Problem with certificate: Redirect loop detected

Hello, I'm having trouble receiving a certificate. I don't know exactly where to troubleshoot. My configs for acme-client and httpd are equivalent to this: Secure Webserver (httpd+SSL) | OpenBSD Handbook.

My domain is: vega4.net

I ran this command: acme-client -v vega4.net

It produced this output:
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: acme-v02.api.letsencrypt.org: DNS: 2606:4700:60:0:f53d:5624:85c7:3a2c
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/216401444697
acme-client: challenge, token: dpKTAplNY9YcWmsBRnSEcRt8wghkVXrPnlsQs5Qxqps, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/216401444697/ZrGpKg, status: 2
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/217013251367
acme-client: challenge, token: -SzfqInlZlmNymaj5zsqUAmwNeBUDi2FwW7T_ihCvMk, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/217013251367/UMX44g, status: 0
acme-client: /var/www/acme/-SzfqInlZlmNymaj5zsqUAmwNeBUDi2FwW7T_ihCvMk: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/217013251367/UMX44g: challenge
acme-client: order.status 0
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/216401444697
acme-client: challenge, token: dpKTAplNY9YcWmsBRnSEcRt8wghkVXrPnlsQs5Qxqps, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/216401444697/ZrGpKg, status: 2
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/217013251367
acme-client: challenge, token: -SzfqInlZlmNymaj5zsqUAmwNeBUDi2FwW7T_ihCvMk, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/217013251367/UMX44g, status: -1
acme-client: order.status -1
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/216401444697
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/217013251367
acme-client: 46.23.92.205: Fetching https://www.vega4.net/.well-known/acme-challenge/-SzfqInlZlmNymaj5zsqUAmwNeBUDi2FwW7T_ihCvMk: Redirect loop detected

My web server is (include version): httpd

The operating system my web server runs on is (include version): OpenBSD 7.2

My hosting provider, if applicable, is: openbsd.amsterdam

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme-client

Hello @sunny23, welcome to the Let's Encrypt community. :slightly_smiling_face:

This is confusing to me; maybe the error is an acme-client (https://man.openbsd.org/acme-client) bug, because I do not see how it can connect to HTTPS (i.e. port 443). And for others not familiar with OpenBSD, the httpd is this one: httpd(8) - OpenBSD manual pages.

I only see port 25 and port 80 open.


Also, https://unboundtest.com/m/CAA/vega4.net/KTUEHKXW
Your DNS CAA record has a typo: "letsencrpy.org" needs to be "letsencrypt.org".

Query results for CAA vega4.net

Response:
;; opcode: QUERY, status: NOERROR, id: 62255
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vega4.net.	IN	 CAA

;; ANSWER SECTION:
vega4.net.	0	IN	CAA	0 issue "letsencrpy.org"

----- Unbound logs -----
Apr 05 23:31:19 unbound[1015343:0] notice: init module 0: validator
Apr 05 23:31:19 unbound[1015343:0] notice: init module 1: iterator

Here is a list of issued certificates: crt.sh | vega4.net. All have "Matching Identities" (i.e. SANs) of vega4.net and www.vega4.net. acme-client(1) (OpenBSD manual pages) only implements the “http-01” challenge type (see Challenge Types - Let's Encrypt). The Let's Encrypt implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. Both vega4.net and www.vega4.net have to be challenged and respond properly (including the above-mentioned DNS CAA records, as shown here: https://letsdebug.net/vega4.net/1435352).


The error you've quoted is from the Let's Encrypt validation server. The URL shown in that error message is the final URL, not the first request, which indeed always uses HTTP. But if there is an HTTP to HTTPS redirect, the Boulder error message shows the https:// URL. That's why you can see an HTTPS request in an http-01 error message.

Currently your HTTP port 80 webserver shows a 404 Not Found, which is to be expected, but your HTTPS port 443 webserver returns "Connection refused", so we cannot debug that any further.
But the redirect loop is most likely due to incorrect redirect logic at the webserver configuration level.

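As an added example (not part of this thread and not the OP's actual configuration), here is a reconstruction of the kind of httpd.conf mistake that produces exactly this "Redirect loop detected" message, next to the corrected layout from the OpenBSD handbook the OP followed, and a matching acme-client.conf. The hostnames, the /var/www/acme path and the /etc/ssl output files come from the thread; the copied catch-all block in the TLS server, the key path, the document root and the account key path are assumptions for illustration.

```conf
# /etc/httpd.conf -- BROKEN (hypothetical reconstruction). The catch-all
# HTTP->HTTPS redirect was copied into the TLS server too, so a challenge
# fetch never terminates:
#   http://www.vega4.net/.well-known/acme-challenge/TOKEN
#     -> 302 https://www.vega4.net/.well-known/acme-challenge/TOKEN
#     -> 302 https://www.vega4.net/.well-known/acme-challenge/TOKEN  (same URL again)
# Boulder follows at most 10 hops, then reports "Redirect loop detected"
# and shows the last https:// URL it was sent to.
server "vega4.net" {
	alias "www.vega4.net"
	listen on * port 80
	location * {
		block return 302 "https://$HTTP_HOST$REQUEST_URI"
	}
}
server "vega4.net" {
	alias "www.vega4.net"
	listen on * tls port 443
	tls {
		certificate "/etc/ssl/vega4.net.fullchain.pem"
		key "/etc/ssl/private/vega4.net.key"      # assumed key path
	}
	location * {
		block return 302 "https://$HTTP_HOST$REQUEST_URI"   # redirects to itself
	}
}

# /etc/httpd.conf -- FIXED: serve the challenge directly on port 80 and never
# redirect it; redirect only everything else, and only from the port 80 server.
server "vega4.net" {
	alias "www.vega4.net"
	listen on * port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"            # httpd is chrooted to /var/www, so this is
		request strip 2         # /var/www/acme, where acme-client writes the token
	}
	location * {
		block return 302 "https://$HTTP_HOST$REQUEST_URI"
	}
}
server "vega4.net" {
	alias "www.vega4.net"
	listen on * tls port 443
	tls {
		certificate "/etc/ssl/vega4.net.fullchain.pem"
		key "/etc/ssl/private/vega4.net.key"      # assumed key path
	}
	location "/.well-known/acme-challenge/*" {
		root "/acme"            # harmless here; no redirect, so no loop
		request strip 2
	}
	location * {
		root "/htdocs/vega4.net"                  # assumed document root
	}
}

# /etc/acme-client.conf -- both names that appear on crt.sh are in one order,
# because each one is challenged separately (assumed layout per acme-client.conf(5)).
authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"   # assumed account key path
}
domain vega4.net {
	alternative names { www.vega4.net }
	domain key "/etc/ssl/private/vega4.net.key"
	domain certificate "/etc/ssl/vega4.net.crt"
	domain full chain certificate "/etc/ssl/vega4.net.fullchain.pem"
	sign with letsencrypt
}
```

Check the file with `httpd -n` before `rcctl reload httpd`. Afterwards `curl -sI http://www.vega4.net/.well-known/acme-challenge/probe` should answer with a plain 404 and no Location header (the token file does not exist, but nothing redirects), and the same request for vega4.net should behave identically, since both names are validated. Two caveats a practitioner would want: a tls server block referencing a certificate file that does not exist yet will stop httpd from loading, so run the first `acme-client -v vega4.net` with only the port 80 server in place, as the handbook does; and the CAA record must read `0 issue "letsencrypt.org"`, or the order is refused before any HTTP fetch happens at all.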

Thank you @Osiris! :slight_smile:
(I have an infinite amount of learning to do and a finite amount of time.)


Join the club :wink:


Thanks for finding the typo! letsdebug.net and unboundtest.com are really helpful as well. It seems to work now. I guess next time I have to triple-check every entry and config before posting :smile:

acme-client: /etc/ssl/vega4.net.crt: created
acme-client: /etc/ssl/vega4.net.fullchain.pem: created

