Hi everyone,
I’ve been trying to issue a mail server SSL certificate using CyberPanel on a VPS but kept receiving only self-signed certificates, and after some investigation I originally thought maybe I configured the DNS/RDNS records incorrectly, but the specific error I’ve been getting when the acme.sh script runs is that of a redirect loop:
[root@sanctus ~]# /root/.acme.sh/acme.sh --issue -d mail.sanctus.ca -d www.mail.sanctus.ca --cert-file /etc/letsencrypt/live/mail.sanctus.ca/cert.pem --key-file /etc/letsencrypt/live/mail.sanctus.ca/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.sanctus.ca/fullchain.pem -w /home/mail.sanctus.ca/public_html -k ec-256 --force --server letsencrypt
[Wed Dec 15 04:43:21 UTC 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed Dec 15 04:43:21 UTC 2021] Multi domain='DNS:mail.sanctus.ca,DNS:www.mail.sanctus.ca'
[Wed Dec 15 04:43:21 UTC 2021] Getting domain auth token for each domain
[Wed Dec 15 04:43:22 UTC 2021] Getting webroot for domain='mail.sanctus.ca'
[Wed Dec 15 04:43:22 UTC 2021] Getting webroot for domain='www.mail.sanctus.ca'
[Wed Dec 15 04:43:22 UTC 2021] Verifying: mail.sanctus.ca
[Wed Dec 15 04:43:23 UTC 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Wed Dec 15 04:43:25 UTC 2021] mail.sanctus.ca:Verify error:Fetching 404.html: Redirect loop detected
[Wed Dec 15 04:43:25 UTC 2021] Please add '--debug' or '--log' to check more details.
[Wed Dec 15 04:43:25 UTC 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
I ran the command with the --debug flag to see what was happening, and if I didn’t know any better it seems like Let’s Encrypt is fetching the cached website that I used to host on the sanctus.ca domain before I migrated to a new server infrastructure - hence why the link it tries to check fetches a 404.html page.
But I’m really confused here because I used whatsmydns.net to check the domain name and everything including the mail server records are pointed to the new server IP.
Is the case here that I just have to wait for Let’s Encrypt to update their DNS caches for the SSL certificate to be issued properly? Or have I made some other mistake I’m not aware of? I only have a very broad and surface understanding of SSL certificate issuance so I don’t really know what’s causing this error.
Here’s a snippet of the debug output that shows the API attempting to fetch the right link only to be redirected to the 404 error page on what should be the old server:
...
[Wed Dec 15 19:40:28 UTC 2021] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/58827470860/5-dcJA'
[Wed Dec 15 19:40:28 UTC 2021] _currentRoot='/home/mail.sanctus.ca/public_html'
[Wed Dec 15 19:40:28 UTC 2021] wellknown_path='/home/mail.sanctus.ca/public_html/.well-known/acme-challenge'
[Wed Dec 15 19:40:28 UTC 2021] writing token:feFrqt0YB9wpbEtEa-lv6q_RHeoeYMIwqKK2Yx3Ora0 to /home/mail.sanctus.ca/public_html/.well-known/acme-challenge/feFrqt0YB9wpbEtEa-lv6q_RHeoeYMIwqKK2Yx3Ora0
[Wed Dec 15 19:40:28 UTC 2021] Changing owner/group of .well-known to root:root
[Wed Dec 15 19:40:28 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/58827470860/5-dcJA'
[Wed Dec 15 19:40:28 UTC 2021] payload='{}'
[Wed Dec 15 19:40:28 UTC 2021] Retrying post
[Wed Dec 15 19:40:28 UTC 2021] POST
[Wed Dec 15 19:40:28 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/58827470860/5-dcJA'
[Wed Dec 15 19:40:28 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Wed Dec 15 19:40:29 UTC 2021] _ret='0'
[Wed Dec 15 19:40:29 UTC 2021] _hcode='0'
[Wed Dec 15 19:40:29 UTC 2021] code='200'
[Wed Dec 15 19:40:29 UTC 2021] trigger validation code: 200
[Wed Dec 15 19:40:29 UTC 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Wed Dec 15 19:40:29 UTC 2021] sleep 2 secs to verify again
[Wed Dec 15 19:40:31 UTC 2021] checking
[Wed Dec 15 19:40:31 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/58827470860/5-dcJA'
[Wed Dec 15 19:40:31 UTC 2021] payload
[Wed Dec 15 19:40:31 UTC 2021] Retrying post
[Wed Dec 15 19:40:31 UTC 2021] POST
[Wed Dec 15 19:40:31 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/58827470860/5-dcJA'
[Wed Dec 15 19:40:31 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Wed Dec 15 19:40:31 UTC 2021] _ret='0'
[Wed Dec 15 19:40:31 UTC 2021] _hcode='0'
[Wed Dec 15 19:40:31 UTC 2021] code='200'
[Wed Dec 15 19:40:31 UTC 2021] mail.sanctus.ca:Verify error:Fetching 404.html: Redirect loop detected
[Wed Dec 15 19:40:31 UTC 2021] Debug: get token url.
[Wed Dec 15 19:40:31 UTC 2021] Retrying GET
[Wed Dec 15 19:40:31 UTC 2021] GET
[Wed Dec 15 19:40:31 UTC 2021] url='http://mail.sanctus.ca/.well-known/acme-challenge/feFrqt0YB9wpbEtEa-lv6q_RHeoeYMIwqKK2Yx3Ora0'
[Wed Dec 15 19:40:31 UTC 2021] timeout=1
[Wed Dec 15 19:40:31 UTC 2021] displayError='1'
[Wed Dec 15 19:40:31 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g --connect-timeout 1'
<!doctype html>
<html lang="en-CA" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="profile" href="http://gmpg.org/xfn/11">
<script type="text/javascript" > function apbct_attach_event_handler__backend(elem, event, callback){ if(typeof window.addEventListener === "function") elem.addEventListener(event, callback); else elem.attachEvent(event, callback); } apbct_attach_event_handler__backend(window, 'load', function(){ if (typeof ctSetCookie === "function") ctSetCookie('ct_checkjs', '0bd898f834d392acd821e7d257bab77576c8456e9000e39933484b1810530c2e' ); else console.log('APBCT ERROR: apbct-public--functions is not loaded.'); }); </script>
<!-- Search Engine Optimization by Rank Math - https://s.rankmath.com/home -->
<title>Page not found - SANCTVS</title>
...
Any help would be appreciated! I don’t understand for the life of me how Let’s Encrypt seems to be able to access the site on my old server if the DNS records are pointing to the new one, and I assumed that somehow they must be getting the wrong DNS data.
I’m administering a couple of other servers on new websites which are also hosted on top of CyberPanel and didn’t have this problem on those servers, so… that’s my best guess as to what’s going on.
Thanks for reading and thanks in advance for any help.
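Added diagnostic for the HTTP-01 webroot check in the debug log above (this is not code from the original post or from acme.sh): it resolves the hostname locally and walks the challenge URL one redirect at a time instead of letting `curl -L` follow the chain silently, so a "Redirect loop detected" failure shows which hop bounces to 404.html and which IP is actually answering. The hostname is the one from the post; the token value is a placeholder you must create in the webroot first.

```python
"""Trace an ACME HTTP-01 challenge URL hop by hop to locate a redirect loop."""
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes every 3xx surface as HTTPError instead of being followed.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_hop(url, timeout=5):
    """Fetch one URL without following redirects; return (status, Location or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def trace_redirects(url, fetch=http_hop, max_hops=10):
    """Follow redirects manually.

    Returns (hops, verdict): hops is the list of (url, status, location) visited,
    verdict is 'ok', 'loop', 'too-many' or 'http-<code>' for a non-200 final answer.
    """
    hops, seen = [], set()
    while len(hops) < max_hops:
        if url in seen:                     # same URL twice = redirect loop
            return hops, "loop"
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status, location))
        if 300 <= status < 400 and location:
            url = urljoin(url, location)    # Location may be relative (e.g. /404.html)
            continue
        return hops, "ok" if status == 200 else f"http-{status}"
    return hops, "too-many"


def challenge_url(host, token):
    return f"http://{host}/.well-known/acme-challenge/{token}"


if __name__ == "__main__":
    host = "mail.sanctus.ca"   # hostname from the post
    token = "TEST-TOKEN"       # placeholder: create this file in the webroot first
    print(host, "resolves locally to", socket.gethostbyname(host))  # compare with new server IP
    hops, verdict = trace_redirects(challenge_url(host, token))
    for visited, status, location in hops:
        print(status, visited, "->", location or "(final)")
    print("verdict:", verdict)
```

A verdict of `ok` with the expected file body means the webroot is served by the host the name resolves to; a `loop` ending on 404.html means the responding web server redirects the `.well-known` path away before the token is read.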