Issue
I am trying to set up SSL encryption on my Tomcat9 webapp with Let's Encrypt.
I have installed the certbot and now I am trying to use the following command:
sudo certbot certonly --webroot -w /opt/tomcat/webapps -d <redacted>.<redacted>.com
This returns the following error:
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <redacted>.<redacted>.com
Using the webroot path /opt/tomcat/webapps for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. <redacted>.<redacted>.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://<redacted>.<redacted>.com/.well-known/acme-challenge/powESSrI_zlg9nr4LDji5wqs4BjllfL7rooWYlfsI7I: "<!doctype html><html lang=\"en\"><head><title>HTTP Status 404 \u2013 Not Found</title><style type=\"text/css\">h1 {font-family:Tahoma,A"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: <redacted>.<redacted>.com
Type: unauthorized
Detail: Invalid response from
http://<redacted>.<redacted>.com/.well-known/acme-challenge/powESSrI_zlg9nr4LDji5wqs4BjllfL7rooWYlfsI7I:
"<!doctype html><html lang=\"en\"><head><title>HTTP Status 404 –
Not Found</title><style type=\"text/css\">h1 {font-family:Tahoma,A"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
To test that I haven't got issues, I have created a .well-known/acme-challenge/testing.txt file and successfully accessed it with curl.
I just checked the permissions and the /opt/tomcat/webapps/ folder belongs to tomcat:tomcat, so I am unsure if the issue is in permissions. I have now chown'ed it to root and will check as soon as the rate limit resets. I am very skeptical that this will be the solution, however.
I did review /var/log/letsencrypt/letsencrypt.log and it didn't seem to throw any issues during the creation of the .well-known folder. I have added an excerpt below, just in case.
2018-10-10 17:25:49,150:INFO:certbot.auth_handler:Performing the following challenges:
2018-10-10 17:25:49,151:INFO:certbot.auth_handler:http-01 challenge for <redacted>.<redacted>,com
2018-10-10 17:25:49,151:INFO:certbot.plugins.webroot:Using the webroot path /opt/tomcat/webapps for all unmatched domains.
2018-10-10 17:25:49,151:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /opt/tomcat/webapps/.well-known/acme-challenge
2018-10-10 17:25:49,154:DEBUG:certbot.plugins.webroot:Attempting to save validation to /opt/tomcat/webapps/.well-known/acme-challenge/26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs
2018-10-10 17:25:49,155:INFO:certbot.auth_handler:Waiting for verification...
2018-10-10 17:25:49,155:DEBUG:acme.client:JWS payload:
b'{\n "resource": "challenge",\n "keyAuthorization": "26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs.ME_OY5WqxTYCKhCOPRnWxkWCKD7ThYqX1E18W8YCLfQ",\n "type": "http-01"\n}'
2018-10-10 17:25:49,157:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996040:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDM2MjM1OTciLCAibm9uY2UiOiAibVN2LUdaOGlRLXlEYkVwZ2E0RUlCX0VtNWxiZ01MMUVlbWhEWm5ZeGVVWSIsICJ1cm$
"signature": "TyjDjNvL294YTVe6O9eQzgCRBfVuZQV5wcZJgRpSIuUAfXN7N-_A8XSv-yLI-smmZxQSug5ZPidfqwN4nQwguye9WfBMdpEEFKpky5HwD9Pb83r0XOCkBm5nGQnXxTuEeIb22j4wXwVJW1oY769UWLp9wnSkFGopIIzhvN9GGIKzzLhugK1LPgMgkJK0G3$
"payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogIjI2ZkZHVlZYWHhkcGVPcV9FOGhhX3JmWGlfTE1fNWo2WjRldDJQTnAyZ3MuTUVfT1k1V3F4VFlDS2hDT1BSbld4a1dDS0Q3VGhZcVgxRTE4VzhZQ0xmUSIsCiAg$
}
2018-10-10 17:25:49,360:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996040 HTTP/1.1" 200 223
2018-10-10 17:25:49,361:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 223
Boulder-Requester: 43623597
Link: <https://acme-v02.api.letsencrypt.org/acme/authz/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996040
Replay-Nonce: MPjDFzJp80MvZiwxnBunswO7KnQDESpZ89YSoF7Dyeo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 10 Oct 2018 17:25:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 10 Oct 2018 17:25:49 GMT
Connection: keep-alive
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996040",
"token": "26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs"
}
2018-10-10 17:25:49,361:DEBUG:acme.client:Storing nonce: MPjDFzJp80MvZiwxnBunswO7KnQDESpZ89YSoF7Dyeo
2018-10-10 17:25:52,365:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU.
2018-10-10 17:25:52,560:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU HTTP/1.1" 200 1772
2018-10-10 17:25:52,561:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1772
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 10 Oct 2018 17:25:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 10 Oct 2018 17:25:52 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "<redacted>.<redacted>,com"
},
"status": "invalid",
"expires": "2018-10-17T17:25:48Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://<redacted>.<redacted>,com/.well-known/acme-challenge/26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs: \"\u003c!doctype html\u003e\u003chtml lang=\\\"en\\\"\$
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996040",
"token": "26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs",
"validationRecord": [
{
"url": "http://<redacted>.<redacted>,com/.well-known/acme-challenge/26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs",
"hostname": "<redacted>.<redacted>,com",
"port": "80",
"addressesResolved": [
"<redacted>"
],
"addressUsed": "<redacted>"
}
]
},
{
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://<redacted>.<redacted>,com/.well-known/acme-challenge/26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs: \"\u003c!doctype html\u003e\u003chtml lang=\\\"en\\\"\$
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996040",
"token": "26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs",
"validationRecord": [
{
"url": "http://<redacted>.<redacted>,com/.well-known/acme-challenge/26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs",
"hostname": "<redacted>.<redacted>,com",
"port": "80",
"addressesResolved": [
"<redacted>"
],
"addressUsed": "<redacted>"
}
]
},
{
"type": "dns-01",
"status": "invalid",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996041",
"token": "Spw_JOZoMRrFUsprklfbEsvndZElESITmGETwEjoDqs"
},
{
"type": "tls-alpn-01",
"status": "invalid",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996042",
"token": "isqG0IfT0WxC2FIl24XlZ18E8j0wadfJejZEYgMRGfk"
}
]
}
2018-10-10 17:25:52,562:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: <redacted>.<redacted>,com
Type: unauthorized
Detail: Invalid response from http://<redacted>.<redacted>,com/.well-known/acme-challenge/26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs: "<!doctype html><html lang=\"en\"><head><title>HTTP Status 404 – $
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2018-10-10 17:25:52,562:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. <redacted>.<redacted>,com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid re$
Solution
The issue was in the permissions for the tomcat/webapp folder: as soon as permissions were granted to root, the folder and the respective file were created and authenticated by Let's Encrypt.
Answered By - Kyan
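The thread above shows the two things that can go wrong with the webroot authenticator: certbot must be able to create `.well-known/acme-challenge/<token>` under the webroot, and the web server must then hand that exact file back over plain HTTP on port 80 to the ACME validator. The following pre-flight script is an added example written for this page, not certbot's, Tomcat's or Kyan's code. It reproduces both steps offline before a real issuance is attempted, so the mistake is found without burning a Let's Encrypt rate-limit slot. It assumes a POSIX shell and curl; the webroot path and domain are hypothetical values supplied by the caller.

```shell
#!/bin/sh
# Pre-flight check for `certbot certonly --webroot` (added example, not from
# the original post). Assumes POSIX sh and curl. Webroot and domain are
# hypothetical arguments, e.g. /opt/tomcat/webapps and the site's hostname.
#
# Mirrors what the webroot plugin does: create .well-known/acme-challenge under
# the webroot, write a token file there, fetch it back the way the ACME server
# does (plain HTTP, port 80) and classify what the server actually returned.

challenge_dir() {
    printf '%s/.well-known/acme-challenge\n' "$1"
}

# Create the challenge directory and a constructed token file inside it, as
# certbot's webroot authenticator does. Non-zero when the directory cannot be
# created or the file cannot be written and read back; this is the
# permission problem the thread ends up diagnosing.
write_probe() {
    dir=$(challenge_dir "$1")
    mkdir -p "$dir" 2>/dev/null || return 1
    printf '%s' "$2" > "$dir/$2" 2>/dev/null || return 1
    [ "$(cat "$dir/$2")" = "$2" ]
}

remove_probe() {
    rm -f "$(challenge_dir "$1")/$2"
}

# Classify an HTTP response body against the token we expect:
#   ok         - body is exactly the token (what the validator must see)
#   html-error - the server answered with an HTML page; Tomcat's
#                "HTTP Status 404" page from the thread is the typical case
#   mismatch   - anything else (empty body, redirect page, wrong file)
response_kind() {
    if [ "$1" = "$2" ]; then
        echo ok
    else
        case "$1" in
            "<!doctype html"*|"<!DOCTYPE html"*|"<html"*) echo html-error ;;
            *) echo mismatch ;;
        esac
    fi
}

# Fetch the probe over plain HTTP on port 80, as the ACME server would.
http_probe() {
    body=$(curl -sS --max-time 10 "http://$1/.well-known/acme-challenge/$2") || body=""
    response_kind "$body" "$2"
}

# Show who owns the webroot versus who is running the check. A webroot owned
# by tomcat:tomcat while certbot runs as a different user (or the reverse) is
# what to look at when write_probe fails.
show_ownership() {
    ls -ld "$1" "$(challenge_dir "$1")" 2>/dev/null
    echo "running as: $(id -un)"
}

preflight() {
    webroot=$1
    domain=$2
    # constructed, random token; real ACME tokens come from the server
    token=$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')
    if ! write_probe "$webroot" "$token"; then
        echo "cannot write challenge file under $webroot"
        show_ownership "$webroot"
        return 1
    fi
    result=$(http_probe "$domain" "$token")
    remove_probe "$webroot" "$token"
    echo "http check: $result"
    [ "$result" = ok ]
}

# Usage: sh preflight.sh /opt/tomcat/webapps example.com (hypothetical values)
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as the same user that will run certbot, because that is the identity whose write access matters. When the write step fails, the ownership line is the answer; when the write succeeds but the HTTP check reports html-error, the file exists on disk but Tomcat is not serving that path, which is a different problem. Once the script passes, `certbot certonly --webroot ... --dry-run` repeats the whole exchange against the Let's Encrypt staging environment, which does not count toward the production rate limit mentioned in the question.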