Self-Signed Email SSL Certificates & Redirect Loops?

Hi everyone,

I’ve been trying to issue a mail server SSL certificate using CyberPanel on a VPS but kept receiving only self-signed certificates. After some investigation I originally thought maybe I had configured the DNS/rDNS records incorrectly, but the specific error I’ve been getting when the acme.sh script runs is a redirect loop:

[root@sanctus ~]# /root/.acme.sh/acme.sh --issue -d mail.sanctus.ca -d www.mail.sanctus.ca --cert-file /etc/letsencrypt/live/mail.sanctus.ca/cert.pem --key-file /etc/letsencrypt/live/mail.sanctus.ca/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.sanctus.ca/fullchain.pem -w /home/mail.sanctus.ca/public_html -k ec-256 --force --server letsencrypt
[Wed Dec 15 04:43:21 UTC 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed Dec 15 04:43:21 UTC 2021] Multi domain='DNS:mail.sanctus.ca,DNS:www.mail.sanctus.ca'
[Wed Dec 15 04:43:21 UTC 2021] Getting domain auth token for each domain
[Wed Dec 15 04:43:22 UTC 2021] Getting webroot for domain='mail.sanctus.ca'
[Wed Dec 15 04:43:22 UTC 2021] Getting webroot for domain='www.mail.sanctus.ca'
[Wed Dec 15 04:43:22 UTC 2021] Verifying: mail.sanctus.ca
[Wed Dec 15 04:43:23 UTC 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Wed Dec 15 04:43:25 UTC 2021] mail.sanctus.ca:Verify error:Fetching 404.html: Redirect loop detected
[Wed Dec 15 04:43:25 UTC 2021] Please add '--debug' or '--log' to check more details.
[Wed Dec 15 04:43:25 UTC 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

I ran the command with the --debug flag to see what was happening, and if I didn’t know any better I’d say it seems like Let’s Encrypt is fetching the cached website that I used to host on the sanctus.ca domain before I migrated to the new server infrastructure, hence why the link it tries to check fetches a 404.html page.

But I’m really confused here because I used whatsmydns.net to check the domain name, and everything, including the mail server records, is pointed to the new server IP.

Is it the case here that I just have to wait for Let’s Encrypt to update their DNS caches for the SSL certificate to be issued properly? Or have I made some other mistake I’m not aware of? I only have a very broad and surface-level understanding of SSL certificate issuance, so I don’t really know what’s causing this error.

Here’s a snippet of the debug output that shows the API attempting to fetch the right link only to be redirected to the 404 error page on what should be the old server:

...
[Wed Dec 15 19:40:28 UTC 2021] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/58827470860/5-dcJA'
[Wed Dec 15 19:40:28 UTC 2021] _currentRoot='/home/mail.sanctus.ca/public_html'
[Wed Dec 15 19:40:28 UTC 2021] wellknown_path='/home/mail.sanctus.ca/public_html/.well-known/acme-challenge'
[Wed Dec 15 19:40:28 UTC 2021] writing token:feFrqt0YB9wpbEtEa-lv6q_RHeoeYMIwqKK2Yx3Ora0 to /home/mail.sanctus.ca/public_html/.well-known/acme-challenge/feFrqt0YB9wpbEtEa-lv6q_RHeoeYMIwqKK2Yx3Ora0
[Wed Dec 15 19:40:28 UTC 2021] Changing owner/group of .well-known to root:root
[Wed Dec 15 19:40:28 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/58827470860/5-dcJA'
[Wed Dec 15 19:40:28 UTC 2021] payload='{}'
[Wed Dec 15 19:40:28 UTC 2021] Retrying post
[Wed Dec 15 19:40:28 UTC 2021] POST
[Wed Dec 15 19:40:28 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/58827470860/5-dcJA'
[Wed Dec 15 19:40:28 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Wed Dec 15 19:40:29 UTC 2021] _ret='0'
[Wed Dec 15 19:40:29 UTC 2021] _hcode='0'
[Wed Dec 15 19:40:29 UTC 2021] code='200'
[Wed Dec 15 19:40:29 UTC 2021] trigger validation code: 200
[Wed Dec 15 19:40:29 UTC 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Wed Dec 15 19:40:29 UTC 2021] sleep 2 secs to verify again
[Wed Dec 15 19:40:31 UTC 2021] checking
[Wed Dec 15 19:40:31 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/58827470860/5-dcJA'
[Wed Dec 15 19:40:31 UTC 2021] payload
[Wed Dec 15 19:40:31 UTC 2021] Retrying post
[Wed Dec 15 19:40:31 UTC 2021] POST
[Wed Dec 15 19:40:31 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/58827470860/5-dcJA'
[Wed Dec 15 19:40:31 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Wed Dec 15 19:40:31 UTC 2021] _ret='0'
[Wed Dec 15 19:40:31 UTC 2021] _hcode='0'
[Wed Dec 15 19:40:31 UTC 2021] code='200'
[Wed Dec 15 19:40:31 UTC 2021] mail.sanctus.ca:Verify error:Fetching 404.html: Redirect loop detected
[Wed Dec 15 19:40:31 UTC 2021] Debug: get token url.
[Wed Dec 15 19:40:31 UTC 2021] Retrying GET
[Wed Dec 15 19:40:31 UTC 2021] GET
[Wed Dec 15 19:40:31 UTC 2021] url='http://mail.sanctus.ca/.well-known/acme-challenge/feFrqt0YB9wpbEtEa-lv6q_RHeoeYMIwqKK2Yx3Ora0'
[Wed Dec 15 19:40:31 UTC 2021] timeout=1
[Wed Dec 15 19:40:31 UTC 2021] displayError='1'
[Wed Dec 15 19:40:31 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  --connect-timeout 1'
<!doctype html>
<html lang="en-CA" prefix="og: https://ogp.me/ns#">
<head>
        <meta charset="UTF-8">
                <meta name="viewport" content="width=device-width, initial-scale=1">
        <link rel="profile" href="http://gmpg.org/xfn/11">
        <script type="text/javascript" >                function apbct_attach_event_handler__backend(elem, event, callback){                    if(typeof window.addEventListener === "function") elem.addEventListener(event, callback);                    else                                              elem.attachEvent(event, callback);                }                apbct_attach_event_handler__backend(window, 'load', function(){                    if (typeof ctSetCookie === "function")                        ctSetCookie('ct_checkjs', '0bd898f834d392acd821e7d257bab77576c8456e9000e39933484b1810530c2e' );                    else                         console.log('APBCT ERROR: apbct-public--functions is not loaded.');                });    </script>
<!-- Search Engine Optimization by Rank Math - https://s.rankmath.com/home -->
<title>Page not found - SANCTVS</title>
...

Any help would be appreciated! I don’t understand for the life of me how Let’s Encrypt seems to be able to access the site on my old server if the DNS records are pointing to the new one, and I assumed that somehow they must be getting the wrong DNS data.

I’m administering a couple of other servers hosting new websites, which are also hosted on top of CyberPanel, and didn’t have this problem on those servers, so… that’s my best guess as to what’s going on.

Thanks for reading and thanks in advance for any help.

Hello,

Please let us know when you last made a change to the DNS for this domain. Usually a DNS change takes a longer period (depending on the domain provider or DNS provider). It may not be fully propagated across the world yet.

Please check here; I found different IPs in different regions. It means that your DNS is not fully propagated yet. You need to wait until it is propagated across the world with your new changes.
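The reply above tells you to wait for propagation, but the useful check before re-running acme.sh is to confirm two things yourself: that the zone's own nameservers and public resolvers all return the new IP, and that an HTTP fetch of a throwaway token in the webroot actually reaches the new server without bouncing through redirects. The script below is an added example for this thread, not code from acme.sh or CyberPanel; it assumes dig and curl are installed, that the domain, expected IP and webroot are passed on the command line, and that stripping the first label of the hostname gives the zone apex (mail.example.com → example.com), which is a simplification. The two helpers that judge the results (ips_agree and classify_fetch) are pure so they can be exercised without network access.

```shell
#!/bin/sh
# Pre-flight check for an acme.sh HTTP-01 (webroot) issuance.
# Added example for this thread, not part of acme.sh or CyberPanel.
# Usage (assumed): sh preflight.sh mail.example.com 203.0.113.10 /home/mail.example.com/public_html

# ips_agree EXPECTED "ip1 ip2 ..." -> success only if every answer equals EXPECTED
ips_agree() {
    expected=$1
    answers=$2
    [ -n "$answers" ] || return 1          # an empty answer set is a failure too
    for ip in $answers; do
        [ "$ip" = "$expected" ] || return 1
    done
    return 0
}

# classify_fetch HTTP_CODE BODY TOKEN -> one-word verdict on a challenge fetch
classify_fetch() {
    code=$1
    body=$2
    token=$3
    if [ "$code" = "200" ] && [ "$body" = "$token" ]; then
        echo ok                 # the host answering port 80 holds the webroot we wrote into
    elif [ "$code" = "200" ]; then
        echo wrong-content      # 200 but not our token: some other vhost or server answered
    elif [ "$code" = "404" ]; then
        echo not-found          # reached a server, but not the webroot acme.sh writes to
    elif [ "$code" = "000" ]; then
        echo unreachable        # curl gave up: connect timeout or redirect limit hit
    else
        echo "http-$code"
    fi
}

# resolve_everywhere DOMAIN -> A records from the zone's nameservers plus two public resolvers
resolve_everywhere() {
    domain=$1
    apex=${domain#*.}                       # assumption: one label above the apex
    for ns in $(dig +short NS "$apex"); do
        dig +short A "$domain" @"$ns"
    done
    dig +short A "$domain" @1.1.1.1
    dig +short A "$domain" @8.8.8.8
}

preflight() {
    domain=$1; expected=$2; webroot=$3
    answers=$(resolve_everywhere "$domain" | tr '\n' ' ')
    if ips_agree "$expected" "$answers"; then
        echo "DNS: every resolver returns $expected"
    else
        echo "DNS: mixed answers [$answers]; propagation incomplete or records wrong"
    fi

    # Drop a throwaway token where acme.sh would, then fetch it two ways:
    # pinned to the new server with --resolve, and via whatever DNS says.
    token=preflight-$(date +%s)
    mkdir -p "$webroot/.well-known/acme-challenge"
    printf '%s' "$token" > "$webroot/.well-known/acme-challenge/$token"
    url="http://$domain/.well-known/acme-challenge/$token"
    for mode in pinned public; do
        extra=""
        [ "$mode" = pinned ] && extra="--resolve $domain:80:$expected"
        tmp=$(mktemp)
        meta=$(curl -sS -L --max-redirs 5 --connect-timeout 5 $extra -o "$tmp" \
               -w '%{http_code} %{num_redirects} %{url_effective}' "$url" 2>/dev/null) || true
        code=${meta%% *}
        [ -n "$code" ] || code=000
        echo "$mode fetch: $(classify_fetch "$code" "$(cat "$tmp")" "$token") [$meta]"
        rm -f "$tmp"
    done
    rm -f "$webroot/.well-known/acme-challenge/$token"
}

if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

If the pinned fetch reports ok but the public fetch reports not-found, wrong-content or unreachable, the new server is configured correctly and the problem is resolution or an intermediary in front of the old host; if even the pinned fetch fails, the vhost or webroot on the new server is the thing to fix before blaming DNS. The num_redirects and url_effective fields in the bracketed output show where a redirect chain is sending the validator.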

Hello!

Thank you so much. Yes, you are right, I tried issuing this less than 24 hours after changing the DNS; I will wait another 48 hours and see if that fixes the problem.

Thank you again!

Just an update,

I must have configured something wrong on my end but I wasn’t able to figure out what it was; I tried reissuing the certificate and it gave me the same error, but this time it didn’t seem like it was fetching data from the old server.

In any case, I went ahead and reinstalled everything on the new server and now everything is working perfectly. I’m sure I must have just configured some setting wrong the first time.

Thank you again for your help!!


Glad it’s all solved now.
