I am experiencing the following issues with certificate renewal for my domain, can you provide a solution?
First of all, I'm using Ubuntu 12.02, and I'm using certbot-auto (certbot 1.4.0), so the version itself is very outdated, but I'm not in a position to do an OS update, I need to fix the certificate renewal issue at this point.
I'm getting a 'redirect loop detected' error, and I'd be grateful if you could help me figure out what the problem is, what to check, and how to fix it.
Below is our current domain, the command we used to renew the certificate, and the error log we got.
My domain is: mics.snu.ac.kr
I ran this command:
certbot-auto renew --no-self-upgrade
It produced this output:
Waiting for verification...
Challenge failed for domain mics.snu.ac.kr
http-01 challenge for mics.snu.ac.kr
Cleaning up challenges
Attempting to renew cert (mics.snu.ac.kr) from /etc/letsencrypt/renewal/mics.snu.ac.kr.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mics.snu.ac.kr/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mics.snu.ac.kr/fullchain.pem (failure)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version): Apache/2.2.22 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 12.04
I think we went through this with you before. There is some sort of firewall redirecting the first request but adding a sequence number. If you follow that sequence number redirect you get redirected back to the original. Let's Encrypt treats this as a loop even though if you continue to follow these you will get to the right place.
Below is a thread for band.snu.ac.kr. That is a very similar name to the one you reported in this thread.
You need to work with your hosting company or security (firewall) provider about this. Or, you may need to switch to using a DNS Challenge or even a different Certificate Authority (not Let's Encrypt).
And, yes, your system is very old with known security holes. It isn't affecting this particular problem but your system is vulnerable.
Here are the same kind of replies from your server. Note the first two redirects do not have a "Server" header. This usually means it is some kind of firewall or security device.
curl -i http://mics.snu.ac.kr
HTTP/1.0 302 Found
Location: http://mics.snu.ac.kr/00515932259/
curl -i http://mics.snu.ac.kr/00515932259/
HTTP/1.0 302 Found
Location: http://mics.snu.ac.kr/
curl -i http://mics.snu.ac.kr/
HTTP/1.1 301 Moved Permanently
Server: Apache/2.2.22 (Ubuntu)
Location: https://mics.snu.ac.kr/
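Added example (not part of this thread, and not code from certbot or Let's Encrypt): an offline Python model of the redirect chain shown in the curl output above, with the two behaviours this reply describes, namely a loop check that gives up as soon as a redirect points back to a URL already visited, and a report of which hops lack a Server header. The names SeqRedirectFront, apache_origin, follow, SEQ and TOKEN are constructed for the example; the assumptions that the device in front of Apache remembers client addresses and sends the client back to the original URL (rather than to /) are taken from the description in this thread and have not been verified against the real device.

```python
"""Offline model of the redirect chain seen on mics.snu.ac.kr.

Constructed for illustration from the curl -i output in the thread; it
does not contact any server. SEQ is the number seen in that output,
TOKEN is a placeholder http-01 token.
"""
from urllib.parse import urljoin, urlparse

SEQ = "00515932259"                      # sequence number from the curl output
TOKEN = "EXAMPLE_TOKEN"                  # placeholder ACME http-01 token
APACHE = "Apache/2.2.22 (Ubuntu)"        # Server header Apache sends
CHALLENGE_PATH = f"/.well-known/acme-challenge/{TOKEN}"
CHALLENGE_URL = f"http://mics.snu.ac.kr{CHALLENGE_PATH}"


def apache_origin(url):
    """Model of the Apache vhost: 301 http->https, then serve the token file."""
    u = urlparse(url)
    if u.scheme == "http":
        return 301, {"Server": APACHE, "Location": f"https://{u.netloc}{u.path}"}, ""
    if u.path == CHALLENGE_PATH:
        return 200, {"Server": APACHE}, "KEYAUTHZ"   # constructed key authorization
    return 404, {"Server": APACHE}, ""


class SeqRedirectFront:
    """Assumed behaviour of the device in front of Apache.

    A client it has not seen before gets 302 -> /<SEQ>/ (no Server header);
    /<SEQ>/ then 302s back to the URL that client originally asked for; after
    that the client's requests are passed through to Apache.
    """

    def __init__(self, origin):
        self.origin = origin
        self.seen = set()      # client addresses that already went through the dance
        self.pending = {}      # client -> original URL to send it back to

    def get(self, client, url):
        if client in self.pending and urlparse(url).path == f"/{SEQ}/":
            return 302, {"Location": self.pending.pop(client)}, ""
        if client not in self.seen:
            self.seen.add(client)
            self.pending[client] = url
            return 302, {"Location": urljoin(url, f"/{SEQ}/")}, ""
        return self.origin(url)


def follow(front, client, url, max_redirects=10):
    """Follow redirects the way a cautious validator does: stop on a loop."""
    visited = [url]
    hops = []
    while True:
        status, headers, body = front.get(client, url)
        hops.append({"url": url, "status": status, "server": headers.get("Server")})
        if status not in (301, 302):
            outcome = "ok" if status == 200 else f"http {status}"
            return {"outcome": outcome, "hops": hops, "body": body}
        nxt = urljoin(url, headers["Location"])
        if nxt in visited:
            return {"outcome": "redirect loop detected", "hops": hops, "body": ""}
        if len(hops) >= max_redirects:
            return {"outcome": "too many redirects", "hops": hops, "body": ""}
        visited.append(nxt)
        url = nxt


def hops_without_server_header(hops):
    """URLs answered without a Server header: the fingerprint of the front device."""
    return [h["url"] for h in hops if h["server"] is None]


if __name__ == "__main__":
    front = SeqRedirectFront(apache_origin)
    for attempt in (1, 2):                      # same validator address twice
        result = follow(front, "validator-1", CHALLENGE_URL)
        print(f"attempt {attempt}: {result['outcome']}")
        for h in result["hops"]:
            print(f"  {h['status']} {h['url']}  Server={h['server']}")
        print("  hops without Server header:", hops_without_server_header(result["hops"]))
```

In this model the first attempt from a fresh address ends in "redirect loop detected" after two hops, both without a Server header, while a second attempt from the same address goes straight to Apache and reaches the token file. When checking a real host, the hops in a `curl -i` trace that carry no Server header are the ones to take to whoever runs the firewall or security appliance, since that is where the extra redirect is inserted.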
Thank you for your kind reply.
Currently, our servers are managed by us, and we're pretty much non-technical people who have never studied servers.
That's why I didn't quite understand your answer, but am I correct in saying that the redirection is being caused by some sort of firewall or security device setting?
If that's correct, I would like to fix this by modifying the firewall settings and would really appreciate some guidance on how to do that.
I wish I had more details. We have seen this pattern of problem before but no one has described how they corrected it.
You might just try re-running the renew command. The problem redirect is only issued for new IP addresses connecting to your server. Repeating the renew might get lucky and use the same Let's Encrypt Auth server as last time. Then that redirect won't be made and the renew should work. I explained this in that earlier thread for your domain.
If you can't find someone to locate the source of that redirect you should look into the DNS Challenge or use a different Certificate Authority. Perhaps get expert help on upgrading your server and have them fix these problems at the same time.
Thank you for your help!
I resolved my certificate renewal error by switching from HTTP-01 to DNS-01 validation. The HTTP-01 method kept failing (still does not work...), so I switched to DNS-01. This method worked flawlessly and resolved the renewal issue.
Thank you again!