I have verified & generated for this domain in the past, but I am failing to see what is going wrong here. Any help or pointers would be much appreciated.
I ran this command: le64 -email "[redacted]@redxcreatives.com" -key account.key -csr domain.csr -csr-key domain.key -crt domain.crt -domains "www.natureworksindia.com" -generate-missing -live
It produced this output:
Domain verification results for 'www.natureworksindia.com': error. 184.168.96.176: Fetching /.well-known/acme-challenge/Rl1r-MsnmBjSqS8Osfwpg7PExPH1JrzwH5caDdyAuk4: Redirect loop detected
2022/07/07 14:50:51 You can now delete the 'Rl1r-MsnmBjSqS8Osfwpg7PExPH1JrzwH5caDdyAuk4' file.
2022/07/07 14:50:51 All verifications failed
My web server is (include version): Apache
The operating system my web server runs on is (include version): Linux Hosting, I can get further details if required.
My hosting provider, if applicable, is: GoDaddy
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Crypt::LE client v0.38 started
I get inconsistent results trying that URL. I sometimes get redirected back to itself like your error message shows. Yet, other times I get a 200 OK. Do you have a load balancer or maybe a firewall that is sometimes blocking attempts?
Below is a series of requests I just made. I am not sure it always happens but it seems like if I do not try for several minutes the first attempt gets a 302 Redirect to itself. But, if I make the requests frequently they respond with 200 OK.
curl -I http://www.natureworksindia.com/.well-known/acme-challenge/Rl1r-MsnmBjSqS8Osfwpg7PExPH1JrzwH5caDdyAuk4
HTTP/1.1 200 OK
Date: Thu, 07 Jul 2022 16:29:43 GMT
Server: Apache
curl -I http://www.natureworksindia.com/.well-known/acme-challenge/Rl1r-MsnmBjSqS8Osfwpg7PExPH1JrzwH5caDdyAuk4
(Note there is no Server header so maybe not Apache doing this?)
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /.well-known/acme-challenge/Rl1r-MsnmBjSqS8Osfwpg7PExPH1JrzwH5caDdyAuk4
curl -I http://www.natureworksindia.com/.well-known/acme-challenge/Rl1r-MsnmBjSqS8Osfwpg7PExPH1JrzwH5caDdyAuk4
HTTP/1.1 200 OK
Date: Thu, 07 Jul 2022 16:33:16 GMT
Server: Apache
I realize now how my initial data can be confusing.
I am generating these certs for multiple websites located on different servers / different configs.
So I generate them on my local machine, which is Windows, and then upload them to the servers. This is the only one out of the many giving me an issue, and it is a Unix / Apache one.
I do realize that there would be ways to automate or do it with other methods that bypass this verification, but for now I am trying to figure out this particular issue.
Internet IP of Windows local machine - With all due respect, I fail to see how it is relevant. I have done the generation for the last 2 years from multiple geographic locations on residential lines, which means the IP has been dynamic, as it is now. If you still think it's relevant, I will share it.
I still see the same problem I described in post #2
More details. My first request gets a 302 redirect but any request within 1 minute of that gets a 200 OK. If I wait 2 minutes after the previous 200 OK (no matter how many I try) I will again get a 302 redirect.
You should be able to reproduce this from your Windows machine.
Your LE64 cert request also might work if you try two of them one right after the other. The second request should get the 200 OK responses.
It looks like some sort of network appliance or firewall that does the redirect because of the format of the response. There are few response headers (and no Server header) and no page content (normally a small "moved" page from Apache). Why anything would do a 302 like this is a mystery. I don't see any value for doing that redirect.
NOTE to other volunteers: Any test request must be the same length as an actual acme challenge. Shorter test URLs get a 404 Not Found so they likely have some Apache VirtualHost filtering out such test requests - which is not unusual.
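A small probe script, added here as an illustration and not part of the thread, that automates the repeated `curl -I` checks above: it classifies each HEAD response (200, redirect to the same path, other redirect, anything else) and notes whether a Server header is present, so the timing pattern can be logged over several minutes. The URL, interval and count are assumed placeholders; the sample header blocks in the comments are constructed.

```shell
#!/bin/sh
# Pull one header value (case handled by the caller's bracket pattern) and drop the CR.
header_value() {
  printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | tr -d '\r'
}

# classify_response HEADERS REQUEST_PATH
# Prints: ok | self-redirect | redirect | other
# e.g. "HTTP/1.1 302 Found\r\nLocation: /.well-known/acme-challenge/X" with path
#      "/.well-known/acme-challenge/X"  -> self-redirect   (constructed sample)
classify_response() {
  headers="$1"
  path="$2"
  status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
  location=$(header_value "$headers" '[Ll]ocation')
  # Reduce an absolute Location (http://host/path) to its path component.
  case "$location" in
    *://*/*) loc_path="/${location#*://*/}" ;;
    *)       loc_path="$location" ;;
  esac
  case "$status" in
    200) echo ok ;;
    301|302|303|307|308)
      if [ "$loc_path" = "$path" ]; then echo self-redirect; else echo redirect; fi ;;
    *) echo other ;;
  esac
}

# probe_challenge_url URL [INTERVAL_SECONDS] [COUNT]
# HEAD-requests the challenge URL without following redirects and logs one line per probe.
probe_challenge_url() {
  url="$1"
  interval="${2:-30}"
  count="${3:-6}"
  path="/${url#*://*/}"
  i=0
  while [ "$i" -lt "$count" ]; do
    headers=$(curl -s -I --max-time 15 "$url" 2>/dev/null)
    server=$(header_value "$headers" '[Ss]erver')
    printf '%s  %-14s server=%s\n' "$(date -u +%H:%M:%S)" \
      "$(classify_response "$headers" "$path")" "${server:-<none>}"
    i=$((i + 1))
    if [ "$i" -lt "$count" ]; then sleep "$interval"; fi
  done
}

# Example (placeholder URL): probe every 30 s, 10 times, to see when the self-redirect returns.
# probe_challenge_url "http://www.example.com/.well-known/acme-challenge/TOKEN-PLACEHOLDER" 30 10
```

A run that shows `self-redirect` with `server=<none>` after a quiet period, then `ok` with `server=Apache` on the immediate follow-ups, reproduces the pattern described in this thread.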
Puzzling indeed! And, yet, they know the name of a challenge file that exists on that server.
I'd been assuming they were using some sort of hook or manual intervention to push the challenge file to the remote server, but maybe that's not the best assumption. I don't know LE64, so I was just addressing the specific redirect error. I just read some docs on LE64 and the -delayed option looks necessary for manual intervention, and I don't see that used here. The mystery deepens.
You just made me realize my idea of running LE64 twice might not work. Each run has a new challenge file so I don't know if the weird 302 redirect resets for each unique file name.
There is definitely a really big piece of the puzzle that has yet to be detailed.
I wouldn't be surprised to hear something like: "Oh, did I fail to mention that I use a VPN to connect with that network and then map the drive..."
OR something simpler, like: "I do have FTP access to the destination system and that is how the challenge file is being handled."
It is weird. I have double-checked everything from caching plugins, CDN, etc. I have determined it is a server-wide issue because the other domains on the same hosting are also having the same issue. I am going to try and reach out to the hosting provider - GoDaddy - and see if they have an answer, though I feel they will simply say it's a third-party thing and shrug it off.
I cannot do 2 requests quickly because, as you rightly pointed out in a later reply, every cert generation request has a different challenge file name + inner text, so it's 2 different requests.
I guess I will have to go with the DNS based verification.
Immense thanks for the follow up & your precious time.
I fear that perhaps I am using LE as very much a newcomer / server software illiterate would use it.
My simple need is to generate & upload certs for my clients' websites, for the simple reason that https is preferred on the marketing side.
Since the sites / domains are hosted at different hosts / different servers, and I am perhaps too lazy to learn this properly or automate it on the server side, my modus operandi has been to run the commands on my Windows machine, which then displays the challenge file name & its expected content.
At the same time I have the cPanel open for the site that I want to renew for, and I just create the file in the right location using File Manager with the right content string & file name. Then I allow the challenge request to happen and it gets validated. The certs are generated on my machine, so I can upload them using the SSL option on cPanel & move on.
Through Mike's generous help, I have determined it isn't so much an LE issue as how GoDaddy seems to be handling requests for resources like this. I will try and update here if I find a proper cause or solution. Thanks.