So I have several servers configured similarly. All of them redirect http directly to https. On the main server the certbot renewal process has been running for years without a problem, upon renewal I see a request to the http server, it gets a 301 response and I then see a request to the https server and things work as normal.
On the server I'm attempting to refresh I see the initial request to the http server and the 301 response. I then do not see another request and I simply see a redirect loop detected error. Attempting this using curl I see appropriate responses and they work as expected: curl http://kibana.spansh.co.uk/.well-known/acme-challenge/kOonsBWq4xZeV7RLzKn1bwVNM2i9s0vkOFulVfAUTsM -v
responds with the following header Location: https://kibana.spansh.co.uk/.well-known/acme-challenge/kOonsBWq4xZeV7RLzKn1bwVNM2i9s0vkOFulVfAUTsM
I ran this command: certbot certonly --webroot --webroot-path /var/www/ssl-proof/ --force-renewal --post-hook '/etc/init.d/nginx reload' --dry-run --cert-name kibana.spansh.co.uk --debug-challenges -v
It produced this output:
Challenge failed for domain kibana.spansh.co.uk
http-01 challenge for kibana.spansh.co.uk
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: kibana.spansh.co.uk
Type: connection
Detail: 136.243.20.72: Fetching https://kibana.spansh.co.uk/.well-known/acme-challenge/ZnvEukHLrVvoBJL5V-VHMyXIZZTYkswH4eWcrCXhj9Q: Redirect loop detected
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
My web server is (include version): nginx 1.22.0
The operating system my web server runs on is (include version): Linux Ubuntu bullseye
My hosting provider, if applicable, is: Hetzner
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.28.0
Currently, I'm not getting a redirect loop, but a 404 file not found when trying the challenge. Probably due to the fact Certbot isn't running any longer. Which makes this kinda difficult to debug.
First thing I'd think is rogue .htaccess files redirecting or perhaps misconfigured Wordpress.
It's not running Wordpress, in fact there's not really much running on the rest of the site at the moment. The well-known direction (location) is specifically handled as a separate docroot, so it's purely nginx, There isn't a htaccess, though the rest of the site (not under .well-known) is behind basic http auth.
Ok, after your IPv6 prod I've checked it and I'd forgotten to add a listen [::]:443 ssl http2; to my https side.
After I fixed that it has allowed me to renew fine. I suspect that the error reporting on the certbot/letsencrypt side was flawed. It saw it could request on IPv6 on port 80 and the failure on port 443 caused it to think it was a redirect loop.
Not sure if IPv6 was the issue. I could get the challenge fine without your fix and Boulder, the software doing the Let's Encrypt validation, would definitely give a different error if there was something else than an actual redirect loop.
But I guess it's a good thing it worked now? Although I'm not sure you're definitely out of the woods for future renewals, keep a close eye I'd say
I suspect perhaps a logic error on the Lets Encrypt side, http worked and redirected, https failed due to no connection and it reported redirect loop when it potentially should have been caught another way.
On an unrelated note, my god the amount of attempted scans/hacks/nmaps/probes on that server since I posted here (it always had some, I just saw an increase of a few thousand percent).
Threads on this site are also indexed by search engines VERY quickly, so I'm not surprised.
Also note that all certificates are logged to Certificate Transparancy Logs and hackers can easily monitor those logs for new hostnames and try out stuff. For example, if your Wordpress site isn't secure and "wide open", but you get a public certificate anyway, this can lead to trouble.
Which emphasises the importance of having your server and public applications secure FIRST before you put it out there on the internet.