I get always this error org.shredzone.acme4j.exception.AcmeServerException: Order's status ("invalid") is not acceptable for finalization at finalizeOrder. Certbot with same ports as standalone works fine and Spring Boot App delivers at port 80. Any suggestions?

I've been trying all day to try and get this working but I keep encountering the same issue. I've setup my application.properties file as below:

server.port=443
server.ssl.enabled=true
server.ssl.protocol=TLS
server.ssl.key-store=/path/to/custom/file.keystore
server.ssl.key-store-type=pkcs12
server.ssl.key-store-password=xxx
server.ssl.key-alias=name

lets-encrypt-helper.domain=xxx
lets-encrypt-helper.contact=xxx

When the application boots up it seems to get to:

    var sslConfig = Arrays.stream(protocol.findSslHostConfigs())
        .filter(it -> null != it.getCertificateKeystoreFile())
        .filter(it -> it.getCertificateKeystoreFile().contains(serverProperties.getSsl().getKeyStore()))
        .filter(it -> serverProperties.getSsl().getKeyStorePassword().equals(it.getCertificateKeystorePassword()))
        .findFirst()
        .orElse(null);

And this method chain always returns null. I added the class file to my project, added additional logging and rebuilt and by printing out the value of the SSL host configs I get:

Keystore file for _default_ (protocols TLSv1,TLSv1.3,TLSv1.2,SSLv2Hello,TLSv1.1) = null

Where _default_ is the SSL host config getHostName(). I've followed all the steps verbatim from the readme but I'm unable to work out how to fix this problem. Do you have any idea whether additional configuration is needed? I even generated a dummy certificate with the matching alias name but it still produces a null keystore file.

Edit

Worth noting that this is Spring Boot 4.7.2

Thanks

The issued certificate works great when using a browser, but it seems that some intermediate certificates are missing, this the certificate chain is not stored in the keystore. Could this be? I'm not that deeply familiar with the topic... When checking against openssl, I retrieve these issues:

openssl s_client -connect www.example.com:443
CONNECTED(00000005)
depth=0 CN = www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Let's Encrypt, CN = R3

java.lang.NullPointerException: Cannot invoke "java.security.KeyStore$PrivateKeyEntry.getCertificate()" because "accountKeyEntry" is null
	at com.github.valb3r.letsencrypthelper.tomcat.TomcatWellKnownLetsEncryptChallengeEndpointConfig.updateCertificateAndKeystore(TomcatWellKnownLetsEncryptChallengeEndpointConfig.java:395) ~[letsencrypt-helper-tomcat-0.2.4.jar:na]
	at com.github.valb3r.letsencrypthelper.tomcat.TomcatWellKnownLetsEncryptChallengeEndpointConfig.executeCheckCertValidityAndRotateIfNeeded(TomcatWellKnownLetsEncryptChallengeEndpointConfig.java:336) ~[letsencrypt-helper-tomcat-0.2.4.jar:na]
	at com.github.valb3r.letsencrypthelper.tomcat.TomcatWellKnownLetsEncryptChallengeEndpointConfig.letsEncryptCheckCertValidityAndRotateIfNeeded(TomcatWellKnownLetsEncryptChallengeEndpointConfig.java:308) ~[letsencrypt-helper-tomcat-0.2.4.jar:na]
	at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]

I'm testing on a server with an already existing certificate from letsencrypt. However, the sample program cannot be run. I am attaching the log. ``:: Spring Boot :: (v2.3.4.RELEASE)

2022-07-30 09:25:36.481 INFO 895693 --- [ main] example.SpringBootApp : Starting SpringBootApp on **** with PID 895693 (/home/alex/letsencrypt-helper-example-0.1.3-SNAPSHOT.jar started by root in /home/***) 2022-07-30 09:25:36.490 INFO 895693 --- [ main] example.SpringBootApp : No active profile set, falling back to default profiles: default 2022-07-30 09:25:39.248 INFO 895693 --- [ main] lKnownLetsEncryptChallengeEndpointConfig : KeyStore exists: /etc/letsencrypt/live/************/keystore.p12 2022-07-30 09:25:39.571 INFO 895693 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 443 (https) 80 (http) 2022-07-30 09:25:39.659 INFO 895693 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat] 2022-07-30 09:25:39.660 INFO 895693 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.38] 2022-07-30 09:25:39.960 INFO 895693 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext 2022-07-30 09:25:39.964 INFO 895693 --- [ main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 3338 ms 2022-07-30 09:25:40.556 WARN 895693 --- [ificate Watcher] lKnownLetsEncryptChallengeEndpointConfig : Please review carefully and accept TOS https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf 2022-07-30 09:25:40.608 WARN 895693 --- [ificate Watcher] lKnownLetsEncryptChallengeEndpointConfig : Failed updating KeyStore

java.lang.NullPointerException: null at com.github.valb3r.letsencrypthelper.tomcat.TomcatWellKnownLetsEncryptChallengeEndpointConfig.updateCertificateAndKeystore(TomcatWellKnownLetsEncryptChallengeEndpointConfig.java:395) ~[letsencrypt-helper-tomcat-0.2.4.jar!/:na] at com.github.valb3r.letsencrypthelper.tomcat.TomcatWellKnownLetsEncryptChallengeEndpointConfig.executeCheckCertValidityAndRotateIfNeeded(TomcatWellKnownLetsEncryptChallengeEndpointConfig.java:336) ~[letsencrypt-helper-tomcat-0.2.4.jar!/:na] at com.github.valb3r.letsencrypthelper.tomcat.TomcatWellKnownLetsEncryptChallengeEndpointConfig.letsEncryptCheckCertValidityAndRotateIfNeeded(TomcatWellKnownLetsEncryptChallengeEndpointConfig.java:308) ~[letsencrypt-helper-tomcat-0.2.4.jar!/:na] at java.base/java.lang.Thread.run(Thread.java:829) ~[na:na]` The library and its functionality is what I need. I would love to resolve any issues.

Hi! This is a useful project, thanks!

Instructions/code on how to redirect http to https would be helpful especially given that this is for small pet projects. I've been able to apply it to my pet project and now I don't have this 301 https redirect. Googling gave me too many ways and it's interesting what would be the best way for spring-boot.

Due to some issues on LE side it is useful to be able to access LE accountID in unencrypted way for diagnostics (to prevent future issues): Example issue as motivation (it does not affect this lib)

Hello,

Please immediately renew your TLS certificate(s) that were issued from
Let's Encrypt using the TLS-ALPN-01 validation method and the following
ACME registration (account) ID(s):

 111111111  22222222 

We've determined that an error made it possible for TLS-ALPN-01
challenges, completed before today, to not comply with certificate
issuance requirements. We have remediated this problem and will revoke
all unexpired certificates that used this validation method at 16:00 UTC
on 28 January 2022. Please renew your certificates now to ensure an
uninterrupted experience for your site visitors.

We apologize for any inconvenience this may cause. If you need support
in the renewal process, please comment on our forum post. Our staff and
community members are available to help:

ID 111111111 should be accessible for diagnostics