Request for certificate of a new domain name failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
Old: www.bio-creative.cloud (succeeded in getting the certificate). New: www.bio-marker.info (failed to request a certificate for this domain).
I ran this command:
Prior to making the request I ran a test:
acme.sh --issue --server letsencrypt --test -d www.bio-marker.info -w /mydirectory/html --keylength ec-256

and made an official request:
acme.sh --issue -d www.bio-marker.info -w /mydirectory/html --keylength ec-256 --force

It produced this output:
[Tue Oct 18 06:00:08 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Oct 18 06:00:08 UTC 2022] Single domain='www.bio-marker.info'
[Tue Oct 18 06:00:08 UTC 2022] Getting domain auth token for each domain
[Tue Oct 18 06:00:09 UTC 2022] Getting webroot for domain='www.bio-marker.info'
[Tue Oct 18 06:00:09 UTC 2022] Verifying: www.bio-marker.info
[Tue Oct 18 06:00:09 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
[Tue Oct 18 06:00:13 UTC 2022] www.bio-marker.info:Verify error:149.28.64.67: Fetching https://www.bio-marker.info/.well-known/acme-challenge/d2aljjYbHkqi5x64lvMOMEcdpbsRdTXN2oyQixIw658: Redirect loop detected
[Tue Oct 18 06:00:13 UTC 2022] Please add '--debug' or '--log' to check more details.
[Tue Oct 18 06:00:13 UTC 2022] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub
[Tue Oct 18 06:02:16 UTC 2022] _CURL='curl --silent --dump-header /mydirectory/.acme.sh/http.header -L -g --connect-timeout 1'
[Tue Oct 18 06:02:16 UTC 2022] Please refer to libcurl - Error Codes for error code: 51
[Tue Oct 18 06:02:16 UTC 2022] ret='51'
[Tue Oct 18 06:02:16 UTC 2022] Debugging, skip removing: /mydirectory/html/.well-known/acme-challenge/VaIu2vTNp6alBBOlsLhJdRF1dSV7Z4usA2tE-6MJjUw
[Tue Oct 18 06:02:16 UTC 2022] pid
[Tue Oct 18 06:02:16 UTC 2022] No need to restore nginx, skip.
[Tue Oct 18 06:02:16 UTC 2022] _clearupdns
[Tue Oct 18 06:02:16 UTC 2022] dns_entries
[Tue Oct 18 06:02:16 UTC 2022] skip dns.
[Tue Oct 18 06:02:16 UTC 2022] _on_issue_err
[Tue Oct 18 06:02:16 UTC 2022] Please add '--debug' or '--log' to check more details.
[Tue Oct 18 06:02:16 UTC 2022] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub
[Tue Oct 18 06:02:16 UTC 2022] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/165846074766/IcG5MQ'
[Tue Oct 18 06:02:16 UTC 2022] payload='{}'
[Tue Oct 18 06:02:16 UTC 2022] POST
[Tue Oct 18 06:02:16 UTC 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/165846074766/IcG5MQ'
[Tue Oct 18 06:02:16 UTC 2022] _CURL='curl --silent --dump-header /mydirectory/.acme.sh/http.header -L -g '
[Tue Oct 18 06:02:17 UTC 2022] _ret='0'
[Tue Oct 18 06:02:17 UTC 2022] code='400'
[Tue Oct 18 06:02:17 UTC 2022] socat doesn't exist.

My web server is (include version):
nginx/1.14.X
The operating system my web server runs on is (include version):
Ubuntu 18.X
My hosting provider, if applicable, is:
not applicable; a VM instance
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I am using acme.sh instead

Hello everyone,
My old domain URL was blocked or filtered by our country's firewall. The old domain "bio-creative.cloud" previously worked great with the provided LE certificate. When I noticed that the domain was blocked from our end, I just changed the directory containing the web pages to a different one and afterwards ordered a new domain name and renewed the IP address for this web server accordingly.
But when I attempted to make a completely new request for a certificate using acme.sh, the same way I did for my old domain bio-creative.cloud, it produced the error output you can see above. I previously guessed it was a matter of the existing old domain name, which led me to completely remove the old domain name using the commands acme.sh revoke & remove; but doing so doesn't help at all. Could you kindly help with this issue?

Thanks a lot.

Welcome to the community @SamZhao

A couple things first:
You show using --test and then proceeding to production. Did the --test work? Because if it failed, there is no point in trying production.

You use --force but this will not help and can sometimes create worse problems with rate limits. This option does not ignore problems getting a cert.

With that said, I understand what can cause the "redirect loop detected" error, but I no longer see your server doing that. You currently redirect the HTTP challenge request to HTTPS, but the HTTPS connection fails. You either need to fix your HTTPS request or process the HTTP challenge in your nginx http server block (the one for port 80).

The Let's Debug test site is often helpful when setting up new sites.

Thanks Mike for providing the direction. I'll check that later. Then it has nothing to do with the old domain name, which I made obsolete.

Once your new name is working you can remove the old name from nginx and delete the cert from acme.sh.

But, connections using your old name work. The only problem is someone revoked your certificate with a reason saying "keyCompromise". I don't see any reason why you could not get a new cert with a fresh key using that old name. Or, get a new cert for your new name - whichever you prefer.

See a site like this SSL Checker

Hi Mike. I made it work following your suggestion. The reason why it did not work was that I forgot to set the listen port to "80" in the server block (nginx).
Thanks ; )

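To make the fix concrete, here is an added nginx example (not configuration posted by anyone in this thread) showing the two server blocks the diagnosis above calls for: a port-80 block that answers the HTTP-01 challenge itself and redirects everything else, and a port-443 block that only matters once the certificate exists. The hostname and webroot are the ones from the thread; the certificate file paths and the acme.sh --install-cert step that would place them there are assumptions.

```nginx
# Added example. Hostname and webroot (-w) are the ones from the thread;
# certificate paths are assumptions for illustration.

# Port 80. Without "listen 80" nginx never answers the validator's plain-HTTP
# request at all. With a blanket redirect on every path, the validator is sent
# to HTTPS, which cannot work until a certificate is installed (the thread's
# "Redirect loop detected" and curl error 51). Serving the challenge path here
# keeps validation independent of the TLS side.
server {
    listen 80;
    listen [::]:80;
    server_name www.bio-marker.info;

    # Serve the challenge files acme.sh writes under the -w webroot.
    # "^~" prevents any regex location from taking precedence.
    location ^~ /.well-known/acme-challenge/ {
        root /mydirectory/html;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443. Assumed paths: where acme.sh --install-cert was told to copy the
# key and full chain. Until those files exist, this block can be left out.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.bio-marker.info;

    ssl_certificate     /etc/nginx/ssl/www.bio-marker.info.fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/www.bio-marker.info.key;

    root /mydirectory/html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Before issuing, run nginx -t and reload, then put a test file in /mydirectory/html/.well-known/acme-challenge/ and fetch it with curl -I over plain http://; a 200 means the port-80 block is answering, while a 301 to https:// means the challenge path is still being redirected and the issue attempt will fail the same way.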