YACBARI: Yet Another CertBot Auto Renew Issue

Hi, I’m trying to auto-renew and it seems like only one of my entries was renewed (.www). I checked on Amazon Route 53 for my DNS entry and it all looks correct.

My domain is:
Hemaconhealth.com

I ran this command:
certbot-auto renew -i apache -a webroot -w /opt/server/tomcat8/webapps/

It produced this output:
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/hemaconhealth.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):
Tomcat 8.0.36

The operating system my web server runs on is (include version):
4.9.32-15.41.amzn1.x86_64

My hosting provider, if applicable, is:
Amazon

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.5.0

1 Like

Hi @fobinator,

If you create a file /opt/server/tomcat8/webapps/test.txt, can you see its contents at http://hemaconhealth.com/test.txt? If you create a file /opt/server/tomcat8/webapps/.well-known/acme-challenge/test2.txt, can you see it at http://hemaconhealth.com/.well-known/acme-challenge/test.txt?

If not, the path /opt/server/tomcat8/webapps that you specified with -w isn’t currently correct for this purpose.

2 Likes

(Also, Certbot remembers all of these options for you from when you originally got the certificate. In most cases, it should be enough just to run certbot renew and have Certbot use the remembered options, instead of re-specifying them.)

2 Likes

webapps/ is not typically the document root (unless you have specifically configured it that way in one of the server XMLs).

It might be webapps/ROOT/ or something else, if this is a Tomcat bundle from some software vendor.

1 Like

Hello, thank you both for the replies. I initially just ran certbot-auto renew but I had failures from both www.hemaconhealth.com and hemaconhealth.com. I don’t know what happened but the www.hemaconhealth.com got renewed but not the other one.

@schoen I tried creating those files in that path but I can’t reach it either, yet that’s the path my webapps are set up at.

@_az I tried specifying /ROOT both on the command line and also the .conf file (the www had /ROOT)

Is there anything else I can try?

1 Like

Where does favicon.ico sit?

find /opt/server/tomcat8/ -name favicon.ico -exec sha256sum {} +
1 Like

@_az it’s under ROOT
64a3170a912786e9eece7e347b58f36471cb9d0bc790697b216c61050e6b1f08 /opt/server/tomcat8/webapps/ROOT/favicon.ico

And I was able to create a file under root and get the contents when I hit that url.

If I fixed the webroot_path = /opt/server/tomcat8/webapps/ROOT, under /etc/letsencrypt/renewal, what else could be wrong?

1 Like

Is the error still a 404? Or something else like failed validations limit?

What if you run this exact command:

certbot-auto renew --webroot -w /opt/server/tomcat8/webapps/ROOT --dry-run
1 Like

certbot-auto renew --webroot -w /opt/server/tomcat8/webapps/ROOT --dry-run
Requesting to rerun /usr/local/bin/certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/hemaconhealth.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hemaconhealth.com
http-01 challenge for www.hemaconhealth.com
Using the webroot path /opt/server/tomcat8/webapps/ROOT for all unmatched domains.
Waiting for verification…
Challenge failed for domain hemaconhealth.com
Challenge failed for domain www.hemaconhealth.com
http-01 challenge for hemaconhealth.com
http-01 challenge for www.hemaconhealth.com
Cleaning up challenges
Attempting to renew cert (hemaconhealth.com) from /etc/letsencrypt/renewal/hemaconhealth.com.conf produced an unexpected error: Some challenges have failed… Skipping.


Processing /etc/letsencrypt/renewal/www.hemaconhealth.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.hemaconhealth.com
Using the webroot path /opt/server/tomcat8/webapps/ROOT for all unmatched domains.
Waiting for verification…
Challenge failed for domain www.hemaconhealth.com
http-01 challenge for www.hemaconhealth.com
Cleaning up challenges
Attempting to renew cert (www.hemaconhealth.com) from /etc/letsencrypt/renewal/www.hemaconhealth.com.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/hemaconhealth.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.hemaconhealth.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/hemaconhealth.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.hemaconhealth.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

It’s not making sense to me yet. I tried a fresh Tomcat 8 install and it’s fine.

There’s no webroot_map in your renewal config files, is there? Could you paste both in their entirety?

@_az I really appreciate you taking the time to help!

# renew_before_expiry = 30 days
version = 1.5.0
archive_dir = /etc/letsencrypt/archive/www.hemaconhealth.com
cert = /etc/letsencrypt/live/www.hemaconhealth.com/cert.pem
privkey = /etc/letsencrypt/live/www.hemaconhealth.com/privkey.pem
chain = /etc/letsencrypt/live/www.hemaconhealth.com/chain.pem
fullchain = /etc/letsencrypt/live/www.hemaconhealth.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 590728d2db6ce6ea6b090c2c900469a3
webroot_path = /opt/server/tomcat8/webapps/ROOT,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
www.hemaconhealth.com = /opt/server/tomcat8/webapps/ROOT

# renew_before_expiry = 30 days
version = 1.3.0
archive_dir = /etc/letsencrypt/archive/hemaconhealth.com
cert = /etc/letsencrypt/live/hemaconhealth.com/cert.pem
privkey = /etc/letsencrypt/live/hemaconhealth.com/privkey.pem
chain = /etc/letsencrypt/live/hemaconhealth.com/chain.pem
fullchain = /etc/letsencrypt/live/hemaconhealth.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 590728d2db6ce6ea6b090c2c900469a3
webroot_path = /opt/server/tomcat8/webapps/ROOT,
server = https://acme-v02.api.letsencrypt.org/directory
http01_port = 8080
[[webroot_map]]
hemaconhealth.com = /opt/server/tomcat8/webapps/ROOT

Not sure why my versions are different, let me change that… (did not help)

OK, my last attempt before I give up on this one:

mkdir -p /opt/server/tomcat8/webapps/ROOT/{.well-known,well-known}/acme-challenge/
echo 1 > /opt/server/tomcat8/webapps/ROOT/.well-known/acme-challenge/1
echo 2 > /opt/server/tomcat8/webapps/ROOT/well-known/acme-challenge/2
echo 3 > /opt/server/tomcat8/webapps/ROOT/3

I can only hit the 3 or well-known, not under .well-known

Oops, I had a typo on the 3rd line. Sorry. Still, that is bizarre.

Last workaround I can suggest is to open up conf/server.xml, find the <Host> element, add inside it:

<Context path="/.well-known/acme-challenge/" docBase="/opt/server/tomcat8/webapps/ROOT/.well-known/acme-challenge/" />

and restart Tomcat. See if you can access the files then.

1 Like
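The manual checks used in this thread (a test file in the webroot, then one under .well-known/acme-challenge/) can be scripted to tell a wrong -w path apart from a server that does not serve the .well-known directory. This is an added example, not code from any poster or from Certbot; the function names and exit codes are assumptions of the example.

```shell
#!/bin/sh
# Added example: probe whether WEBROOT is served the way the http-01 check needs.
# Writes two short-lived probe files, fetches them over HTTP, then removes them.
# usage: probe_webroot /opt/server/tomcat8/webapps/ROOT http://hemaconhealth.com
# exit codes (chosen for this example): 0 ok, 1 wrong webroot,
#   2 webroot right but .well-known/ not served, 3 cannot write to webroot

# fetch_matches FILE URL: succeed only if URL returns exactly the content of FILE.
fetch_matches() {
    body=$(curl -fsS --max-time 10 "$2" 2>/dev/null) || return 1
    [ "$body" = "$(cat "$1")" ]
}

probe_webroot() {
    webroot=$1
    base=${2%/}                                  # drop a trailing slash
    token="probe-$$-$(date +%s)"                 # hard-to-collide file name
    acme_dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$acme_dir" || return 3
    echo "$token" > "$webroot/$token.txt" || return 3
    echo "$token" > "$acme_dir/$token" || return 3

    root_ok=1
    acme_ok=1
    fetch_matches "$webroot/$token.txt" "$base/$token.txt" && root_ok=0
    fetch_matches "$acme_dir/$token" \
        "$base/.well-known/acme-challenge/$token" && acme_ok=0
    rm -f "$webroot/$token.txt" "$acme_dir/$token"

    if [ "$acme_ok" -eq 0 ]; then
        echo "OK: challenge path is served from $webroot"
        return 0
    elif [ "$root_ok" -eq 0 ]; then
        echo "PARTIAL: $webroot is the document root, but .well-known/ is not served"
        return 2
    else
        echo "FAIL: $webroot is not the document root for $base"
        return 1
    fi
}
```

Exit code 2 corresponds to the situation found in this thread, where files in ROOT were reachable but files under .well-known were not.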

That worked! And I was able to renew my certs using the command. Does it take a while to propagate the cert? Still seeing Not Secure when I hit my site.

1 Like

No, it should be instant. Either Apache has not reloaded, or Apache is pointing to the wrong certificate file.

Hmm, is this the correct configuration?

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/etc/letsencrypt/live/hemaconhealth.com/bundle.pfx" keystorePass="apassword"
           clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>
1 Like

Oh oops, for some reason I thought you were running Apache httpd for SSL termination. Turns out you are not.

In this case, that bundle.pfx is not automatically generated by Certbot. You probably created it by hand last time. You can create it by running something like:

openssl pkcs12 -export -out /etc/letsencrypt/live/hemaconhealth.com/bundle.pfx -inkey /etc/letsencrypt/live/hemaconhealth.com/privkey.pem -in /etc/letsencrypt/live/hemaconhealth.com/cert.pem -certfile /etc/letsencrypt/live/hemaconhealth.com/chain.pem -password pass:apassword
1 Like
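Because Certbot does not generate bundle.pfx, the keystore goes stale after every renewal unless it is rebuilt. As an added example (not from the thread or from Certbot itself), a deploy hook can run the same openssl pkcs12 -export step automatically; PASS_FILE and the function names are assumptions, and the password is read from a root-only file instead of the command line.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that rebuilds the PKCS#12 keystore for Tomcat.
# Save as an executable file in /etc/letsencrypt/renewal-hooks/deploy/.
# PASS_FILE (assumed path) is a root-only file whose first line is the password.
PASS_FILE="${PASS_FILE:-/etc/letsencrypt/keystore.pass}"

# build_pfx LINEAGE_DIR: write LINEAGE_DIR/bundle.pfx from the renewed PEM files.
build_pfx() {
    lineage=$1
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    [ -r "$PASS_FILE" ] || { echo "cannot read $PASS_FILE" >&2; return 1; }
    old_umask=$(umask)
    umask 077                      # the keystore contains the private key
    tmp=$(mktemp "$lineage/bundle.pfx.XXXXXX") || { umask "$old_umask"; return 1; }
    if openssl pkcs12 -export -out "$tmp" \
            -inkey "$lineage/privkey.pem" -in "$lineage/cert.pem" \
            -certfile "$lineage/chain.pem" -passout "file:$PASS_FILE"; then
        mv "$tmp" "$lineage/bundle.pfx"   # replace the old keystore in one step
        rc=$?
    else
        rm -f "$tmp"
        rc=1
    fi
    umask "$old_umask"
    return "$rc"
}

# pfx_matches_cert LINEAGE_DIR: succeed only if the keystore's leaf certificate
# has the same SHA-256 fingerprint as the renewed cert.pem.
pfx_matches_cert() {
    want=$(openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha256) || return 1
    got=$(openssl pkcs12 -in "$1/bundle.pfx" -nokeys -clcerts \
            -passin "file:$PASS_FILE" 2>/dev/null |
          openssl x509 -noout -fingerprint -sha256) || return 1
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) to deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_pfx "$RENEWED_LINEAGE" && pfx_matches_cert "$RENEWED_LINEAGE" || exit 1
    echo "rebuilt $RENEWED_LINEAGE/bundle.pfx; restart Tomcat so the connector loads it"
fi
```

The fingerprint comparison catches the case seen in this thread, where renewal succeeded but the server kept presenting the certificate from an old keystore.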

Yeah it’s been a while since I created it so I think I’ve been doing the wrong thing this whole time. Thanks for the help!

2 Likes
