Let's Encrypt failing with 'redirect loop detected'

Discussion in 'Installation/Configuration' started by AphexTwin, Jan 20, 2022.

  1. AphexTwin

    AphexTwin New Member

    Hi,
    I'm running the latest ISPConfig on an upgraded Debian 11, coming from Debian 6 or so.
    Initially I followed the set-up guidelines for Debian and created my own self-signed certificates on my latest, longer-running installation (Debian 8) for pretty much everything, including a separately installed OpenVPN server with a couple of mobile clients.
    Given recent browser and OS (mobile) updates making the use of self-signed certificates pretty hard, I wanted to move to Let's Encrypt for the ISPC panel, websites, mail and FTP server.
    I run a box with all services running on a single machine. DNS is provided by my hoster, from which I rented a full-access, dedicated server. The hostname is pre-set by the hoster and the DNS entries for the host are managed by them; besides that, everything is open for configuration by myself.
    I ran the update with --force, configured all services (except DNS) anew and let the script create new certs. However, the SSL certificates for the webserver are not getting created due to a 'redirect loop detected' error, which I can see in the letsencrypt log.

    I tried to delete the existing certs in the acme.sh folder, played around with the DNS configuration on my hoster's config page, changed the vhost entries in the ISPC panel, but nothing seems to work.

    If you have any further ideas on how to at least narrow down the issue, please let me know which information I should provide - and how to post log information on this forum.

    Thanks in advance,
    AphX
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. AphexTwin

    AphexTwin New Member

    Thank you for the fast response! Unfortunately it didn't help.
    I can reach the ISPC panel using IP or hostname under port 8080 with https, so I guess getting a cert is not the problem.
    In addition I can reach the websites using domain.tld and www.domain.tld, so that is fine as well. However, in the log I still see the 'redirect loop' problem:
    [Thu 20 Jan 2022 03:06:08 AM CET] Pending, The CA is processing your order, please just wait. (1/30)
    [Thu 20 Jan 2022 03:06:08 AM CET] sleep 2 secs to verify again
    [Thu 20 Jan 2022 03:06:10 AM CET] checking
    [Thu 20 Jan 2022 03:06:10 AM CET] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/70009903130/l3pZ2w'
    [Thu 20 Jan 2022 03:06:10 AM CET] payload
    [Thu 20 Jan 2022 03:06:10 AM CET] POST
    [Thu 20 Jan 2022 03:06:10 AM CET] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/70009903130/l3pZ2w'
    [Thu 20 Jan 2022 03:06:10 AM CET] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L '
    [Thu 20 Jan 2022 03:06:11 AM CET] _ret='0'
    [Thu 20 Jan 2022 03:06:11 AM CET] code='200'
    [Thu 20 Jan 2022 03:06:11 AM CET] domain.tld:Verify error:Fetching eu?ref=domain.tld: Redirect loop detected
    [Thu 20 Jan 2022 03:06:11 AM CET] pid
    [Thu 20 Jan 2022 03:06:11 AM CET] No need to restore nginx, skip.
    [Thu 20 Jan 2022 03:06:11 AM CET] _clearupdns
    [Thu 20 Jan 2022 03:06:11 AM CET] dns_entries
    [Thu 20 Jan 2022 03:06:11 AM CET] skip dns.
    [Thu 20 Jan 2022 03:06:11 AM CET] _on_issue_err
    [Thu 20 Jan 2022 03:06:11 AM CET] Please check log file for more details: /var/log/ispconfig/acme.log
    In addition I see postfix and dovecot having problems with SSL as well:
    Jan 20 02:42:09 85-31-186-17 dovecot: lmtp(1427671): Error: SSL context initialization failed, disabling SSL: Can't load DH parameters (ssl_dh setting): error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small
    Postfix writes a warning to the syslog that /var/spool/postfix/etc/ssl/certs/ca-certificates.cert and /etc/ssl/certs/ca-certificates.cert differ.
    Let me know in case you need more output.

    Thanks, again. Highly appreciated!

    Cheers,
    AphX
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Unless you assign mail LE certs manually, postfix and dovecot LE certs should use the same as the server itself. I think the error shows that you should check if you have proper dhparams file for them at /etc/dovecot/dh.pem. By default ISPConfig did create that file in 2048 bit. Try force update ISPConfig and see if that could solve your problem related to them.

    I am not sure about your loop problem though.
     
  5. AphexTwin

    AphexTwin New Member

    I had manually assigned self-signed certs in the past. Now I just ran a forced update and let ISPC do everything, including creating the symlinks for postfix and pureFTP; not sure if dovecot just picks up the postfix ones in the process.

    If ISPC did create it with 2048 during the forced update, what would be the expected standard bit length for dovecot? I did not change anything - might have in the past.

    Thanks for your help.
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Yes, normally it should work, but do check if the ISPConfig install logs say otherwise, like failing to create it etc., or test your server after you have finished running the update.
     
    AphexTwin likes this.
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Do you have a custom ispconfig vhost or nginx config? Those must be maintained with changes from the upstream templates, including the statement for how to handle acme-challenge requests. A redirect loop can happen when the acme-challenge doesn't get handled correctly.
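A way to narrow this down from the command line, as an added example (not ISPConfig's own code and not from this thread): walk the redirect chain for the HTTP-01 challenge path by hand and stop as soon as a URL repeats, which is the condition acme.sh reports as "Redirect loop detected". It assumes curl is installed; the fetcher is a parameter so the walker can also be run against a fake, offline fetcher, and the hostname in the usage line is a placeholder for your own domain.

```shell
#!/bin/sh
# Added example, not ISPConfig's code: follow redirects for an ACME challenge
# URL one hop at a time and report a loop. Assumes the curl CLI is present.

# curl_status URL -> prints "<http code> <redirect target or empty>"
curl_status() {
    curl -s -o /dev/null --max-time 15 -w '%{http_code} %{redirect_url}\n' "$1"
}

# follow_redirects URL [FETCHER] [MAXHOPS]
#   exit 0: chain ended at a non-redirect response (printed as "<code> <url>")
#   exit 2: a URL repeated (loop) or MAXHOPS was exceeded
#   exit 3: the fetch failed or a redirect carried no Location
# FETCHER is any command that prints "<code> <next-url>"; default curl_status.
follow_redirects() {
    url=$1; fetch=${2:-curl_status}; max=${3:-10}
    seen=" "; hops=0
    while [ "$hops" -le "$max" ]; do
        # the URL list is space-delimited; a repeat means we are going in circles
        case "$seen" in
            *" $url "*) echo "redirect loop at $url"; return 2 ;;
        esac
        seen="$seen$url "
        resp=$("$fetch" "$url") || { echo "fetch failed: $url"; return 3; }
        code=${resp%% *}
        next=${resp#* }
        [ "$next" = "$resp" ] && next=""   # no space in the reply: no target
        case "$code" in
            301|302|303|307|308)
                [ -n "$next" ] || { echo "$code without Location at $url"; return 3; }
                echo "$code $url -> $next"
                url=$next; hops=$((hops + 1)) ;;
            *)
                echo "$code $url"; return 0 ;;
        esac
    done
    echo "more than $max redirects starting at $1"; return 2
}

# Usage (placeholder hostname): the challenge path should end in a 200/404
# without looping, while "/" may legitimately redirect to https.
#   follow_redirects "http://domain.tld/.well-known/acme-challenge/probe"
```

Run it against the plain-http challenge URL of an affected site: a healthy vhost answers the challenge path directly (or after one hop to https), whereas a chain that keeps bouncing between the same URLs is the loop acme.sh complains about, and the printed hops show which rewrite is responsible.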
     
  8. AphexTwin

    AphexTwin New Member

    I checked the ispconfig_install.log and it shows no obvious irregularities. Everything seems to get properly 'executed' and 'configured'. Which term should I grep for to detect deviations?
     
  9. AphexTwin

    AphexTwin New Member

    No, my set-up of the webservers was done only using the ISPC console and I added no values here.
     
  10. AphexTwin

    AphexTwin New Member

    The param file turns out to be empty? Zero bit length. Might it be worthwhile to reinstall postfix and dovecot to force "proper" creation of those files, or would it break ISPConfig?
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    No need to reinstall postfix or dovecot, just create a new dhparam file, e.g.:

    openssl dhparam -out /path/to/dhparam.file 2048

    Just replace /path/to/dhparam.file with the correct path to the file.
     
    ahrasis likes this.
  12. I also use nginx, and to make sure I don't need to update things in two places, my /etc/dovecot/dh.pem is actually just a symbolic link to /etc/nginx/cert/dhparam.pem

    That way, if one of them gets updated, so does the other...
     
    ahrasis likes this.
  13. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    That is good. On how to test your ISPConfig server, I just follow the Please read before posting instructions mostly; https://www.howtoforge.com/community/threads/please-read-before-posting.58408/

    Mine is 4096 bit only, at /etc/ssl/private/, where it is used via symbolic link for all services that need it like postfix, dovecot, pure-ftpd, nginx, etc., but I have never updated it so far.

    There may be a warning for using symbolic link but I think that is nothing to be worried about.
     
    Gwyneth Llewelyn likes this.
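The checks the last few posts describe by hand (is the file there, is it empty like the one found above, how many bits does it hold, regenerate it with openssl dhparam, keep a symlinked copy in step), as an added example that is not ISPConfig's own code and not from this thread. It assumes the openssl CLI and GNU readlink; the paths in the comments are placeholders for your own (for instance /etc/dovecot/dh.pem).

```shell
#!/bin/sh
# Added example, not ISPConfig's code: validate a dhparam file and regenerate
# it when it is missing, empty, unparsable or shorter than a minimum.
# Assumes the openssl CLI; FILE paths are placeholders for your own.

# dh_bits FILE -> prints the modulus length in bits, or nothing when the file
# does not parse as DH parameters (symlinks are followed by openssl).
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_dhparam FILE [MINBITS] -> exit 0 if FILE holds DH parameters of at
# least MINBITS (default 2048, the size ISPConfig is said to create above);
# otherwise prints the reason and exits 1.
check_dhparam() {
    f=$1; min=${2:-2048}
    if [ ! -e "$f" ]; then echo "$f: missing"; return 1; fi
    if [ ! -s "$f" ]; then echo "$f: empty (zero bytes)"; return 1; fi
    bits=$(dh_bits "$f")
    if [ -z "$bits" ]; then echo "$f: not valid DH parameters"; return 1; fi
    if [ "$bits" -lt "$min" ]; then echo "$f: only $bits bit (< $min)"; return 1; fi
    echo "$f: ok, $bits bit"
    return 0
}

# ensure_dhparam FILE [BITS] -> leave a good file alone, otherwise generate a
# fresh one with "openssl dhparam" (slow for 2048/4096 bit, that is normal).
# The new parameters are written to a temp file and moved into place, so a
# half-written file never replaces a working one; when FILE is a symlink the
# link target is regenerated, so every service sharing the link picks it up.
ensure_dhparam() {
    f=$1; bits=${2:-2048}
    if check_dhparam "$f" "$bits"; then return 0; fi
    target=$(readlink -f "$f" 2>/dev/null) || target=$f
    [ -n "$target" ] || target=$f
    tmp="$target.new.$$"
    openssl dhparam -out "$tmp" "$bits" 2>/dev/null || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp"      # DH parameters are public values, not a secret
    mv -f "$tmp" "$target"
    check_dhparam "$f" "$bits"
}

# Usage (placeholder path):
#   ensure_dhparam /etc/dovecot/dh.pem 2048
```

check_dhparam alone is safe to run on a live system and reports exactly the zero-byte case found in post #10; ensure_dhparam changes files, so run it once per shared file and restart the services that load it (dovecot, postfix, nginx) afterwards.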