Redirect loop after cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: imsarah.lgbt

I ran this command: sudo certbot --nginx

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory


(A)gree/(C)ancel: a


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: n

Which names would you like to activate HTTPS for?


1: imsarah.lgbt
2: www.imsarah.lgbt


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): imsarah.lgbt
** Error - Invalid selection **

Which names would you like to activate HTTPS for?


1: imsarah.lgbt
2: www.imsarah.lgbt


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for imsarah.lgbt
http-01 challenge for www.imsarah.lgbt
Waiting for verification…
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/imsarah.lgbt
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/imsarah.lgbt

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/imsarah.lgbt
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/imsarah.lgbt


Congratulations! You have successfully enabled https://imsarah.lgbt and
https://www.imsarah.lgbt

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=imsarah.lgbt
https://www.ssllabs.com/ssltest/analyze.html?d=www.imsarah.lgbt


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/imsarah.lgbt/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/imsarah.lgbt/privkey.pem
    Your cert will expire on 2020-09-05. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

My web server is (include version): nginx version: nginx/1.19.0

The operating system my web server runs on is (include version): debian 10 stable

My hosting provider, if applicable, is: lunanode VPS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): wordpress

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

I ran certbot and now my website is in a redirect loop; my nginx config is below:

server {
    root /var/www/imsarah;
    index index.php;
    server_name imsarah.lgbt www.imsarah.lgbt;

    access_log /var/log/nginx/imsarah.lgbt_access.log;
    error_log /var/log/nginx/imsarah.lgbt_error.log;

    client_max_body_size 64M;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_read_timeout 3600s;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 128k;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        fastcgi_index index.php;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        expires max;
        log_not_found off;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/imsarah.lgbt/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/imsarah.lgbt/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.imsarah.lgbt) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = imsarah.lgbt) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name imsarah.lgbt www.imsarah.lgbt;
    return 404; # managed by Certbot
}

Hi @milkerfish

Checking your domain via https://check-your-website.server-daten.de/?q=imsarah.lgbt, there is no redirect visible.

Your www version or a wildcard DNS entry isn’t defined:

Host              Type   IP-Address                                                                                                               is auth.  ∑ Queries  ∑ Timeout
imsarah.lgbt      A      172.81.181.236 (Toronto/Ontario/Canada (CA) - Cogent Communications; Hostname: 236.181.81.172.lunanode-rdns.com)         yes       1          0
                  AAAA   2602:ffb6:4:28c2:f816:3eff:fef3:764f (Toronto/Ontario/Canada (CA) - Cogent Communications)                               yes
www.imsarah.lgbt         Name Error                                                                                                               yes       1          0
*.imsarah.lgbt    A      Name Error                                                                                                               yes
                  AAAA   Name Error                                                                                                               yes
                  CNAME  Name Error                                                                                                               yes

That’s sometimes a source of redirects (www -> non-www -> www).

And your http redirects in one step to https:

Domainname                                                    Http-Status  redirect                Sec.    G   Notes
http://imsarah.lgbt/  (172.81.181.236)                        301          https://imsarah.lgbt/   0.223   A   Html is minified: 109,03 %
http://imsarah.lgbt/  (2602:ffb6:4:28c2:f816:3eff:fef3:764f)  -14                                  10.033  T   Timeout - The operation has timed out
https://imsarah.lgbt/ (172.81.181.236)                        200                                  4.947   I   No GZip used - 3432 / 8103 - 42,35 % possible; Inline-JavaScript (∑/total): 6/2246; Inline-CSS (∑/total): 2/318; Html is minified: 170,45 %
https://imsarah.lgbt/ (2602:ffb6:4:28c2:f816:3eff:fef3:764f)  -14                                  10.017  T   Timeout - The operation has timed out

But critical: You have ipv4 and ipv6 (that’s good), but your ipv6 doesn’t work.

If users connect to your site via ipv6, they must hope that the browser switches to ipv4.

That was partially an issue; however, what I found out was that by commenting out the lines added by certbot I got the site to work, and when checking the SSL status it was verified by Cloudflare. Going into my CF Dash account and disabling Cloudflare SSL and restarting nginx fixed the issue.

Regarding IPv6 I’m not sure why it doesn’t work and since my home ISP doesn’t support IPv6 I can’t do any real troubleshooting.

Then remove the AAAA entry, so no browser tries to connect that address.

PS: There are new checks.

But now

Host              Type   IP-Address                                                                                                               is auth.  ∑ Queries  ∑ Timeout
imsarah.lgbt      A      172.81.181.236 (Toronto/Ontario/Canada (CA) - Cogent Communications; Hostname: 236.181.81.172.lunanode-rdns.com)         yes       1          0
                  AAAA   2602:ffb6:4:28c2:f816:3eff:fef3:764f (Toronto/Ontario/Canada (CA) - Cogent Communications)                               yes
www.imsarah.lgbt  A      162.255.119.178 (Newark/New Jersey/United States (US) - Namecheap; No Hostname found)                                    yes

Your non-www and your www have different IP addresses. Do you really have two different servers?

I only have 1 VPS, the www IP seems to be hitting namecheap’s nameserver. I’m honestly not sure why it’s doing that.

From my side these are my records (just removed AAAA) :(

Namecheap seems to be doing something weird with their nameservers.

That’s the www record with that “Url Redirect record”. Remove that.


facepalm

Sorry, I’m relatively new and still learning. Should I be using a CNAME record instead to redirect www to non-www, because without that record my site is inaccessible using www?

Both are possible. Create a CNAME -> main domain or a second A -> same IP address.
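The DNS findings in this thread (www missing entirely, then www pointing at a registrar "URL redirect" host instead of the VPS, and an AAAA record whose address never answered) can all be caught before touching the web server. The check below is an added example, not code from the thread or from any DNS tool: it walks a zone held in a plain dict, following CNAMEs the way a resolver would, and reports whether www and the apex end up at the same IPv4 address. The zones are constructed from the addresses quoted in the thread, and the last two zones are the two fixes from the reply above; the `audit` finding names are assumptions for illustration.

```python
"""Apex/www DNS sanity check (added example, not from the thread)."""


def resolve(zone, name, rrtype, depth=0):
    """Set of rrtype records for name, following CNAME chains like a
    resolver (bounded so a CNAME loop cannot recurse forever)."""
    if depth > 8:
        return set()
    rrsets = zone.get(name, {})
    if "CNAME" in rrsets:                     # CNAME replaces all other data
        return resolve(zone, rrsets["CNAME"], rrtype, depth + 1)
    return set(rrsets.get(rrtype, []))


def audit(zone, apex):
    """Findings for apex and www.<apex>, in a fixed order."""
    www = "www." + apex
    apex4, www4 = resolve(zone, apex, "A"), resolve(zone, www, "A")
    www6 = resolve(zone, www, "AAAA")
    findings = []
    if not www4 and not www6:
        findings.append("WWW_NXDOMAIN")       # www does not exist at all
    elif www4 != apex4:
        findings.append("WWW_IP_MISMATCH")    # www lands on another host
    if resolve(zone, apex, "AAAA"):
        # Only acceptable if the origin really answers on IPv6; the thread's
        # advice for a dead v6 address is to drop the record.
        findings.append("AAAA_PRESENT")
    return findings


APEX = "imsarah.lgbt"
ORIGIN_V4 = "172.81.181.236"                        # VPS address from the thread
ORIGIN_V6 = "2602:ffb6:4:28c2:f816:3eff:fef3:764f"  # AAAA from the thread
REDIRECT_HOST_V4 = "162.255.119.178"                # Namecheap "URL redirect" IP from the thread

# Constructed zones, one per stage of the thread.
ZONE_INITIAL = {APEX: {"A": [ORIGIN_V4], "AAAA": [ORIGIN_V6]}}
ZONE_URL_REDIRECT = {APEX: {"A": [ORIGIN_V4], "AAAA": [ORIGIN_V6]},
                     "www." + APEX: {"A": [REDIRECT_HOST_V4]}}
ZONE_FIX_CNAME = {APEX: {"A": [ORIGIN_V4]}, "www." + APEX: {"CNAME": APEX}}
ZONE_FIX_A = {APEX: {"A": [ORIGIN_V4]}, "www." + APEX: {"A": [ORIGIN_V4]}}

if __name__ == "__main__":
    for label, zone in (("initial", ZONE_INITIAL), ("url-redirect", ZONE_URL_REDIRECT),
                        ("fix-cname", ZONE_FIX_CNAME), ("fix-a", ZONE_FIX_A)):
        print(f"{label:13} {audit(zone, APEX)}")
```

Either fix yields an empty finding list: the CNAME makes www inherit whatever the apex resolves to, while the second A record has to be kept in step by hand whenever the VPS address changes.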

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.