About certbot webroot renew

Hi. I am running a nodejs (express) server. I got my SSL certs via certbot with webroot validation. I ran the certbot renew command in dry-run mode with a failure result. Now I have a few questions to which I can't find answers.

  1. Looks like I need the http-01 file to renew certs. This was a surprise for me because I thought I needed it only for initially getting the certs. This file was auto-deleted when I rebuilt my react project. Is there a possibility to restore it? Some copy in certbot directories, or a new request for it via certbot, etc.? Or do I need new certs now?
  2. I was planning to disable http and keep only https. If validation is possible only by checking http-01, can letsencrypt check it via https (some people in comments said that it can and some that it can't)?
1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

The http-01 challenge file will be different each time you renew. It is not needed once it has been used.

You should always keep port 80 (http) open for requests. You can forward those requests to port 443 (https) if you wish.

2 Likes

Thanks for your help and fast reply. And now that this file is deleted, what can I do to restore it? Or should I just wait till the license ends in 3 months and make a new one to get the http-01 file? As I mentioned, the renew command in dry-run mode failed with an error :frowning:

2 Likes

You don't need the http-01 challenge(s) file for your certificate(s) to work. A different challenge file is created for each (sub)domain name each time you acquire/renew a certificate. Your ACME client (e.g. certbot) creates/deletes the challenge file(s) automatically (unless you're using manual mode).

Please post the entire command you are using along with its output. Put ``` on a line by itself above and below the output to make it easier to read.

1 Like

I am just trying to understand whether I can renew certs without http-01, because the test renew fails without it. I will have a new file if I renew, but I can't renew without it, right, or can I? From your words I understood that the reason is not the http-01 absence.

1 Like

Nope. The Let's Encrypt server probably can't GET the challenge file due to a configuration problem.

Hence...

1 Like

I deleted this file when I rebuilt my REACT project. I don't have it. I don't have the http-01 file.. I am asking now: can I renew the cert without it or not? I didn't understand your answer. Yes or no. If I can renew without it, I will and that is all. If I can't, then what should I do? That is my question. Not about what the error means..

OUTPUT

```
Challenge failed for domain getringtones.ddns.net
http-01 challenge for getringtones.ddns.net
Cleaning up challenges
Attempting to renew cert (getringtones.ddns.net) from /etc/letsencrypt/renewal/getringtones.ddns.net.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/getringtones.ddns.net/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/getringtones.ddns.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
```

1 Like

The http-01 challenge file is just a file with a (somewhat) random name and (somewhat) random information. Yes, if you are satisfying an http-01 challenge you will need certbot to create the challenge file in the right place (/.well-known/acme-challenge/) to prove that you control getringtones.ddns.net in order to get a certificate.

Now... based on what you've provided...

It looks like port 80 is closed for getringtones.ddns.net. Even though you are using HSTS, you should still keep port 80 (http) open and forward the requests from port 80 (http) to port 443 (https).

Certificate History
2 Likes

For every hostname authorization attempt, a new http-01 challenge token (and thus file) is generated. You don't need the exact same previous http-01 challenge file, but you do need a new one for future renewals.

1 Like

The end of your deleted response was exactly correct.

:flushed:

Looks like letsencrypt, after the "certbot renew" command, will generate http-01 and then in one step check its availability, and after that I can delete it until the next renew generates a new file.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.