About certbot webroot renew

gog · December 20, 2020, 11:49pm

Hi. I am running nodejs(express) server. I got my ssl certs via certbot with webroot validation. I runed certbot renew command in dry mode with failure result. Now i have a few questions, to what a cant find answers.

Looks like i need http-01 file for renew certs. This was surprise for me because i thought i need it only for initial getting certs. This file was auto deleted when i rebuild my react project. Is there a possibility to restore it? Some copy in certbot dirrectories or new request for it via certbot, etc? Or i need new certs now?
I was planned to disable http and remain only https. If validation possible only by checking http-01, can letsencrypt check it via https (some people in comments said that it can and some that it cant)?

griffin · December 20, 2020, 11:56pm

Welcome to the Let's Encrypt Community

The http-01 challenge file will be different each time you renew. It is not needed once it has been used.

You should always keep port 80 (http) open for requests. You can forward those requests to port 443 (https) if you wish.

gog · December 21, 2020, 12:01am

Thanks for your help and fast reply. And now when this file deleted what can i do to restore it? Or i should just wait till license ends in 3 month and make new to get http-01 file? As i mentioned renew command in run-dry mode failed with error

griffin · December 21, 2020, 12:07am

You don't need the http-01 challenge(s) file for your certificate(s) to work. A different challenge file is created for each (sub)domain name each time you acquire/renew a certificate. Your ACME client (e.g. certbot) creates/deletes the challenge file(s) automatically (unless you're using manual mode).

Please post the entire command you are using along with its output. Put ``` on a line by itself above and below the output to make it easier to read.

gog · December 21, 2020, 12:10am

I am just trying to understand can i renew certs without http-01, because test renew fails without it. I will have new file if renew, but i cant renew without it right or can? From your words i understood that reason is not in http-01 absentse.

griffin · December 21, 2020, 12:14am

Nope. The Let's Encrypt server probably can't GET the challenge file due to a configuration problem.

Hence...

gog · December 21, 2020, 12:28am

I delete this file when rebuild my REACT project. I dont have it. Dont have file http-01.. I am asking now can i renew cert without it or not? I dont understood your answer. Yes or not. If i can renew without it i will and that is all. If i cant than what should i do? That is my question. Not about what error means..

OUTPUT

Challenge failed for domain getringtones.ddns.net
http-01 challenge for getringtones.ddns.net
Cleaning up challenges
Attempting to renew cert (getringtones.ddns.net) from /etc/letsencrypt/renewal/getringtones.ddns.net.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/getringtones.ddns.net/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/getringtones.ddns.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: getringtones.ddns.net
Type: connection
Detail: Fetching
http://getringtones.ddns.net/.well-known/acme-challenge/zIByGP8Mx6emGOgf2II5GNbFp-_KqX6LsfC6F2a7CUQ:
Timeout during connect (likely firewall problem)

griffin · December 21, 2020, 12:54am

The http-01 challenge file is just a file with a (somewhat) random name and (somewhat) random information. Yes, if you are satisfying an http-01 challenge you will need certbot to create the challenge file in the right place (/.well-known/acme-challenge/) to prove that you control getringtones.ddns.net in order to get a certificate.

Now... based on what you've provided...

It looks like port 80 is closed for getringtones.ddns.net. Even though you are using HSTS, you should still keep port 80 (http) open and forward the requests from port 80 (http) to port 443 (https).

Certificate History

Osiris · December 21, 2020, 6:43am

For every hostname authorization attempt, a new http-01 challenge token (and thus file) is generated. You don't need the exact same previous http-01 challenge file, but you do need a new one for future renewals.

griffin · December 21, 2020, 7:55am

The end of your deleted response was exactly correct.

Looks like letsencrypt after "certbot renew" command will generate http-01 and then in one step checks its availability and after that i can delete it till new renew will generate new file

system · January 20, 2021, 8:08am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.