Redirect loop detected

Hello everyone. I need help.

Summary:
certbot 1.12.0
nginx/1.22.0
Steps to reproduce:
I have a forwarding from port 80 to 443

server {
    listen [::]:80;
    listen 80;
    server_name vmasshtabe.ru;

    location / {
        # 'return' ends request processing: every request on port 80,
        # including /.well-known/acme-challenge/, is answered with this 301.
        # The root/index directives below therefore never serve anything here.
        return 301 https://$host$request_uri;
        set $root_path /var/www/vmasshtabe.ru/web;
        root $root_path;
        index  index.html index.htm;
    }
}

If you remove the redirect, the certificate is obtained successfully.

Expected result:
certbot certonly --dry-run -d vmasshtabe.ru -w /var/www/vmasshtabe.ru/web
IMPORTANT NOTES:

The dry run was successful.

Actual result:

curl -I https://vmasshtabe.ru/.well-known/acme-challenge/example.html
HTTP/2 200 
server: nginx
date: Fri, 04 Oct 2024 18:45:22 GMT
content-type: text/html; charset=utf-8
content-length: 8
last-modified: Fri, 04 Oct 2024 11:17:20 GMT
etag: "66ffcec0-8"
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-ua-compatible: IE=Edge
accept-ranges: bytes
"challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14276984633/B5KBvQ",
      "status": "invalid",
      "validated": "2024-10-04T18:15:23Z",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "185.12.95.219: Fetching https://vmasshtabe.ru/.well-known/acme-challenge/_2aJH8V8Qz3mTvzXRINo0-SGgRKzakl74nRmJeDt5zo: Redirect loop detected",
        "status": 400
      },
      "token": "_2aJH8V8Qz3mTvzXRINo0-SGgRKzakl74nRmJeDt5zo",
      "validationRecord": [
        {
          "url": "http://vmasshtabe.ru/.well-known/acme-challenge/_2aJH8V8Qz3mTvzXRINo0-SGgRKzakl74nRmJeDt5zo",
          "hostname": "vmasshtabe.ru",
          "port": "80",
          "addressesResolved": [
            "185.12.95.219",
            "2a03:80c0:1:dea::"
          ],
          "addressUsed": "2a03:80c0:1:dea::"
        },
        {
          "url": "https://vmasshtabe.ru/.well-known/acme-challenge/_2aJH8V8Qz3mTvzXRINo0-SGgRKzakl74nRmJeDt5zo",
          "hostname": "vmasshtabe.ru",
          "port": "443",
          "addressesResolved": [
            "185.12.95.219",
            "2a03:80c0:1:dea::"
          ],
          "addressUsed": "2a03:80c0:1:dea::"
        },
        {
          "url": "http://vmasshtabe.ru/.well-known/acme-challenge/_2aJH8V8Qz3mTvzXRINo0-SGgRKzakl74nRmJeDt5zo",
          "hostname": "vmasshtabe.ru",
          "port": "80",
          "addressesResolved": [
            "185.12.95.219",
            "2a03:80c0:1:dea::"
          ],
          "addressUsed": "185.12.95.219"
        }
      ]

Tell me where to look for the problem?

It looks like a firewall device doing that. But the first thing I would fix is your DNS entries.

You have both A and AAAA records but you only listen for IPv4 (A) in your nginx. I also think your AAAA is incorrect. You should correct its value and update your nginx to listen on ipv6 too. Or, just remove the AAAA record if you do not support IPv6.

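The two posts above describe the mechanism behind the error: the validator resolves both A and AAAA records, tries the IPv6 address first, follows the port-80 redirect, and reports "Redirect loop detected" when the chain returns to a URL it has already fetched. The following simulation is an added example and is not Let's Encrypt (Boulder) code or anything from the original post. It uses the hostname, addresses and token from the thread but the mock server responses, the key-authorization value and the redirect limit are constructed assumptions; in particular the IPv4 fallback is simplified to "retry the same URL on the next address after a connection failure", which is the documented Let's Encrypt behaviour in outline but not necessarily the exact sequence the thread's validationRecord shows.

```python
"""Simulated ACME HTTP-01 fetch: IPv6-first address choice, redirect following
and redirect-loop detection.  Added illustration, not Let's Encrypt/Boulder code
and not from the original post; the mock responses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Callable, List, Optional

HOST = "vmasshtabe.ru"
V4, V6 = "185.12.95.219", "2a03:80c0:1:dea::"           # addresses from the thread
TOKEN = "_2aJH8V8Qz3mTvzXRINo0-SGgRKzakl74nRmJeDt5zo"    # token from the thread
KEY_AUTHZ = TOKEN + ".hypothetical-account-key-thumbprint"  # constructed value
MAX_REDIRECTS = 10  # assumed limit; the real validator's limit is not on the page


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""


class ConnectionFailed(Exception):
    """Nothing answered on that address/port (e.g. no [::]:443 listener)."""


@dataclass
class Record:
    url: str
    address: str
    status: Optional[int]  # None = connection failed on this address


@dataclass
class Result:
    ok: bool
    error: str = ""
    records: List[Record] = field(default_factory=list)


def order_addresses(addresses: List[str]) -> List[str]:
    """Let's Encrypt prefers IPv6 when an AAAA record exists and falls back
    to IPv4 on a connection failure, so try v6 first, then v4."""
    v6 = [a for a in addresses if ip_address(a).version == 6]
    v4 = [a for a in addresses if ip_address(a).version == 4]
    return v6 + v4


def validate_http01(addresses: List[str],
                    fetch: Callable[[str, str], Response]) -> Result:
    """Fetch the challenge URL, follow redirects, stop on a repeated URL."""
    url = f"http://{HOST}/.well-known/acme-challenge/{TOKEN}"
    seen, records = set(), []
    for _ in range(MAX_REDIRECTS + 1):
        if url in seen:  # same URL twice in one chain: a loop, not progress
            return Result(False, f"Fetching {url}: Redirect loop detected", records)
        seen.add(url)
        resp = None
        for addr in order_addresses(addresses):
            try:
                resp = fetch(url, addr)
            except ConnectionFailed:
                records.append(Record(url, addr, None))
                continue  # fall back to the next address for the same URL
            records.append(Record(url, addr, resp.status))
            break
        if resp is None:
            return Result(False, f"Fetching {url}: no address answered", records)
        if resp.status in (301, 302, 307, 308) and resp.location:
            url = resp.location
            continue
        if resp.status == 200 and resp.body.strip() == KEY_AUTHZ:
            return Result(True, "", records)
        return Result(False, f"Fetching {url}: unexpected status {resp.status}", records)
    return Result(False, "Too many redirects", records)


def make_fetcher(ipv6_https: Optional[Response]) -> Callable[[str, str], Response]:
    """Constructed mock of the thread's server: port 80 always redirects to
    https (the posted nginx block); IPv4 https serves the token; IPv6 https
    behaves as given (None = nothing listening on [::]:443)."""
    https_url = f"https://{HOST}/.well-known/acme-challenge/{TOKEN}"

    def fetch(url: str, addr: str) -> Response:
        if url.startswith("http://"):
            return Response(301, location=https_url)
        if ip_address(addr).version == 4:
            return Response(200, body=KEY_AUTHZ + "\n")
        if ipv6_https is None:
            raise ConnectionFailed(f"{addr}:443")
        return ipv6_https

    return fetch


if __name__ == "__main__":
    # AAAA points at something whose https vhost bounces back to http: loop.
    bounce = Response(301, location=f"http://{HOST}/.well-known/acme-challenge/{TOKEN}")
    for label, addrs, fetcher in [
        ("A+AAAA, IPv6 https redirects to http", [V4, V6], make_fetcher(bounce)),
        ("A only, same server", [V4], make_fetcher(bounce)),
        ("A+AAAA, no [::]:443 listener", [V4, V6], make_fetcher(None)),
    ]:
        r = validate_http01(addrs, fetcher)
        print(label, "->", "valid" if r.ok else r.error)
        for rec in r.records:
            print("   ", rec.address, rec.url, rec.status)
```

Under this model the loop appears only when the IPv6 https endpoint answers with a redirect back to http; a host with no [::]:443 listener at all makes the validator fall back to IPv4 and succeed. That is why removing the AAAA record, or making the IPv6 listeners behave exactly like the IPv4 ones, both clear the error, and why checking `curl -6` and `curl -4` against the challenge path separately is the quickest way to see which family misbehaves.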

Hi @ws256, and welcome to the LE community forum :slight_smile:

What does the HTTPS vhost look like?

{
  "identifier": {
    "type": "dns",
    "value": "vmasshtabe.ru"
  },
  "status": "valid",
  "expires": "2024-11-04T09:01:06Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14285894423/CNrqRA",
      "status": "valid",
      "validated": "2024-10-05T09:01:02Z",
      "token": "ipCcfqTrMXGjySy1AQG4DKYUTqSOJjQj2WpTAGAjbuU",
      "validationRecord": [
        {
          "url": "http://vmasshtabe.ru/.well-known/acme-challenge/ipCcfqTrMXGjySy1AQG4DKYUTqSOJjQj2WpTAGAjbuU",
          "hostname": "vmasshtabe.ru",
          "port": "80",
          "addressesResolved": [
            "185.12.95.219",
            "2a03:80c0:1:dea::"
          ],
          "addressUsed": "2a03:80c0:1:dea::"
        },
        {
          "url": "http://vmasshtabe.ru/.well-known/acme-challenge/ipCcfqTrMXGjySy1AQG4DKYUTqSOJjQj2WpTAGAjbuU",
          "hostname": "vmasshtabe.ru",
          "port": "80",
          "addressesResolved": [
            "185.12.95.219",
            "2a03:80c0:1:dea::"
          ],
          "addressUsed": "185.12.95.219"
        }
      ]
    }
  ]
}
{
  "identifier": {
    "type": "dns",
    "value": "vmasshtabe.ru"
  },
  "status": "deactivated",
  "expires": "2024-11-04T09:01:06Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14285894423/CNrqRA",
      "status": "valid",
      "validated": "2024-10-05T09:01:02Z",
      "token": "ipCcfqTrMXGjySy1AQG4DKYUTqSOJjQj2WpTAGAjbuU",
      "validationRecord": [
        {
          "url": "http://vmasshtabe.ru/.well-known/acme-challenge/ipCcfqTrMXGjySy1AQG4DKYUTqSOJjQj2WpTAGAjbuU",
          "hostname": "vmasshtabe.ru",
          "port": "80",
          "addressesResolved": [
            "185.12.95.219",
            "2a03:80c0:1:dea::"
          ],
          "addressUsed": "2a03:80c0:1:dea::"
        },
        {
          "url": "http://vmasshtabe.ru/.well-known/acme-challenge/ipCcfqTrMXGjySy1AQG4DKYUTqSOJjQj2WpTAGAjbuU",
          "hostname": "vmasshtabe.ru",
          "port": "80",
          "addressesResolved": [
            "185.12.95.219",
            "2a03:80c0:1:dea::"
          ],
          "addressUsed": "185.12.95.219"
        }
      ]
    }
  ]
}
IMPORTANT NOTES:
 - The dry run was successful.

Based on the log, it tries to contact via IPv6.
Maybe @mikemcq is right.

In the nginx rules I did not configure the reception of 443 for IPv6. I also did not configure iptables for IPv6.

First, I will try to remove IPv6 from DNS.
If the problem is solved, then it will be necessary to correctly configure nginx.

The problem appeared after updating the nginx configuration for a different stack, so most likely the problem is IPv6.


Removed IPv6 from DNS; everything started working.
It's clear what to do next.
Thanks everyone.

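Dropping the AAAA record is a workaround; the "next step" the poster refers to is to make nginx answer identically on both address families. The configuration below is an added example, not the poster's config and not from Let's Encrypt: it serves the ACME challenge path directly on port 80 (for both IPv4 and IPv6) so validation never depends on the redirect or on the 443 vhost, and it adds the `[::]:443` listener that was missing. The certificate paths are the ones certbot uses by default and are assumed; adjust `root` to whatever `-w` is pointed at.

```nginx
# Added example (not the poster's configuration).
server {
    listen 80;
    listen [::]:80;
    server_name vmasshtabe.ru;

    # Answer ACME HTTP-01 challenges here, on port 80, with no redirect:
    # certbot -w /var/www/vmasshtabe.ru/web writes the token to
    # <root>/.well-known/acme-challenge/<token>, so the validator gets a 200
    # on its first hop and can never be sent around a loop.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/vmasshtabe.ru/web;
        default_type text/plain;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;   # the IPv6 listener that was absent in the thread
    server_name vmasshtabe.ru;

    # Assumed default certbot paths.
    ssl_certificate     /etc/letsencrypt/live/vmasshtabe.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vmasshtabe.ru/privkey.pem;

    root /var/www/vmasshtabe.ru/web;
    index index.html index.htm;
}
```

With this in place, run `nginx -t`, reload, and check both families before re-adding the AAAA record: `curl -4 -I http://vmasshtabe.ru/.well-known/acme-challenge/test` and `curl -6 -I http://vmasshtabe.ru/.well-known/acme-challenge/test` should both return 200 (or 404 for a file that does not exist), not a 301. The poster also mentioned that ip6tables was never configured, so ports 80 and 443 need to be open for IPv6 as well, otherwise the validator's IPv6 attempt fails at the connection level before nginx is ever reached.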
