How to fix: 301 Moved Permanently (Cloudflare + Let's Encrypt)?


#1

My domain is: worldmin.ru

I ran this command:
curl -I https://worldmin.ru

It produced this output:
HTTP/1.1 301 Moved Permanently

My web server is: nginx/1.12.1

The operating system my web server runs on is: Ubuntu 17.10

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no


#2

Hi,

So what’s the problem?


#3

I cannot access the site
HTTP/1.1 301 Moved Permanently


#4

Ok.

When I’m accessing your server, the HTTP version redirects me to HTTPS; however, the HTTPS version reports a Cloudflare 521 error.

Can you try turning off cloudflare (root can) for a while and see if that works?

Thank you


#5

Without it, it worked


#7

Please check if you have both a server rewrite (on the server end) as well as the Cloudflare HTTPS rewrite enabled.

(I’m not sure what’s the issue, my best guess is this since it’s the only rewrite involved)


#8

Accessing the origin server directly works fine both over HTTP and HTTPS (ignoring the obvious certificate name mismatch) so I’m not sure what this issue has to do with Let’s Encrypt.

Your best bet may be to reach out to Cloudflare support, and also check that you don’t have any Cloudflare page rules set up (and your site seems to be in “I’m Under Attack!” mode as well …, at least based on the captcha I receive every time I visit it).

Seems like you may have pressed too many buttons in the Cloudflare UI.


#9

Hi @draxxx,

I checked it yesterday but I couldn’t write a post. Yesterday, and it seems today too (the only difference is that right now, as @_az said, Cloudflare is presenting a captcha), your ORIGIN server has redirect directives configured in your web server or some rewrite rules which are redirecting your site, as @stevenzhu commented a few posts above. If you are using Flexible SSL you MUST remove these redirections from your ORIGIN server or you get an infinite loop (as you are observing right now). You could also switch to Full SSL if your origin server has a certificate or switch to Full SSL (strict) if your origin server has a valid certificate.

Whatever, the best approach is to review your redirection/rewrite rules on your ORIGIN server and drop them.

Good luck,
sahsanu


#11

Hi @draxxx,

Did you restart your nginx? Are you using Flexible SSL, Full SSL or Full SSL (strict)? Do you have any page rule configured in Cloudflare for your domain?

Cheers,
sahsanu


#12

For sure the redirect is still present at the origin

$ curl -I -X GET -H 'Host: worldmin.ru' http://85.113.39.67/
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 19 Mar 2018 08:49:52 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://worldmin.ru:443/

Try reloading nginx as @sahsanu suggested, or at least get the full config from nginx -T and dump it here.


#14

You still have this:

server {
    listen *:80;
    server_name worldmin.ru;
 
    charset off;
    index index.php;
    ssi on;
    return 301 https://worldmin.ru:443$request_uri;
}

Comment it out and restart nginx (also, you should not use ssl on; in this server block).


#16

We have all certificates on the router.
And from the server the usual http is required?

We have pfs with a certificate and ubuntu with certbot and there and there https certificates


#17

What has likely happened is that you commented out all the port 80 listeners, and now nginx is no longer listening on port 80, because it has no need.

May I suggest making your primary https listener also listen on port 80, as documented here: http://nginx.org/en/docs/http/configuring_https_servers.html#single_http_https_server

In your case, I believe this can be achieved by adding a second listen directive below your current one and changing the existing one to include ssl:

listen *:443 ssl;
listen *:80;
server_name worldmin.ru;

and then remove

ssl on;


#18

As @_az said, if you are using Flexible SSL on Cloudflare, use @_az’s suggestion; if you were using Full SSL you shouldn’t need to create a server block listening on port 80.


#19

thanks to all
the problem disappeared
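
Added example, not part of any post in this thread: a small Python model of the redirect loop explained in post #9, fed with the origin's port-80 response from post #12. The `trace` helper, the mode names and the 200 response are assumptions for illustration; the model assumes Flexible SSL always contacts the origin over HTTP and Full SSL uses the visitor's scheme.

```python
from urllib.parse import urlsplit

# Origin's port-80 reply, taken from the curl output in post #12.
REDIRECTING = "HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://worldmin.ru:443/\r\n"
# Constructed sample: an origin reply that serves the page without redirecting.
SERVING = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"


def parse_response(raw):
    """Split a raw header block into (status code, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def normalise(url):
    """Reduce a URL to (scheme, host, port, path) so ':443' and no port compare equal."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}[parts.scheme]
    return parts.scheme, parts.hostname, port, parts.path or "/"


def trace(cf_mode, origin, url, max_hops=10):
    """Follow redirects as a visitor behind the proxy would see them.

    Model (assumption): "flexible" always fetches the origin over http,
    "full" uses the same scheme the visitor used. `origin` maps a scheme
    to the raw response the origin gives on that scheme.
    """
    seen = set()
    for _ in range(max_hops):
        key = normalise(url)
        if key in seen:
            return "loop"  # same URL requested twice: the browser never gets a page
        seen.add(key)
        upstream = "http" if cf_mode == "flexible" else key[0]
        status, headers = parse_response(origin[upstream])
        if status not in (301, 302, 303, 307, 308) or "location" not in headers:
            return "ok"
        url = headers["location"]
    return "loop"
```

With the origin as captured in post #12, `trace("flexible", ...)` returns `"loop"` while `trace("full", ...)` returns `"ok"`; once the port-80 block stops redirecting, Flexible also returns `"ok"`.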

