Plesk certification issue

My domain is: envisual.eu

We've got a Plesk server running several dozen domains, many of which use Let's Encrypt via the Plesk integration. However, when we added the above domain and tried to set up the usual cert, we got the following error:

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/4839859361.

Details:

Type: urn:ietf:params:acme:error:connection

Status: 400

Detail: Fetching http://www.envisual.eu/.well-known/acme-challenge/73y6RW6zvZ-3Qz0787YBqY2LfQxaNmI37Kpj-J-ErTc: Error getting validation data

Looking at the site's access_log I saw the following:

18.196.96.172 - - [27/May/2020:09:24:58 +0200] "GET /.well-known/acme-challenge/73y6RW6zvZ-3Qz0787YBqY2LfQxaNmI37Kpj-J-ErTc HTTP/1.1" 301 639 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.15.254.228 - - [27/May/2020:09:24:58 +0200] "GET /.well-known/acme-challenge/73y6RW6zvZ-3Qz0787YBqY2LfQxaNmI37Kpj-J-ErTc HTTP/1.1" 301 639 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [27/May/2020:09:24:58 +0200] "GET /.well-known/acme-challenge/73y6RW6zvZ-3Qz0787YBqY2LfQxaNmI37Kpj-J-ErTc HTTP/1.1" 301 639 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.209.232.166 - - [27/May/2020:09:24:58 +0200] "GET /.well-known/acme-challenge/73y6RW6zvZ-3Qz0787YBqY2LfQxaNmI37Kpj-J-ErTc HTTP/1.1" 301 639 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

The '301' code indicates that it sent a redirect, so I fired up tcpdump/wireshark to see what it was redirecting to and it seemed to be redirecting to itself:

GET /.well-known/acme-challenge/IzNuEvCUckHes7evHcwUVgn2WBPZ0c0XXCRySrNsA1k HTTP/1.1
Host: envisual.eu
User-Agent: Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)
Accept: */*
Accept-Encoding: gzip
Connection: close

HTTP/1.1 301 Moved Permanently
Date: Wed, 27 May 2020 07:30:17 GMT
Server: Apache
Location: http://www.envisual.eu/.well-known/acme-challenge/IzNuEvCUckHes7evHcwUVgn2WBPZ0c0XXCRySrNsA1k
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-1

Even deleting the entire contents of the site didn't change the behavior; other sites on the same server work fine.

What's even more confounding is that attempting a manual download of the challenge using wget yields the file just fine, even if I set the certbot values as the user-agent string:

89.20.64.133 - - [27/May/2020:09:37:08 +0200] "GET /.well-known/acme-challenge/73y6RW6zvZ-3Qz0787YBqY2LfQxaNmI37Kpj-J-ErTc HTTP/1.1" 200 353 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
83.162.2.112 - - [27/May/2020:09:37:42 +0200] "GET /.well-known/acme-challenge/73y6RW6zvZ-3Qz0787YBqY2LfQxaNmI37Kpj-J-ErTc HTTP/1.1" 200 353 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

I'm completely out of ideas at this point. If there's anything anyone thinks I could have overlooked, I'd love to hear it.

1 Like

The “error getting validation data” might actually be a fallback error relating to the ICMP error code when trying to connect to your domain over IPv6: https://letsdebug.net/www.envisual.eu/151471

Try fixing that first, and then see whether the infinite redirect is still relevant. I suspect that just fixing the IPv6 should be sufficient. There’s some peculiar address selection behavior that can sometimes occur when redirects and IPv6 are involved, and your situation reads exactly like one of those situations.

Generally, Let’s Encrypt provides a specific error when maximum redirects are exceeded, as in the case of a redirect loop.

4 Likes
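The reply above makes two points that are easy to verify from the server side: a validator that fails on IPv6 may report a generic "error getting validation data" rather than a redirect error, and a redirect loop is only diagnosed if something actually follows the chain. The script below is an added example written for this thread, not code from Let's Encrypt, Plesk or the poster. It follows the HTTP-01 challenge URL the way a validator would, caps the number of redirects, reports a loop when a URL repeats, and runs the check once per address family so an IPv6 failure is not masked by a working IPv4 path. The function names, the placeholder hostname and token, and the two fake fetchers in `demo()` (one answering with a 301 to the same URL, one failing to connect, modelled on the access_log and tcpdump output quoted above) are all constructed for the example; `make_fetcher()` is the real network path a practitioner would plug in.

```python
"""Follow an ACME HTTP-01 challenge URL per address family and classify
the outcome (ok / redirect_loop / too_many_redirects / connection_error).
Added example for this thread; hostnames, token and fake fetchers are constructed."""
import http.client
import socket
import ssl
from urllib.parse import urljoin, urlsplit

# User-Agent string as it appears in the access_log quoted in the thread.
LE_USER_AGENT = ("Mozilla/5.0 (compatible; Let's Encrypt validation server; "
                 "+https://www.letsencrypt.org)")
MAX_REDIRECTS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}


def follow_chain(url, fetch, max_redirects=MAX_REDIRECTS):
    """Follow redirects starting at `url`.

    `fetch(url)` must return (status, headers) with lower-cased header names,
    or raise OSError on a transport failure (DNS, connect, TLS).
    Returns a dict with the outcome, the chain of URLs visited and a detail field."""
    chain = []
    while True:
        if url in chain:  # same URL seen twice: the server redirects to itself
            return {"outcome": "redirect_loop", "chain": chain + [url]}
        if len(chain) >= max_redirects:
            return {"outcome": "too_many_redirects", "chain": chain + [url]}
        chain.append(url)
        try:
            status, headers = fetch(url)
        except OSError as exc:
            return {"outcome": "connection_error", "chain": chain, "detail": str(exc)}
        if status in REDIRECT_CODES:
            location = headers.get("location")
            if not location:
                return {"outcome": "redirect_without_location", "chain": chain}
            url = urljoin(url, location)  # resolve a relative Location like a client would
            continue
        outcome = "ok" if status == 200 else "http_%d" % status
        return {"outcome": outcome, "chain": chain, "detail": status}


def make_fetcher(family):
    """Real fetcher pinned to one address family (socket.AF_INET6 or socket.AF_INET),
    so IPv6 and IPv4 can be tested independently of the OS's address selection."""
    def fetch(url):
        parts = urlsplit(url)
        https = parts.scheme == "https"
        port = parts.port or (443 if https else 80)
        # getaddrinfo raises socket.gaierror (an OSError) if the family has no record.
        infos = socket.getaddrinfo(parts.hostname, port, family, socket.SOCK_STREAM)
        addr = infos[0][4][0]
        sock = socket.create_connection((addr, port), timeout=10)
        if https:
            # TLS with SNI and certificate check against the hostname, not the literal IP.
            ctx = ssl.create_default_context()
            sock = ctx.wrap_socket(sock, server_hostname=parts.hostname)
        conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
        conn = conn_cls(addr, port)
        conn.sock = sock  # reuse the socket we opened for the chosen family
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"Host": parts.hostname,
                                            "User-Agent": LE_USER_AGENT})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        resp.read()
        conn.close()
        return resp.status, headers
    return fetch


def diagnose(hostname, token, fetchers):
    """Run the chain once per family. `fetchers` maps a label ("ipv6", "ipv4")
    to a fetch callable. A validator that prefers AAAA can fail on IPv6 before
    it ever tries IPv4, so each family gets its own verdict."""
    url = "http://%s/.well-known/acme-challenge/%s" % (hostname, token)
    return {label: follow_chain(url, fetch) for label, fetch in fetchers.items()}


def demo():
    """Constructed fetchers modelling the thread: over IPv4 Apache answers the
    challenge request with a 301 to the very same URL; over IPv6 nothing is reachable."""
    def ipv4_fake(url):
        return 301, {"location": url, "server": "Apache"}

    def ipv6_fake(url):
        raise OSError("[Errno 113] No route to host")  # constructed error text

    return diagnose("www.example.test", "TOKEN-PLACEHOLDER",
                    {"ipv6": ipv6_fake, "ipv4": ipv4_fake})


if __name__ == "__main__":
    for family, result in demo().items():
        print(family, result["outcome"], "->", " => ".join(result["chain"]))
    # Against a live host: diagnose(host, token, {"ipv6": make_fetcher(socket.AF_INET6),
    #                                             "ipv4": make_fetcher(socket.AF_INET)})
```

Running `demo()` reports `connection_error` for IPv6 and `redirect_loop` for IPv4, which is the combination the reply above describes: fix the AAAA record or the IPv6 listener first, then re-check whether the redirect still loops. Against a real host, swap the fakes for `make_fetcher(socket.AF_INET6)` and `make_fetcher(socket.AF_INET)`; the request is sent with the validator's own User-Agent so that any user-agent-based rewrite rule is exercised too.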

This turned out to be it. They were hosting their DNS at a third party, so it’s going to be up to them to fix this.

Thanks!

1 Like
