I get always this error org.shredzone.acme4j.exception.AcmeServerException: Order's status ("invalid") is not acceptable for finalization at finalizeOrder. Certbot with same ports as standalone works fine and Spring Boot App delivers at port 80. Any suggestions?

Hi! This is a useful project, thanks!

Instructions/code on how to redirect http to https would be helpful especially given that this is for small pet projects. I've been able to apply it to my pet project and now I don't have this 301 https redirect. Googling gave me too many ways and it's interesting what would be the best way for spring-boot.

I'm testing on a server with an already existing certificate from letsencrypt. However, the sample program cannot be run. I am attaching the log.
``:: Spring Boot :: (v2.3.4.RELEASE)

2022-07-30 09:25:36.481 INFO 895693 --- [ main] example.SpringBootApp : Starting SpringBootApp on **** with PID 895693 (/home/alex/letsencrypt-helper-example-0.1.3-SNAPSHOT.jar started by root in /home/)
2022-07-30 09:25:36.490 INFO 895693 --- [ main] example.SpringBootApp : No active profile set, falling back to default profiles: default
2022-07-30 09:25:39.248 INFO 895693 --- [ main] lKnownLetsEncryptChallengeEndpointConfig : KeyStore exists: /etc/letsencrypt/live/*********/keystore.p12
2022-07-30 09:25:39.571 INFO 895693 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 443 (https) 80 (http)
2022-07-30 09:25:39.659 INFO 895693 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2022-07-30 09:25:39.660 INFO 895693 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.38]
2022-07-30 09:25:39.960 INFO 895693 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2022-07-30 09:25:39.964 INFO 895693 --- [ main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 3338 ms
2022-07-30 09:25:40.556 WARN 895693 --- [ificate Watcher] lKnownLetsEncryptChallengeEndpointConfig : Please review carefully and accept TOS https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2022-07-30 09:25:40.608 WARN 895693 --- [ificate Watcher] lKnownLetsEncryptChallengeEndpointConfig : Failed updating KeyStore

java.lang.NullPointerException: null
at com.github.valb3r.letsencrypthelper.tomcat.TomcatWellKnownLetsEncryptChallengeEndpointConfig.updateCertificateAndKeystore(TomcatWellKnownLetsEncryptChallengeEndpointConfig.java:395) ~[letsencrypt-helper-tomcat-0.2.4.jar!/:na]
at com.github.valb3r.letsencrypthelper.tomcat.TomcatWellKnownLetsEncryptChallengeEndpointConfig.executeCheckCertValidityAndRotateIfNeeded(TomcatWellKnownLetsEncryptChallengeEndpointConfig.java:336) ~[letsencrypt-helper-tomcat-0.2.4.jar!/:na]
at com.github.valb3r.letsencrypthelper.tomcat.TomcatWellKnownLetsEncryptChallengeEndpointConfig.letsEncryptCheckCertValidityAndRotateIfNeeded(TomcatWellKnownLetsEncryptChallengeEndpointConfig.java:308) ~[letsencrypt-helper-tomcat-0.2.4.jar!/:na]
at java.base/java.lang.Thread.run(Thread.java:829) ~[na:na]`
The library and its functionality is what I need. I would love to resolve any issues.

I am getting this message when trying with spring boot 3.0.4:

An attempt was made to call a method that does not exist. The attempt was made from the following location:

com.github.valb3r.letsencrypthelper.tomcat.TomcatWellKnownLetsEncryptChallengeEndpointConfig.matchesCertFilePathAndPassword(TomcatWellKnownLetsEncryptChallengeEndpointConfig.java:252)

The following method did not exist:

'java.lang.String org.apache.tomcat.util.net.SSLHostConfig.getCertificateKeystoreFile()'

The calling method's class, com.github.valb3r.letsencrypthelper.tomcat.TomcatWellKnownLetsEncryptChallengeEndpointConfig, was loaded from the following location:

jar:file:/app.jar!/BOOT-INF/lib/letsencrypt-helper-tomcat-0.2.5.jar!/com/github/valb3r/letsencrypthelper/tomcat/TomcatWellKnownLetsEncryptChallengeEndpointConfig.class

The called method's class, org.apache.tomcat.util.net.SSLHostConfig, is available from the following locations:

jar:file:/app.jar!/BOOT-INF/lib/tomcat-embed-core-10.1.5.jar!/org/apache/tomcat/util/net/SSLHostConfig.class

The called method's class hierarchy was loaded from the following locations:

org.apache.tomcat.util.net.SSLHostConfig: jar:file:/app.jar!/BOOT-INF/lib/tomcat-embed-core-10.1.5.jar!/

Add more clarity to logging. I.e. if key was not found in Keystore - log the message instead of NPE

First, how the key store is created?
Second, where to get the data for key-alias, key-store, key-store-password?

#tomcat #spring #server.ssl

Hi, thanks for the library. I am working with docker image and the readme is not enough to set it up for docker containers, as it gives errors all the time that connection is refused. Thanks in advance!

{
  "identifier": {
    "type": "dns",
    "value": "test.MYDOMAIN.com"
  },
  "status": "invalid",
  "expires": "2023-11-24T20:01:14Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "165.227.94.87: Fetching http://test.MYDOMAIN.com/.well-known/acme-challenge/pJ1AeqaCnxtWCqPZEqkRMTjNct9pCGho1QnrYeKQl0o: Connection refused",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/284808795676/Px-9Og",
      "token": "pJ1AeqaCnxtWCqPZEqkRMTjNct9pCGho1QnrYeKQl0o",
      "validationRecord": [
        {
          "url": "http://test.MYDOMAINcom/.well-known/acme-challenge/pJ1AeqaCnxtWCqPZEqkRMTjNct9pCGho1QnrYeKQl0o",
          "hostname": "test.MYDOMAINcom",
          "port": "80",
          "addressesResolved": [
            "165.227.94.87"
          ],
          "addressUsed": "165.227.94.87"
        }
      ],
      "validated": "2023-11-17T20:01:15Z"
    }
  ]
}

The issued certificate works great when using a browser, but it seems that some intermediate certificates are missing, this the certificate chain is not stored in the keystore. Could this be? I'm not that deeply familiar with the topic...
When checking against openssl, I retrieve these issues:

openssl s_client -connect www.example.com:443
CONNECTED(00000005)
depth=0 CN = www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Let's Encrypt, CN = R3

• Hot reload for Spring based Jetty

I've been trying all day to try and get this working but I keep encountering the same issue. I've setup my application.properties file as below:

server.port=443
server.ssl.enabled=true
server.ssl.protocol=TLS
server.ssl.key-store=/path/to/custom/file.keystore
server.ssl.key-store-type=pkcs12
server.ssl.key-store-password=xxx
server.ssl.key-alias=name

lets-encrypt-helper.domain=xxx
lets-encrypt-helper.contact=xxx

When the application boots up it seems to get to:

    var sslConfig = Arrays.stream(protocol.findSslHostConfigs())
        .filter(it -> null != it.getCertificateKeystoreFile())
        .filter(it -> it.getCertificateKeystoreFile().contains(serverProperties.getSsl().getKeyStore()))
        .filter(it -> serverProperties.getSsl().getKeyStorePassword().equals(it.getCertificateKeystorePassword()))
        .findFirst()
        .orElse(null);

And this method chain always returns null. I added the class file to my project, added additional logging and rebuilt and by printing out the value of the SSL host configs I get:

Keystore file for _default_ (protocols TLSv1,TLSv1.3,TLSv1.2,SSLv2Hello,TLSv1.1) = null

Where _default_ is the SSL host config getHostName(). I've followed all the steps verbatim from the readme but I'm unable to work out how to fix this problem. Do you have any idea whether additional configuration is needed? I even generated a dummy certificate with the matching alias name but it still produces a null keystore file.

Edit

Worth noting that this is Spring Boot 4.7.2

Thanks

Due to some issues on LE side it is useful to be able to access LE accountID in unencrypted way for diagnostics (to prevent future issues):
Example issue as motivation (it does not affect this lib)

Hello,

Please immediately renew your TLS certificate(s) that were issued from
Let's Encrypt using the TLS-ALPN-01 validation method and the following
ACME registration (account) ID(s):

 111111111  22222222 

We've determined that an error made it possible for TLS-ALPN-01
challenges, completed before today, to not comply with certificate
issuance requirements. We have remediated this problem and will revoke
all unexpired certificates that used this validation method at 16:00 UTC
on 28 January 2022. Please renew your certificates now to ensure an
uninterrupted experience for your site visitors.

We apologize for any inconvenience this may cause. If you need support
in the renewal process, please comment on our forum post. Our staff and
community members are available to help:

ID 111111111 should be accessible for diagnostics

2023-08-03 12:26:16 [main] [ERROR] SpringApplication - Application run failed
java.lang.IllegalStateException: Failed to configure LetsEncrypt
at com.github.valb3r.letsencrypthelper.tomcat.TomcatWellKnownLetsEncryptChallengeEndpointConfig.onApplicationEvent(TomcatWellKnownLetsEncryptChallengeEndpointConfig.java:218)
at com.github.valb3r.letsencrypthelper.tomcat.TomcatWellKnownLetsEncryptChallengeEndpointConfig.onApplicationEvent(TomcatWellKnownLetsEncryptChallengeEndpointConfig.java:84)
at com.github.valb3r.letsencrypthelper.tomcat.TomcatWellKnownLetsEncryptChallengeEndpointConfig$$SpringCGLIB$$0.onApplicationEvent()
at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener(SimpleApplicationEventMulticaster.java:172)
at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:165)
at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:143)
at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:437)
at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:370)
at org.springframework.boot.context.event.EventPublishingRunListener.ready(EventPublishingRunListener.java:109)
at org.springframework.boot.SpringApplicationRunListeners.lambda$ready$6(SpringApplicationRunListeners.java:80)
at java.base/java.lang.Iterable.forEach(Unknown Source)
at org.springframework.boot.SpringApplicationRunListeners.doWithListeners(SpringApplicationRunListeners.java:118)
at org.springframework.boot.SpringApplicationRunListeners.doWithListeners(SpringApplicationRunListeners.java:112)
at org.springframework.boot.SpringApplicationRunListeners.ready(SpringApplicationRunListeners.java:80)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:330)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1305)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1294)

Hi, this lib will be upgraded to Spring Boot 3?

If code has redirect http to https. And allow only https protocol is that working on that case?