
SSL by Let'sEncrypt not working on mail -> still selfsigned

Filip #1

Hi, I am getting this error when issuing SSL to my mail subdomain.

[08.04.2022_17-14-26] Status Code: Unkown for: http://www.mail.tenerhack.men/.well-known/acme-challenge/mail.tenerhack.men. Error: Exceeded 30 redirects.
[08.04.2022_17-14-26] Status Code: Unkown for: http://mail.tenerhack.men/.well-known/acme-challenge/mail.tenerhack.men. Error: Exceeded 30 redirects.
[08.04.2022_17-14-28] /root/.acme.sh/acme.sh --issue -d mail.tenerhack.men -d www.mail.tenerhack.men --cert-file /etc/letsencrypt/live/mail.tenerhack.men/cert.pem --key-file /etc/letsencrypt/live/mail.tenerhack.men/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.tenerhack.men/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt
[08.04.2022_17-14-28] Failed to obtain SSL for: mail.tenerhack.men and: www.mail.tenerhack.men
[08.04.2022_17-14-28] /root/.acme.sh/acme.sh --issue -d mail.tenerhack.men --cert-file /etc/letsencrypt/live/mail.tenerhack.men/cert.pem --key-file /etc/letsencrypt/live/mail.tenerhack.men/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.tenerhack.men/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt
[08.04.2022_17-14-28] Failed to obtain SSL, issuing self-signed SSL for: mail.tenerhack.men
[08.04.2022_17-14-28] {'email@mail.tenerhack.men': (554, b'5.7.1 <email@mail.tenerhack.men>: Relay access denied')}
[08.04.2022_17-14-28] Websites matching query does not exist. [installSSLForDomain:72]
[08.04.2022_17-14-28] Self signed SSL issued for mail.tenerhack.men.

My DNS records are set up like this:
Nameservers in namecheap → forwarded to hetzner DNS:

DNS records in Hetzner DNS

Am I missing something?

Thank you!

Alex #2

Why would we care about DNS records?

Anyway just put a file inside of /usr/local/lsws/Example/html/.well-known/acme-challenge

Any file, then try to access it with http://mail.tenerhack.men/.well-known/acme-challenge/myfilehere

If you can access it, over HTTP, then come back here. If you can’t, well fix that. Honestly it’s all in the log, it’s not even a difficult issue.

Filip #3

Because other users were suspecting it might be my DNS records set up incorrectly.

I cannot access my file via HTTP; I am getting a 404 / “The page isn’t redirecting properly”.
What could be the issue there?

Alex #4

In the vhost.conf of that domain, there should be something that looks like

context /.well-known/acme-challenge {
  location                /usr/local/lsws/Example/html/.well-known/acme-challenge
}

Make sure it’s there, or add it. Also, remove those 404 directives; the infinite redirection is embarrassing. You can send the vhost file.

Filip #6

Yeah, not sure why that 404 directive happens, everything should be stock…

I added the context into the vhost config file of that domain. It was not there, but adding it did not solve the issue.

docRoot                   /home/tenerhack.men/mail.tenerhack.men
vhDomain                  $VH_NAME
vhAliases                 www.$VH_NAME
adminEmails               tenerhack@gmail.com
enableGzip                1
enableIpGeo               1

index  {
  useServer               0
  indexFiles              index.php, index.html
}

errorlog $VH_ROOT/logs/tenerhack.men.error_log {
  useServer               0
  logLevel                WARN
  rollingSize             10M
}

accesslog $VH_ROOT/logs/tenerhack.men.access_log {
  useServer               0
  logFormat               "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i""
  logHeaders              5
  rollingSize             10M
  keepDays                10  
  compressArchive         1
}

phpIniOverride  {

}

module cache {
 storagePath $VH_ROOT/lscache
}

errorpage 403 {
  url                     403.html
}

errorpage 404 {
  url                     404.html
}

errorpage 500 {
  url                     500.html
}

scripthandler  {
  add                     lsapi:tener15585960 php
}

extprocessor tener15585960 {
  type                    lsapi
  address                 UDS://tmp/lshttpd/tener15585960.sock
  maxConns                10
  env                     LSAPI_CHILDREN=10
  initTimeout             60
  retryTimeout            0
  persistConn             1
  pcKeepAliveTimeout      1
  respBuffer              0
  autoStart               1
  path                    /usr/local/lsws/lsphp73/bin/lsphp
  extUser                 tener1558
  extGroup                tener1558
  memSoftLimit            2047M
  memHardLimit            2047M
  procSoftLimit           400
  procHardLimit           500
}

rewrite  {
  enable                  1
  autoLoadHtaccess        1
}

context /.well-known/acme-challenge {
  location                /usr/local/lsws/Example/html/.well-known/acme-challenge
}

vhssl  {
  keyFile                 /etc/letsencrypt/live/mail.tenerhack.men/privkey.pem
  certFile                /etc/letsencrypt/live/mail.tenerhack.men/fullchain.pem
  certChain               1
  sslProtocol             24
  enableECDHE             1
  renegProtection         1
  sslSessionCache         1
  enableSpdy              15
  enableStapling           1
  ocspRespMaxAge           86400
}

Alex #7

Did you restart the server?

Edit: just lsws, not the full server.

Filip #8

Restarted it, tried requesting SSL for my mail and main domain now; neither of those is working now :grin:
I was actually able to get Let's Encrypt for my main domain name at least; now the same error is showing up and I got a self-signed cert there now too :(. I think my whole lsws installation is messed up somehow.

Alex #9

God, why do I even try. Look, that’s not what I’m asking, ok, you know there’s a limit to how many certificate requests you can do per day, per hour and all of that.

Ok? So just answer what I ask, just stop messing up files and listen for 5 seconds. Ok, what matters now is the very first error in the log

http://www.mail.tenerhack.men/.well-known/acme-challenge/mail.tenerhack.men. Error: Exceeded 30 redirects.

You need mail.tenerhack.men/.well-known/acme-challenge to point at a certificate challenge, nothing else matters, you’ll never get a certificate until you fix that.
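The manual check Alex describes in #2 and #9 (drop a file in the webroot, fetch it over plain HTTP, make sure nothing redirects it) can be scripted so each hop is visible instead of ending in "Exceeded 30 redirects". This is an added example, not from the thread or from CyberPanel/acme.sh; the hostname `mail.example.invalid` is a placeholder, and the webroot default is the one from the log above.

```bash
#!/bin/sh
# Pre-flight check for an ACME HTTP-01 webroot. Placeholders: HOST is a made-up name,
# WEBROOT defaults to the -w path acme.sh used in the thread's log.
WEBROOT="${WEBROOT:-/usr/local/lsws/Example/html}"
HOST="${HOST:-mail.example.invalid}"

# classify_hop STATUS REDIRECT_URL -> one-word verdict for a single HTTP hop.
#   ok        200 served directly over HTTP (what the HTTP-01 validator needs)
#   redirect  3xx, e.g. an HTTP->HTTPS or www rewrite on a host that still has a
#             self-signed cert; chained rewrites are how the 30-redirect loop arises
#   notfound  404, the acme-challenge context is missing or points at the wrong dir
classify_hop() {
  case "$1" in
    200)     echo ok ;;
    30[1-8]) echo redirect ;;
    404)     echo notfound ;;
    *)       echo error ;;       # 000 = connection failure, 5xx = server error
  esac
}

# detect_loop "url1<newline>url2..." -> exit 0 if any URL appears twice (a loop).
detect_loop() {
  printf '%s\n' "$1" | sed '/^$/d' | sort | uniq -d | grep -q .
}

# probe_challenge: write a token file, then follow redirects by hand (no curl -L)
# so every hop is printed and a loop is named explicitly instead of timing out.
probe_challenge() {
  token="acme-test-$$"
  dir="$WEBROOT/.well-known/acme-challenge"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token"
  url="http://$HOST/.well-known/acme-challenge/$token"
  chain=""; hops=0; verdict=error
  while [ "$hops" -lt 10 ]; do
    chain="$chain$url
"
    set -- $(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "$url")
    verdict=$(classify_hop "$1")
    echo "$url -> $1 ($verdict)"
    [ "$verdict" = redirect ] || break
    url="$2"; hops=$((hops + 1))
    if detect_loop "$chain$url"; then echo "redirect loop detected at $url"; break; fi
  done
  rm -f "$dir/$token"
  [ "$verdict" = ok ] && echo "PASS: challenge path is served directly over HTTP" \
                      || echo "FAIL: fix the acme-challenge context/redirects, then rerun acme.sh"
}

# Network probe only runs when explicitly requested, e.g. ACME_PROBE_RUN=1 HOST=... sh check.sh
if [ "${ACME_PROBE_RUN:-0}" = 1 ]; then probe_challenge; fi
```

Run it on the server itself before retrying acme.sh, so you do not burn Let's Encrypt rate limits on a path that is still redirecting.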
