SSL certificate issue caused by a redirect loop in Flask

Hi, I have created a Flask app on Ubuntu 22.04.2 LTS, hosted on-premise, and it works fine over HTTP. I am trying to set up SSL with Let's Encrypt, but I am getting a "Redirect loop detected" error. I tried to fix this in various ways, but nothing worked, so I'm asking the community for help.

SSL certificate error

root@gislbs-desktop:/home/gislbs# snap install --classic certbot
certbot 2.6.0 from Certbot Project (certbot-eff✓) installed
root@gislbs-desktop:/home/gislbs# ln -s /snap/bin/certbot /usr/bin/certbot
root@gislbs-desktop:/home/gislbs# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: api.skie.fun
2: www.api.skie.fun
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for api.skie.fun and www.api.skie.fun

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: api.skie.fun
  Type:   connection
  Detail: 147.46.35.182: Fetching http://api.skie.fun/.well-known/acme-challenge/-0KI7puEoBk7ZCCrncxEPZ6dnmTYVYab_MT8pMOJz3Q: Redirect loop detected

  Domain: www.api.skie.fun
  Type:   connection
  Detail: 147.46.35.182: Fetching http://www.api.skie.fun/.well-known/acme-challenge/vdJmNOIltRcC3oThZzSl4T4_aGNoDtHSKQKTrWt6KK4: Redirect loop detected

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Firewall status

root@gislbs-desktop:/home/gislbs# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
7687                       ALLOW       Anywhere
7687/tcp                   ALLOW       147.46.35.182
7687/tcp                   ALLOW       147.46.35.0/24
7474                       ALLOW       Anywhere
7473                       ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
7687 (v6)                  ALLOW       Anywhere (v6)
7474 (v6)                  ALLOW       Anywhere (v6)
7473 (v6)                  ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

NGINX configuration

root@gislbs-desktop:/etc/nginx/sites-available# nano ./flaskProject
server {
    listen 80;
    server_name api.skie.fun www.api.skie.fun;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html;
        allow all;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/skie/PycharmProjects/flaskProject/flaskProject.sock;
        add_header Content-Security-Policy "default-src 'none'; script-src 'none'; object-src 'self'; frame-ancestors 'self';";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
    }

}

error log

root@gislbs-desktop:/etc/nginx/sites-available# less /var/log/letsencrypt/letsencrypt.log
2023-07-28 13:24:07,647:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2023-07-28 13:24:07,789:DEBUG:certbot._internal.main:certbot version: 2.6.0
2023-07-28 13:24:07,789:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/3024/bin/certbot
2023-07-28 13:24:07,789:DEBUG:certbot._internal.main:Arguments: ['--nginx', '--preconfigured-renewal']
2023-07-28 13:24:07,789:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-07-28 13:24:07,794:DEBUG:certbot._internal.log:Root logging level set at 30
2023-07-28 13:24:07,794:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2023-07-28 13:24:07,851:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f93a52faf40>
Prep: True
2023-07-28 13:24:07,852:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f93a52faf40> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f93a52faf40>
2023-07-28 13:24:07,852:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2023-07-28 13:24:07,880:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1168463257', new_authzr_uri=None, terms_of_service=None), 4fbc88a307d4c1d95eaa2d13072e2be3, Meta(creation_dt=datetime.datetime(2023, 6, 22, 5, 38, 10, tzinfo=<UTC>), creation_host='gislbs-desktop', register_to_eff='cityandinfo.slide@gmail.com'))>
2023-07-28 13:24:07,881:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-07-28 13:24:07,882:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-07-28 13:24:08,430:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 752
2023-07-28 13:24:08,430:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 28 Jul 2023 04:24:08 GMT
Content-Type: application/json
Content-Length: 752
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "dtdpkdqQd_8": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-07-28 13:24:09,634:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for api.skie.fun and www.api.skie.fun
2023-07-28 13:24:09,638:DEBUG:acme.client:Requesting fresh nonce
2023-07-28 13:24:09,638:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2023-07-28 13:24:09,821:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-07-28 13:24:09,821:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 28 Jul 2023 04:24:09 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: C400INKTcz5YIQmKF8qZlWlaCovou4swXjI5JCUWhPUCb4A
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2023-07-28 13:24:09,821:DEBUG:acme.client:Storing nonce: C400INKTcz5YIQmKF8qZlWlaCovou4swXjI5JCUWhPUCb4A
2023-07-28 13:24:09,821:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "api.skie.fun"\n    },\n    {\n      "type": "dns",\n      "value": "www.api.skie.fun"\n    }\n  ]\n}'
2023-07-28 13:24:09,823:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2023-07-28 13:24:10,027:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 477
2023-07-28 13:24:10,027:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Fri, 28 Jul 2023 04:24:09 GMT
Content-Type: application/json
Content-Length: 477
Connection: keep-alive
Boulder-Requester: 1168463257
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/1168463257/197788302286
Replay-Nonce: F70E9Iir20M5K-ijeOlGY16TUXJKV5fX1LiVOynUhwKk3XQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2023-08-04T04:24:09Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "api.skie.fun"
    },
    {
      "type": "dns",
      "value": "www.api.skie.fun"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/249652234476",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/249652234486"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1168463257/197788302286"
}
2023-07-28 13:24:10,028:DEBUG:acme.client:Storing nonce: F70E9Iir20M5K-ijeOlGY16TUXJKV5fX1LiVOynUhwKk3XQ
2023-07-28 13:24:10,028:DEBUG:acme.client:JWS payload:
b''
2023-07-28 13:24:10,028:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/249652234476:
2023-07-28 13:24:10,217:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/249652234476 HTTP/1.1" 200 796
2023-07-28 13:24:10,218:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 28 Jul 2023 04:24:10 GMT
Content-Type: application/json
Content-Length: 796
Connection: keep-alive
Boulder-Requester: 1168463257
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: C400YFKL8LXTvkKmD-4608RJ7P5r3sC-qNO9UUhCQGgu-_E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "api.skie.fun"
  },
  "status": "pending",
  "expires": "2023-08-04T04:24:09Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/249652234476/PMGaCw",
      "token": "-0KI7puEoBk7ZCCrncxEPZ6dnmTYVYab_MT8pMOJz3Q"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/249652234476/IePfxA",
      "token": "-0KI7puEoBk7ZCCrncxEPZ6dnmTYVYab_MT8pMOJz3Q"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/249652234476/pT8xrA",
      "token": "-0KI7puEoBk7ZCCrncxEPZ6dnmTYVYab_MT8pMOJz3Q"
    }
  ]
}
2023-07-28 13:24:10,218:DEBUG:acme.client:Storing nonce: C400YFKL8LXTvkKmD-4608RJ7P5r3sC-qNO9UUhCQGgu-_E
2023-07-28 13:24:10,218:DEBUG:acme.client:JWS payload:
b''
2023-07-28 13:24:10,219:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/249652234486:
2023-07-28 13:24:10,404:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/249652234486 HTTP/1.1" 200 800
2023-07-28 13:24:10,405:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 28 Jul 2023 04:24:10 GMT
Content-Type: application/json
Content-Length: 800
Connection: keep-alive
Boulder-Requester: 1168463257
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: F70EV-N4ggdmcoxM77opUHOPNoTaO8Uuln0exhH7ta4HGTo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.api.skie.fun"
  },
  "status": "pending",
  "expires": "2023-08-04T04:24:09Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/249652234486/2bpNWw",
      "token": "vdJmNOIltRcC3oThZzSl4T4_aGNoDtHSKQKTrWt6KK4"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/249652234486/9Lr79A",
      "token": "vdJmNOIltRcC3oThZzSl4T4_aGNoDtHSKQKTrWt6KK4"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/249652234486/XAB_PQ",
      "token": "vdJmNOIltRcC3oThZzSl4T4_aGNoDtHSKQKTrWt6KK4"
    }
  ]
}
2023-07-28 13:24:10,405:DEBUG:acme.client:Storing nonce: F70EV-N4ggdmcoxM77opUHOPNoTaO8Uuln0exhH7ta4HGTo
2023-07-28 13:24:10,405:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-07-28 13:24:10,405:INFO:certbot._internal.auth_handler:http-01 challenge for api.skie.fun
2023-07-28 13:24:10,405:INFO:certbot._internal.auth_handler:http-01 challenge for www.api.skie.fun
2023-07-28 13:24:10,410:DEBUG:certbot_nginx._internal.http_01:Generated server block:
[]
2023-07-28 13:24:10,411:DEBUG:certbot.reverter:Creating backup of /etc/nginx/sites-enabled/flaskProject
2023-07-28 13:24:10,411:DEBUG:certbot.reverter:Creating backup of /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf
2023-07-28 13:24:10,411:DEBUG:certbot.reverter:Creating backup of /etc/nginx/modules-enabled/50-mod-http-geoip2.conf
2023-07-28 13:24:10,411:DEBUG:certbot.reverter:Creating backup of /etc/nginx/modules-enabled/50-mod-mail.conf
2023-07-28 13:24:10,411:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2023-07-28 13:24:10,411:DEBUG:certbot.reverter:Creating backup of /etc/nginx/modules-enabled/50-mod-stream.conf
2023-07-28 13:24:10,411:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2023-07-28 13:24:10,411:DEBUG:certbot.reverter:Creating backup of /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf
2023-07-28 13:24:10,411:DEBUG:certbot.reverter:Creating backup of /etc/nginx/modules-enabled/50-mod-http-image-filter.conf
2023-07-28 13:24:10,412:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
load_module modules/ngx_http_headers_more_filter_module.so;

events {
        worker_connections 768;
        # multi_accept on;
}

http {
server_names_hash_bucket_size 128;
include /etc/letsencrypt/le_http_01_cert_challenge.conf;

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        server_tokens off;
        more_set_headers 'Server: ';

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

2023-07-28 13:24:10,412:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/flaskProject:
server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot

rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


    listen 80;
    server_name api.skie.fun www.api.skie.fun;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html;
        allow all;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/skie/PycharmProjects/flaskProject/flaskProject.sock;
        add_header Content-Security-Policy "default-src 'none'; script-src 'none'; object-src 'self'; frame-ancestors 'self';";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
location = /.well-known/acme-challenge/-0KI7puEoBk7ZCCrncxEPZ6dnmTYVYab_MT8pMOJz3Q{default_type text/plain;return 200 -0KI7puEoBk7ZCCrncxEPZ6dnmTYVYab_MT8pMOJz3Q.V3qSzmsyEAd0jtBHPujvw6p8462eppm-6weXN2LEr3A;} # managed by Certbot

location = /.well-known/acme-challenge/vdJmNOIltRcC3oThZzSl4T4_aGNoDtHSKQKTrWt6KK4{default_type text/plain;return 200 vdJmNOIltRcC3oThZzSl4T4_aGNoDtHSKQKTrWt6KK4.V3qSzmsyEAd0jtBHPujvw6p8462eppm-6weXN2LEr3A;} # managed by Certbot

}

2023-07-28 13:24:11,421:DEBUG:acme.client:JWS payload:
b'{}'
2023-07-28 13:24:11,426:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/249652234476/PMGaCw:
2023-07-28 13:24:11,628:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/249652234476/PMGaCw HTTP/1.1" 200 187
2023-07-28 13:24:11,629:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 28 Jul 2023 04:24:11 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 1168463257
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/249652234476>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/249652234476/PMGaCw
Replay-Nonce: C4001FNwn8RbsaKu7N45MGAfKLGFeS2FmpRlgVMPeTlm1k4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/249652234476/PMGaCw",
  "token": "-0KI7puEoBk7ZCCrncxEPZ6dnmTYVYab_MT8pMOJz3Q"
}
2023-07-28 13:24:11,630:DEBUG:acme.client:Storing nonce: C4001FNwn8RbsaKu7N45MGAfKLGFeS2FmpRlgVMPeTlm1k4
2023-07-28 13:24:11,631:DEBUG:acme.client:JWS payload:
b'{}'
2023-07-28 13:24:11,635:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/249652234486/2bpNWw:
2023-07-28 13:24:11,836:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/249652234486/2bpNWw HTTP/1.1" 200 187
2023-07-28 13:24:11,837:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 1168463257
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/249652234486>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/249652234486/2bpNWw
Replay-Nonce: F70E-7DQFuq3Lr6iQxDzt7V7TRsvaJ0LxpqGwCdXRBjmHd0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/249652234486/2bpNWw",
  "token": "vdJmNOIltRcC3oThZzSl4T4_aGNoDtHSKQKTrWt6KK4"
}
2023-07-28 13:24:11,837:DEBUG:acme.client:Storing nonce: F70E-7DQFuq3Lr6iQxDzt7V7TRsvaJ0LxpqGwCdXRBjmHd0
2023-07-28 13:24:11,838:INFO:certbot._internal.auth_handler:Waiting for verification...
2023-07-28 13:24:12,839:DEBUG:acme.client:JWS payload:
b''
2023-07-28 13:24:12,840:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/249652234476:
2023-07-28 13:24:13,024:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/249652234476 HTTP/1.1" 200 1342
2023-07-28 13:24:13,025:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 28 Jul 2023 04:24:12 GMT
Content-Type: application/json
Content-Length: 1342
Connection: keep-alive
Boulder-Requester: 1168463257
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: C4004Wj6GVBpiL_v-BHKCV6kTlv4yWXWUWuIuLfvuSZB3IE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "api.skie.fun"
  },
  "status": "invalid",
  "expires": "2023-08-04T04:24:09Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "147.46.35.182: Fetching http://api.skie.fun/.well-known/acme-challenge/-0KI7puEoBk7ZCCrncxEPZ6dnmTYVYab_MT8pMOJz3Q: Redirect loop detected",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/249652234476/PMGaCw",
      "token": "-0KI7puEoBk7ZCCrncxEPZ6dnmTYVYab_MT8pMOJz3Q",
      "validationRecord": [
        {
          "url": "http://api.skie.fun/.well-known/acme-challenge/-0KI7puEoBk7ZCCrncxEPZ6dnmTYVYab_MT8pMOJz3Q",
          "hostname": "api.skie.fun",
          "port": "80",
          "addressesResolved": [
            "147.46.35.182"
          ],
          "addressUsed": "147.46.35.182"
        },
        {
          "url": "http://api.skie.fun/004048710519/.well-known/acme-challenge/-0KI7puEoBk7ZCCrncxEPZ6dnmTYVYab_MT8pMOJz3Q",
          "hostname": "api.skie.fun",
          "port": "80",
          "addressesResolved": [
            "147.46.35.182"
          ],
          "addressUsed": "147.46.35.182"
        }
      ],
      "validated": "2023-07-28T04:24:11Z"
    }
  ]
}
2023-07-28 13:24:13,026:DEBUG:acme.client:Storing nonce: C4004Wj6GVBpiL_v-BHKCV6kTlv4yWXWUWuIuLfvuSZB3IE
2023-07-28 13:24:13,027:DEBUG:acme.client:JWS payload:
b''
2023-07-28 13:24:13,030:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/249652234486:
2023-07-28 13:24:13,217:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/249652234486 HTTP/1.1" 200 1366
2023-07-28 13:24:13,217:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 28 Jul 2023 04:24:13 GMT
Content-Type: application/json
Content-Length: 1366
Connection: keep-alive
Boulder-Requester: 1168463257
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: C400AlGu-RDQqhxJ9lzATel2Lt8lX_i9GmdYWLdPtheFwXU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.api.skie.fun"
  },
  "status": "invalid",
  "expires": "2023-08-04T04:24:09Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "147.46.35.182: Fetching http://www.api.skie.fun/.well-known/acme-challenge/vdJmNOIltRcC3oThZzSl4T4_aGNoDtHSKQKTrWt6KK4: Redirect loop detected",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/249652234486/2bpNWw",
      "token": "vdJmNOIltRcC3oThZzSl4T4_aGNoDtHSKQKTrWt6KK4",
      "validationRecord": [
        {
          "url": "http://www.api.skie.fun/.well-known/acme-challenge/vdJmNOIltRcC3oThZzSl4T4_aGNoDtHSKQKTrWt6KK4",
          "hostname": "www.api.skie.fun",
          "port": "80",
          "addressesResolved": [
            "147.46.35.182"
          ],
          "addressUsed": "147.46.35.182"
        },
        {
          "url": "http://www.api.skie.fun/004082264951/.well-known/acme-challenge/vdJmNOIltRcC3oThZzSl4T4_aGNoDtHSKQKTrWt6KK4",
          "hostname": "www.api.skie.fun",
          "port": "80",
          "addressesResolved": [
            "147.46.35.182"
          ],
          "addressUsed": "147.46.35.182"
        }
      ],
      "validated": "2023-07-28T04:24:11Z"
    }
  ]
}
2023-07-28 13:24:13,217:DEBUG:acme.client:Storing nonce: C400AlGu-RDQqhxJ9lzATel2Lt8lX_i9GmdYWLdPtheFwXU
2023-07-28 13:24:13,217:INFO:certbot._internal.auth_handler:Challenge failed for domain api.skie.fun
2023-07-28 13:24:13,217:INFO:certbot._internal.auth_handler:Challenge failed for domain www.api.skie.fun
2023-07-28 13:24:13,217:INFO:certbot._internal.auth_handler:http-01 challenge for api.skie.fun
2023-07-28 13:24:13,217:INFO:certbot._internal.auth_handler:http-01 challenge for www.api.skie.fun
2023-07-28 13:24:13,217:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: api.skie.fun
  Type:   connection
  Detail: 147.46.35.182: Fetching http://api.skie.fun/.well-known/acme-challenge/-0KI7puEoBk7ZCCrncxEPZ6dnmTYVYab_MT8pMOJz3Q: Redirect loop detected

  Domain: www.api.skie.fun
  Type:   connection
  Detail: 147.46.35.182: Fetching http://www.api.skie.fun/.well-known/acme-challenge/vdJmNOIltRcC3oThZzSl4T4_aGNoDtHSKQKTrWt6KK4: Redirect loop detected

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

2023-07-28 13:24:13,218:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-07-28 13:24:13,218:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-07-28 13:24:13,218:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-07-28 13:24:14,267:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/3024/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/main.py", line 1447, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-07-28 13:24:14,268:ERROR:certbot._internal.log:Some challenges have failed.

nginx configuration

root@gislbs-desktop:/etc/nginx/conf.d# nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
load_module modules/ngx_http_headers_more_filter_module.so;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        server_tokens off;
        more_set_headers 'Server: ';

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/flaskProject:
server {
    listen 80;
    server_name api.skie.fun www.api.skie.fun;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html;
        allow all;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/skie/PycharmProjects/flaskProject/flaskProject.sock;
        add_header Content-Security-Policy "default-src 'none'; script-src 'none'; object-src 'self'; frame-ancestors 'self';";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
    }

}

# configuration file /etc/nginx/proxy_params:
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

versions

  • Ubuntu : 22.04.2 LTS
  • nginx : 1.18.0(Ubuntu)
  • Python : 3.7.16
  • Flask : 2.2.5

Hmm, from a web browser I can't see the redirect loop; I will have to test with a spoofed UA.

2 Likes

Hi @GAIS, and welcome to the LE community forum :slight_smile:

Let's have a look at the whole nginx config, with:
nginx -T

2 Likes

Thanks for the reply, @rg305. I modified the text as you requested.

1 Like

Thanks for the reply, @orangepizza. How do I test with a spoofed UA?

1 Like

Is nginx running now?
[I'm unable to connect to it]

2 Likes

Yes, nginx is working fine. What domain are you connecting from? My domain is api.skie.fun.

root@gislbs-desktop:/etc/nginx/conf.d# systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2023-07-28 13:24:05 KST; 1h 24min ago
       Docs: man:nginx(8)
    Process: 399352 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 399353 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 399354 (nginx)
      Tasks: 9 (limit: 76967)
     Memory: 8.2M
        CPU: 60ms
     CGroup: /system.slice/nginx.service
             ├─399354 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
             ├─399451 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─399452 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─399453 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─399454 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─399455 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─399456 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─399457 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             └─399458 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""

 7월 28 13:24:05 gislbs-desktop systemd[1]: Starting A high performance web server and a reverse proxy server...
 7월 28 13:24:05 gislbs-desktop systemd[1]: Started A high performance web server and a reverse proxy server.

The problem is because of something on your system doing an odd redirect. Your system starts with a redirect to a new location and when following that it redirects back to the original. This is where Let's Encrypt fails because it looks like a loop. It isn't because your system processes the second request of the original, but, Let's Encrypt is preventing itself from falling into a loop.

I'm not sure what is doing this redirect or why it is needed. The 11-digit number changes depending on the requestor (maybe its IP?). And, while you will get 200 OK results after this first numeric redirect, if you wait a number of minutes (maybe 10?) you will again see the numeric redirect for a fresh request.

You can check this yourself using https://letsdebug.net. The first time I ran it I got the redirect failure. But, retrying right away, I got an All OK result. If you wait long enough you will again see the redirect failure.

curl -i -m7 http://api.skie.fun
HTTP/1.0 302 Found
Location: http://api.skie.fun/00913182028/

curl -i -m7 http://api.skie.fun/00913182028/
HTTP/1.0 302 Found
Location: http://api.skie.fun/

curl -i -m7 http://api.skie.fun/
HTTP/1.1 200 OK
Date: Fri, 28 Jul 2023 13:25:21 GMT
(other headers omitted, data follows)
<h1 style='color:blue'>Hello, This is Flask Back-End!</h1>
5 Likes
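The redirect pattern described in the post above, modelled as an added example (this is not code from the thread, from certbot, or from the Let's Encrypt validator). It builds a constructed stand-in for the gateway that sat in front of nginx, keyed per client the way the curl transcript suggests: the first request is bounced to the numeric path, visiting that path sends the client back to the path it originally asked for, and later requests are passed through to Flask. Two redirect-following clients are then run against it: one that refuses to fetch a URL it has already fetched during the same validation, which is the behaviour that produces "Redirect loop detected", and one that only caps the hop count, which is effectively what a browser does. The token name `TOKEN` is hypothetical; the numeric path is the one from the curl output; nothing is fetched from the network.

```python
"""Model of the A -> B -> A redirect that an ACME validator reports as a loop.

Added example, not code from the thread. All responses are constructed in
process; no network access is made.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union
from urllib.parse import urljoin, urlparse

ORIGIN = "http://api.skie.fun"
# Hypothetical token name; a real ACME token is a random string.
CHALLENGE_URL = f"{ORIGIN}/.well-known/acme-challenge/TOKEN"
# Numeric path taken from the curl transcript in the thread.
TICKET_URL = f"{ORIGIN}/00913182028/"


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""


class BounceGateway:
    """Constructed stand-in for the gateway in front of nginx (not the real device).

    First request from a client -> 302 to the ticket path.
    Request for the ticket path  -> client marked as cleared, 302 back to the
                                    path it originally asked for.
    Cleared client               -> passed through to nginx/Flask.
    """

    def __init__(self, exempt: bool = False):
        self.cleared = exempt      # an exemption for this host skips the bounce
        self.pending_path = "/"    # where to send the client after the ticket

    def get(self, url: str) -> Response:
        path = urlparse(url).path or "/"
        ticket_path = urlparse(TICKET_URL).path
        if path == ticket_path:
            self.cleared = True
            return Response(302, location=self.pending_path)
        if not self.cleared:
            self.pending_path = path
            return Response(302, location=ticket_path)
        # Cleared: what the nginx server block plus Flask would answer.
        if path.startswith("/.well-known/acme-challenge/"):
            return Response(200, body="TOKEN.<key-thumbprint>")
        return Response(200, body="<h1 style='color:blue'>Hello, This is Flask Back-End!</h1>")


Outcome = Tuple[Union[int, str], List[str]]


def follow(url: str, gateway: BounceGateway, max_hops: int = 10,
           refuse_revisit: bool = True) -> Outcome:
    """Follow redirects from url; return (final status or failure label, URL chain)."""
    chain = [url]
    current = url
    for _ in range(max_hops):
        resp = gateway.get(current)
        if resp.status // 100 != 3:
            return resp.status, chain
        if resp.location is None:
            return "redirect_without_location", chain
        nxt = urljoin(current, resp.location)
        if refuse_revisit and nxt in chain:
            # The condition behind "Redirect loop detected": the validator has
            # already fetched this URL during the same validation attempt.
            return "redirect_loop", chain + [nxt]
        chain.append(nxt)
        current = nxt
    return "too_many_redirects", chain


def check_challenge(validator_like: bool, exempt: bool = False) -> Outcome:
    """Run one client (validator-style or browser-style) against a fresh gateway."""
    return follow(CHALLENGE_URL, BounceGateway(exempt=exempt),
                  refuse_revisit=validator_like)


if __name__ == "__main__":
    cases = [
        ("ACME validator, gateway in place", dict(validator_like=True)),
        ("browser-style client, gateway in place", dict(validator_like=False)),
        ("ACME validator, host exempted", dict(validator_like=True, exempt=True)),
    ]
    for label, kwargs in cases:
        status, chain = check_challenge(**kwargs)
        print(f"{label}: {status}  via  {' -> '.join(chain)}")
```

The validator-style client stops at the third URL because it is the challenge URL it started from, even though the gateway would have answered 200 on that request; the browser-style client makes that request and gets the token. The `exempt=True` case models the fix reported later in the thread, where the challenge URL is served on the first request with no redirect at all.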

? ? ?

Yes, we can see that from your first post.

This is what tcpdump sees, while doing: curl -Ii --connect-timeout 10 --keepalive-time 1 api.skie.fun
[using: tcpdump -vvvnnni any -c 9 host 147.46.35.182 &]

14:27:17.775424 eth0  Out IP (tos 0x0, ttl 64, id 32087, offset 0, flags [DF], proto TCP (6), length 60)
    [MY.IP].42404 > 147.46.35.182.80: Flags [S], cksum 0xc2de (incorrect -> 0xb736), seq 2514203745, win 64240, options [mss 1460,sackOK,TS val 2554612403 ecr 0,nop,wscale 6], length 0
14:27:17.776401 eth0  In  IP (tos 0x0, ttl 63, id 36062, offset 0, flags [DF], proto TCP (6), length 60)
    147.46.35.182.80 > [MY.IP].42404: Flags [S.], cksum 0x4105 (correct), seq 1641407956, ack 2514203746, win 14480, options [mss 1460,sackOK,TS val 306830988 ecr 2554612403,nop,wscale 7], length 0
14:27:17.776432 eth0  Out IP (tos 0x0, ttl 64, id 32088, offset 0, flags [DF], proto TCP (6), length 52)
    [MY.IP].42404 > 147.46.35.182.80: Flags [.], cksum 0xc2d6 (incorrect -> 0xa474), seq 1, ack 1, win 1004, options [nop,nop,TS val 2554612404 ecr 306830988], length 0
14:27:17.776497 eth0  Out IP (tos 0x0, ttl 64, id 32089, offset 0, flags [DF], proto TCP (6), length 129)
    [MY.IP].42404 > 147.46.35.182.80: Flags [P.], cksum 0xc323 (incorrect -> 0x11d4), seq 1:78, ack 1, win 1004, options [nop,nop,TS val 2554612404 ecr 306830988], length 77: HTTP, length: 77
        HEAD / HTTP/1.1
        Host: api.skie.fun
        User-Agent: curl/7.81.0
        Accept: */*

14:27:17.777195 eth0  In  IP (tos 0x0, ttl 63, id 15193, offset 0, flags [DF], proto TCP (6), length 52)
    147.46.35.182.80 > [MY.IP].42404: Flags [.], cksum 0xa7a1 (correct), seq 1, ack 78, win 114, options [nop,nop,TS val 306830988 ecr 2554612404], length 0
14:27:18.779264 eth0  Out IP (tos 0x0, ttl 64, id 32090, offset 0, flags [DF], proto TCP (6), length 52)
    [MY.IP].42404 > 147.46.35.182.80: Flags [.], cksum 0xc2d6 (incorrect -> 0xa03e), seq 77, ack 1, win 1004, options [nop,nop,TS val 2554613406 ecr 306830988], length 0
14:27:18.779697 eth0  In  IP (tos 0x0, ttl 63, id 15194, offset 0, flags [DF], proto TCP (6), length 52)
    147.46.35.182.80 > [MY.IP].42404: Flags [.], cksum 0xa73c (correct), seq 1, ack 78, win 114, options [nop,nop,TS val 306831089 ecr 2554612404], length 0
14:27:19.803215 eth0  Out IP (tos 0x0, ttl 64, id 32091, offset 0, flags [DF], proto TCP (6), length 52)
    [MY.IP].42404 > 147.46.35.182.80: Flags [.], cksum 0xc2d6 (incorrect -> 0x9bd9), seq 77, ack 1, win 1004, options [nop,nop,TS val 2554614430 ecr 306831089], length 0
14:27:19.803531 eth0  In  IP (tos 0x0, ttl 63, id 15195, offset 0, flags [DF], proto TCP (6), length 52)
    147.46.35.182.80 > [MY.IP].42404: Flags [.], cksum 0xa6d6 (correct), seq 1, ack 78, win 114, options [nop,nop,TS val 306831191 ecr 2554612404], length 0
9 packets captured
11 packets received by filter
0 packets dropped by kernel

If I just do "curl api.skie.fun", I get nothing/empty.
When I do "curl -I api.skie.fun", it just hangs there and I have to "^C" break out of curl.
Even using curl with --connect-timeout 10 doesn't time out ... it just hangs there.

I don't know what IPS/firewalling is being done...
But it seems very non-standard.

3 Likes

If you do curl -i I think you'll find you get a 302 redirect.

Same for me. Their server does not support HEAD requests. Let's Encrypt servers do not use HEAD so this is at their discretion.

If the api in their domain name means API then I can see why a HEAD would not be needed.

They should reply 405 or something to a HEAD but ...

4 Likes

Thanks for the answer @MikeMcQ. It was the problem that I was being redirected to a strange place, as you said. I had the server on my school's network, and the school's information center had a rule that redirected me when I accessed it via http. I contacted the information center about this and they made an exception for me, so now I don't get the error and I successfully got an SSL certificate through Let's Encrypt. Thanks for pinpointing the problem!

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.