It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aps.uoguelph.ca
http-01 challenge for siegfried.aps.uoguelph.ca
Using the webroot path /opt/tomcat/webapps for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. siegfried.aps.uoguelph.ca (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://siegfried.aps.uoguelph.ca/.well-known/acme-challenge/72nb-JroygKOD9kdUHHbIZ8qKVsH5gVuR5aDecNbC0I: "<!doctype html><html lang="en">HTTP Status 404 \u2013 Not Found<style type="text/css">h1 {font-family:Tahoma,A"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): tomcat 8.5.37
The operating system my web server runs on is (include version): centos 7.6
Yes I can login to a root shell on my machine and I have root access
OK. Now I found the root to maybe be "ROOT", and when I try this it times out saying "firewall problem".
see below
At my university we do have a perimeter firewall, but it does not block port 80.
[root@siegfried webapps]# certbot certonly --webroot -w /opt/tomcat/webapps/ROOT/ -d aps.uoguelph.ca -d siegfried.aps.uoguelph.ca
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aps.uoguelph.ca
http-01 challenge for siegfried.aps.uoguelph.ca
Using the webroot path /opt/tomcat/webapps/ROOT for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. aps.uoguelph.ca (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://aps.uoguelph.ca/.well-known/acme-challenge/b50jihuMge42ibN2-ydnQ7SmtBi-oVk4i4UtpvRZ-Uo: Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
I eliminated the -d aps.uoguelph.ca and it seems to have worked…
But I am still unsure if ROOT will be OK for subsequently installed tomcat webapps.
]# certbot certonly --webroot -w /opt/tomcat/webapps/ROOT/ -d siegfried.aps.uoguelph.ca
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for siegfried.aps.uoguelph.ca
Using the webroot path /opt/tomcat/webapps/ROOT for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/siegfried.aps.uoguelph.ca/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/siegfried.aps.uoguelph.ca/privkey.pem
Your cert will expire on 2019-03-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
“certbot renew”
If you like Certbot, please consider supporting our work by:
aps.uoguelph.ca and siegfried.aps.uoguelph.ca are separate machines with separate IP addresses. At least with the --webroot method, Certbot will only get a certificate for the machine that you run it on (although it can get certificates for many domain names that point to that machine).
So, you would normally not be able to get a certificate for aps.uoguelph.ca with certbot --webroot unless you run it on that machine. (It's also true that there needs to be an existing publicly-accessible web server running there that listens on port 80, in order to use the webroot method.)
Can you explain more about what you plan to do in the future that you're unsure about?
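An added example (not from this thread or from certbot) that rehearses the http-01 webroot check locally before asking the CA: it drops a token file under <webroot>/.well-known/acme-challenge/ the way certbot --webroot does, fetches it the way the CA would, and classifies the three outcomes seen above (file served, a 404 because the webroot given to certbot is not the directory the web server actually exposes, and no connection at all). The temporary directories and the loopback HTTP server are constructed for the demo.

```python
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"


def place_token(webroot):
    """Mimic certbot --webroot: write a random token file under the
    challenge directory and return (token, expected_body)."""
    token = secrets.token_urlsafe(32)
    body = secrets.token_urlsafe(32)  # stands in for token.<account thumbprint>
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as f:
        f.write(body)
    return token, body


def probe(base_url, token, expected, timeout=3):
    """Fetch the URL the CA would request and classify what came back."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            got = resp.read().decode().strip()
    except urllib.error.HTTPError as e:          # server answered, but not with the file
        return "wrong_webroot" if e.code == 404 else f"http_{e.code}"
    except (urllib.error.URLError, OSError):     # refused or timed out: "connection" error
        return "unreachable"
    return "ok" if got == expected else "wrong_content"


def serve(directory):
    """Throwaway HTTP server on an ephemeral loopback port serving `directory`."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    served = tempfile.mkdtemp()    # the directory the web server really exposes (ROOT)
    unserved = tempfile.mkdtemp()  # a sibling dir the server never serves (webapps/)
    srv = serve(served)
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    results = {}
    tok, exp = place_token(served)
    results["right_webroot"] = probe(base, tok, exp)
    tok, exp = place_token(unserved)
    results["wrong_webroot"] = probe(base, tok, exp)  # the 404 seen in the first run
    srv.shutdown()
    srv.server_close()
    results["no_listener"] = probe(base, tok, exp)    # nothing on port 80 / firewalled
    return results


if __name__ == "__main__":
    print(demo())
```

Run against the real host by replacing the loopback server with the public http://<domain> base URL and the webroot given to certbot; an "ok" result means the CA's fetch should succeed too.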
It seems all is well now that I got the cert for “siegfried.aps.uoguelph.ca”
This is a test system for now and it will ultimately get a different IP address and dns name. This is so it can be used for existing production tomcat applications.
I wonder if I will need a new certificate when that happens? Probably in January.