Unable to renew

My domains are:
thevegcat.com & vegsh.com

I ran this command:
/opt/eff.org/certbot/venv/bin/certbot certonly --dry-run --standalone --preferred-challenges http -d vegsh.com -d www.vegsh.com -d custom.vegsh.com -d thevegcat.com -d www.thevegcat.com -d custom.thevegcat.com

It produced this output:
Challenge failed for domain custom.thevegcat.com
Challenge failed for domain custom.vegsh.com
Challenge failed for domain thevegcat.com
Challenge failed for domain vegsh.com
Challenge failed for domain www.thevegcat.com
Challenge failed for domain www.vegsh.com
Domain: custom.thevegcat.com
Type: unauthorized
Detail: Invalid response from
http://custom.thevegcat.com/.well-known/acme-challenge/-orpSNDAGKb0rGE-zF9Byqn42HjT2rtLyqcOHnsHLHE
[94.130.228.94]:
"{"timestamp":"2020-07-10T23:12:24.450+00:00","status":404,"error":"Not Found","message":"","path":"/.well-known/acme-challenge/-"

Domain: custom.vegsh.com
Type: unauthorized
Detail: Invalid response from
http://custom.vegsh.com/.well-known/acme-challenge/ZK5V0wS1A1pvKijUEIj-bBv6TKx8N0Ize6F700ayvyg
[94.130.228.94]:
"{"timestamp":"2020-07-10T23:12:24.751+00:00","status":404,"error":"Not Found","message":"","path":"/.well-known/acme-challenge/Z"

Domain: thevegcat.com
Type: unauthorized
Detail: Invalid response from
http://thevegcat.com/.well-known/acme-challenge/Sa0Q4hTuEJaxAyF3boYYIx2BUlIrjiSsaR6njFy6utA
[94.130.228.94]:
"{"timestamp":"2020-07-10T23:12:24.605+00:00","status":404,"error":"Not Found","message":"","path":"/.well-known/acme-challenge/S"

Domain: vegsh.com
Type: unauthorized
Detail: Invalid response from
http://vegsh.com/.well-known/acme-challenge/Wu5zrFmtRpADlJTtw723uxTugM-5LOccYiErht5MyMA
[94.130.228.94]:
"{"timestamp":"2020-07-10T23:12:24.781+00:00","status":404,"error":"Not Found","message":"","path":"/.well-known/acme-challenge/W"

Domain: www.thevegcat.com
Type: unauthorized
Detail: Invalid response from
http://www.thevegcat.com/.well-known/acme-challenge/VoVaLI9wE3nqowX6WauF5WmDz_fklLIUcC--xD03FeI
[94.130.228.94]:
"{"timestamp":"2020-07-10T23:12:24.916+00:00","status":404,"error":"Not Found","message":"","path":"/.well-known/acme-challenge/V"

Domain: www.vegsh.com
Type: unauthorized
Detail: Invalid response from
http://www.vegsh.com/.well-known/acme-challenge/zIkij-oucS3H3iVdWW5e7v7GUKG12C9xXtYXrM7I_C4
[94.130.228.94]:
"{"timestamp":"2020-07-10T23:12:25.071+00:00","status":404,"error":"Not Found","message":"","path":"/.well-known/acme-challenge/z"

My web server is (include version):
Apache Tomcat 9.0.34 + Java OpenJDK Runtime Environment (build 1.8.0_242-8u242-b08-0ubuntu3~18.04-b08)

The operating system my web server runs on is (include version):
Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is:
Hetzner Cloud server

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Tried with 0.31.0 only and not working (apt-get install).
Tried with 1.6.0 only and not working (certbot-auto install).
Now I have both versions and am willing to delete all if needed.

$ certbot-auto --version
certbot 1.6.0

$ /opt/eff.org/certbot/venv/bin/certbot --version
certbot 1.6.0

$ certbot --version
certbot 0.31.0

Tried with Tomcat running - not working.
Tried with Tomcat stopped - not working.

Installed Tuckey URL-Rewriter to redirect http to https and added an exception for ".well-known".
But it doesn't matter when Tomcat is down, right?

I’m checking ports with:
$ sudo ss -tln

When Tomcat is running:
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=5614,fd=30))
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=22536,fd=13))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1328,fd=3))
LISTEN 0 1 [::ffff:127.0.0.1]:8005 *:* users:(("java",pid=6839,fd=82))
LISTEN 0 100 *:8080 *:* users:(("java",pid=6839,fd=62))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1328,fd=4))
LISTEN 0 100 *:8443 *:* users:(("java",pid=6839,fd=68))

When Tomcat is stopped:
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=5614,fd=30))
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=22536,fd=13))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1328,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1328,fd=4))


More information:

$ telnet localhost 80
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

$ telnet localhost 443
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

$ telnet localhost 8443
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Please help!
I have 19 days until it expires and have already spent 5 hours trying to fix it.

Thanks!

1 Like

It looks like you are probably using a PREROUTING rule to redirect port 8080 to 80.

In that case, your command should be something like (after stopping Tomcat):

/opt/eff.org/certbot/venv/bin/certbot certonly --dry-run --standalone \
--http-01-port 8080 -d vegsh.com -d www.vegsh.com -d custom.vegsh.com \
-d thevegcat.com -d www.thevegcat.com -d custom.thevegcat.com
2 Likes
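The diagnosis above hinges on one fact: a nat PREROUTING REDIRECT delivers the validator's port-80 request to Tomcat's 8080, so certbot's standalone listener must bind the redirected port, not 80. The script below is an added example (not from the thread or from Certbot) that turns that reasoning into a check: it reads `ss -tln` and `iptables -t nat -S PREROUTING` output, finds the REDIRECT rule for port 80, reports what is listening on the target port, and prints the matching `--http-01-port` invocation. The sample outputs are constructed to mirror the poster's host; with `--live` it reads the real commands (which need root).

```shell
#!/bin/sh
# Added example, not from the thread: decide which port `certbot --standalone`
# must bind for HTTP-01 on a host where a nat PREROUTING REDIRECT forwards
# port 80 to Tomcat's 8080. Run with --live to read the real `ss -tln` and
# `iptables -t nat -S PREROUTING` (needs root); otherwise the constructed
# samples below, modelled on the thread's host, are used.

# Constructed sample of `ss -tln` with Tomcat running.
SAMPLE_SS='LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=5614,fd=30))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1328,fd=3))
LISTEN 0 100 *:8080 *:* users:(("java",pid=6839,fd=62))
LISTEN 0 100 *:8443 *:* users:(("java",pid=6839,fd=68))'

# Constructed sample of `iptables -t nat -S PREROUTING` with an 80->8080 redirect.
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443'

# listener_on PORT SS_OUTPUT: name of the process listening on PORT, or "none".
listener_on() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")        # local address is field 4; port follows the last colon
            if (a[n] == p) {
                match($0, /\("[^"]+"/)   # users:(("java",pid=...  ->  java
                print substr($0, RSTART + 2, RLENGTH - 3)
                found = 1
                exit
            }
        }
        END { if (!found) print "none" }'
}

# redirect_target DPORT NAT_RULES: the --to-ports of a REDIRECT rule for DPORT, or "".
redirect_target() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /-j REDIRECT/ {
            dport = ""; to = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--dport")    dport = $(i + 1)
                if ($i == "--to-ports") to    = $(i + 1)
            }
            if (dport == p) { print to; exit }
        }'
}

# http01_port NAT_RULES: the port certbot must bind so that the validator's
# request to :80 actually reaches it (the redirect target if one exists, else 80).
http01_port() {
    target=$(redirect_target 80 "$1")
    [ -n "$target" ] && echo "$target" || echo 80
}

# report SS_OUTPUT NAT_RULES: print the diagnosis and the certbot invocation to use.
report() {
    port=$(http01_port "$2")
    owner=$(listener_on "$port" "$1")
    echo "HTTP-01 requests to :80 are delivered to port $port (listener: $owner)"
    if [ "$owner" != none ]; then
        echo "Stop '$owner' first, or certbot --standalone cannot bind port $port."
    fi
    echo "Suggested: certbot certonly --standalone --http-01-port $port -d <domain>"
}

if [ "${1:-}" = --live ]; then
    report "$(ss -tln)" "$(iptables -t nat -S PREROUTING)"
else
    report "$SAMPLE_SS" "$SAMPLE_NAT"
fi
```

Without a redirect rule the script falls back to port 80, which is the normal standalone case; the `--live` path is the one to run on the poster's box to confirm where the "hacked" port 80 actually comes from.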

WOW! It’s working. The saddest thing of all is that I did install Ubuntu, Tomcat and everything else and also did a configuration.

Is there a way to do it without stopping a service? I mean I've been reading all possible documentation for hours but still don't know whether it's possible with Tomcat.

1 Like

The best way is to use a standalone TLS reverse-proxy (like nginx, haproxy, Apache, Caddy, whatever), rather than configuring TLS directly in Tomcat.

Sounds like a lot of work but really it’s the only way to do it in production. I run a lot of Tomcat and Wildfly servers this way. Plus you don’t need to restart Tomcat every time you renew the certificate … just reload the proxy. Plus the actual issuing and renewal steps are waaaay easier … just certbot --nginx, for example.

2 Likes
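As an added illustration of the reverse-proxy layout recommended above (this is example code, not the poster's final configuration or anything from the thread), the function below renders a minimal nginx site that holds the certificate, answers `/.well-known/acme-challenge/` from a local webroot so Tomcat never sees the challenge, and proxies everything else to Tomcat on 8080. The domain, upstream port and webroot are parameters; the certificate paths are Certbot's standard `/etc/letsencrypt/live/<domain>/` layout. A small check function verifies the three properties the answer depends on.

```shell
#!/bin/sh
# Added example, not from the thread: render an nginx reverse-proxy site that
# terminates TLS in front of Tomcat and serves ACME HTTP-01 challenges locally.
# Usage: render_proxy_conf DOMAIN UPSTREAM_PORT WEBROOT > /etc/nginx/sites-available/DOMAIN

render_proxy_conf() {
    domain=$1; upstream_port=$2; webroot=$3
    cat <<EOF
# Hypothetical site for $domain (added example, not the poster's config).
server {
    listen 80;
    server_name $domain www.$domain;

    # HTTP-01 challenges are answered from disk, so renewal never touches Tomcat:
    #   certbot certonly --webroot -w $webroot -d $domain -d www.$domain
    location ^~ /.well-known/acme-challenge/ {
        root $webroot;
        default_type text/plain;
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name $domain www.$domain;

    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;

    # Plain HTTP proxying to Tomcat; after renewal only nginx needs `nginx -s reload`.
    location / {
        proxy_pass http://127.0.0.1:$upstream_port;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# conf_check CONF_TEXT: succeed only if the config serves ACME challenges locally,
# terminates TLS on 443, and proxies to a loopback upstream.
conf_check() {
    printf '%s\n' "$1" | grep -Fq 'location ^~ /.well-known/acme-challenge/' || return 1
    printf '%s\n' "$1" | grep -Fq 'listen 443 ssl'                           || return 1
    printf '%s\n' "$1" | grep -Fq 'proxy_pass http://127.0.0.1:'             || return 1
    return 0
}

# Render the site for the thread's domain and Tomcat port so the script shows something when run.
render_proxy_conf thevegcat.com 8080 /var/www/letsencrypt
```

Tomcat only learns the original scheme and client address from the `X-Forwarded-*` headers if its `RemoteIpValve` is enabled in `server.xml`; without it, redirects generated by the application may point back at `http://`. Bind Tomcat's connector to 127.0.0.1 once nginx is in front so 8080 is not reachable from outside, and remove the old PREROUTING redirect, which would otherwise steal port 80 from nginx.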

Thanks! So that means nginx is the holder of the certificate, right? And it proxies all other requests to Tomcat except ".well-known", similar to mod_jk with Apache? Sounds like something I could do, as I did have some experience 10 years ago with Apache and Tomcat. But first I'll try to find where I hacked port 80, as it's not a Tomcat thing.

1 Like

Yeah. I haven’t used mod_jk in a long time, just normal HTTP proxying is good enough for me.

2 Likes

Thanks for the help, thanks for the idea! It took a few hours to learn about nginx and SSL, but now I have it :)

https:// thevegcat.com

HTTP/1.1 200
Server: nginx/1.14.0 (Ubuntu)
Date: Sat, 11 Jul 2020 03:22:19 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: JSESSIONID=F15E766C91F05CCFEB325FF119308AE7; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Content-Security-Policy: frame-ancestors https://veganopolis.net http://veganopolis.net https://vegcook.net
X-Content-Security-Policy: frame-ancestors https://veganopolis.net http://veganopolis.net https://vegcook.net
vary: accept-encoding
Content-Language: en

2 Likes
