kdUHHbIZ8qKVsH5gVuR5aDecNbC0I:
    "<!doctype html><html lang="en">HTTP Status 404 –
    Not Found<style type="text/css">h1 {font-family:Tahoma,A"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): tomcat 8.5.37

The operating system my web server runs on is (include version): centos 7.6

Yes, I can log in to a root shell on my machine and I have root access.

Is this the real webroot? I.e., if you'd put a file named testfile at /opt/tomcat/webapps/testfile, can you access it at http://siegfried.aps.uoguelph.ca/testfile?

I put testfile in /opt/tomcat/webapps and it is not accessible;
however, if I put it in /opt/tomcat/webapps/examples it is:
http://siegfried.aps.uoguelph.ca/examples/testfile

I guess I am not sure where the server webroot is?

OK, now I found the root to maybe be "ROOT", and when I try this it times out saying "firewall problem";
see below.
At my university we do have a perimeter firewall but it does not block port 80.

[root@siegfried webapps]# certbot certonly --webroot -w /opt/tomcat/webapps/ROOT/ -d aps.uoguelph.ca -d siegfried.aps.uoguelph.ca
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aps.uoguelph.ca
http-01 challenge for siegfried.aps.uoguelph.ca
Using the webroot path /opt/tomcat/webapps/ROOT for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. aps.uoguelph.ca (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://aps.uoguelph.ca/.well-known/acme-challenge/b50jihuMge42ibN2-ydnQ7SmtBi-oVk4i4UtpvRZ-Uo: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: aps.uoguelph.ca
    Type: connection
    Detail: Fetching
    http://aps.uoguelph.ca/.well-known/acme-challenge/b50jihuMge42ibN2-ydnQ7SmtBi-oVk4i4UtpvRZ-Uo:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Update

I eliminated the -d aps.uoguelph.ca and it seems to have worked…
But I am still unsure if ROOT will be OK for subsequently installed tomcat webapps.

]# certbot certonly --webroot -w /opt/tomcat/webapps/ROOT/ -d siegfried.aps.uoguelph.ca
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for siegfried.aps.uoguelph.ca
Using the webroot path /opt/tomcat/webapps/ROOT for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/siegfried.aps.uoguelph.ca/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/siegfried.aps.uoguelph.ca/privkey.pem
    Your cert will expire on 2019-03-23. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Hi @bszk,

aps.uoguelph.ca and siegfried.aps.uoguelph.ca are separate machines with separate IP addresses. At least with the --webroot method, Certbot will only get a certificate for the machine that you run it on (although it can get certificates for many domain names that point to that machine).

So, you would normally not be able to get a certificate for aps.uoguelph.ca with certbot --webroot unless you run it on that machine. (It's also true that there needs to be an existing publicly-accessible web server running there that listens on port 80, in order to use the webroot method.)

Can you explain more about what you plan to do in the future that you're unsure about?
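
An added pre-flight check for the two failures seen above (example code, not from this thread or from certbot): it resolves each name, compares the addresses with this host's own (passed in, e.g. from `hostname -I`), and drops a probe file where certbot would write its token to see whether it comes back over plain HTTP. The resolver and fetcher are parameters so the logic can be exercised offline; the probe file name is a made-up one.

```python
# Added example (not from the thread or certbot): pre-flight for certbot --webroot.
import socket
import urllib.error
import urllib.request
from pathlib import Path

ACME_PATH = ".well-known/acme-challenge"

def default_resolve(name):
    """Addresses the name resolves to; raises OSError if it does not resolve."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)}

def default_fetch(url, timeout=10):
    """Plain-HTTP GET, as the validation server does; (None, '') if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except OSError:  # URLError, socket timeout, connection refused
        return None, ""

def check_webroot(webroot, domains, local_ips, resolve=default_resolve, fetch=default_fetch):
    """Verdict per domain. Drops a probe file where certbot writes its token and
    fetches it over HTTP, so the thread's 404 / timeout / other-machine cases show up."""
    chal_dir = Path(webroot) / ACME_PATH
    chal_dir.mkdir(parents=True, exist_ok=True)
    probe = chal_dir / "certbot-preflight-probe"  # hypothetical probe name
    probe.write_text("probe-ok")
    verdicts = {}
    try:
        for domain in domains:
            try:
                addrs = resolve(domain)
            except OSError:
                verdicts[domain] = "DNS: name does not resolve"
                continue
            if not addrs & set(local_ips):  # aps.uoguelph.ca case: another host
                verdicts[domain] = "points elsewhere (%s): run certbot there" % ", ".join(sorted(addrs))
                continue
            status, body = fetch(f"http://{domain}/{ACME_PATH}/{probe.name}")
            if status is None:
                verdicts[domain] = "timeout: port 80 not reachable from outside"
            elif status == 200 and body.strip() == "probe-ok":
                verdicts[domain] = "ok"
            else:  # 404 here means webroot is not the directory served at /
                verdicts[domain] = f"HTTP {status}: {webroot} is not served at /"
    finally:
        probe.unlink()  # leave the webroot as we found it
    return verdicts
```

Run it with the real defaults as `check_webroot("/opt/tomcat/webapps/ROOT", ["siegfried.aps.uoguelph.ca"], ["<this host's public IP>"])` before invoking certbot; a verdict of "ok" for every name is what the http-01 challenge needs.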

Thanks for the message.

It seems all is well now that I got the cert for “siegfried.aps.uoguelph.ca”

This is a test system for now and it will ultimately get a different IP address and dns name. This is so it can be used for existing production tomcat applications.

I wonder if I will need a new certificate when that happens? Probably in January.

Bill

You won’t need a new certificate for a new IP address, but you’ll need a new one for the new DNS name.

Thanks… Happy holidays!
