Getting ERROR: Challenge is invalid (returned: invalid) : Redirect loop detected #521

Closed
opened 2025-12-29 01:26:43 +01:00 by adam · 2 comments
Owner

Originally created by @sglessard on GitHub (Mar 4, 2021).

Hello,

I have 8 domains to secure, this was working great for 3 years under acme-v01. I've updated from acme-v01 to acme-v02 and now I get an error in the challenge process: Redirect loop detected. It does not break at the same domain, seems random (sometimes it's the first one, see log snippet, sometimes it's the 3rd, etc.). Is it about my web servers?

When I request URIs prefixed by /.well-known/acme-challenge with curl or wget, I don't see any redirection: it serves a 200 or 404, depending on whether the file exists or not. There is no http => https redirection. In fact, I can see LE requests in my access logs (200/success):

```
66.133.109.36 - - [04/Mar/2021:10:50:05 -0500] "GET /.well-known/acme-challenge/xug085yTPYQlru9nWMymN_jpfLj7PC8n9qWiQ-XXXXX HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" PID=124287 T=8858 XF=[66.133.109.36] H=10.0.16.3
52.28.236.88 - - [04/Mar/2021:10:50:05 -0500] "GET /.well-known/acme-challenge/xug085yTPYQlru9nWMymN_jpfLj7PC8n9qWiQ-XXXXX HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" PID=14646 T=2605 XF=[52.28.236.88] H=10.0.16.3
```

dehydrated log (domains/IP/token anonymized):

```
jeu mar  4 10:49:45 EST 2021
[...]
Processing [domain] with alternative names: [list of domains]
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Apr  5 15:38:22 2021 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 8 authorizations URLs from the CA
 + Handling authorization for domain1
 + Handling authorization for domain2
 + Handling authorization for domain3
 + Handling authorization for domain4
 + Handling authorization for domain5
 + Handling authorization for domain6
 + Handling authorization for domain7
 + Handling authorization for domain8
 + 8 pending challenge(s)
 + Deploying challenge tokens...
Calling deploy_challenge() hook for domain1
Calling deploy_challenge() hook for domain2
Calling deploy_challenge() hook for domain3
Copy challenge token on domaine3 via scp...
Calling deploy_challenge() hook for domain4
Calling deploy_challenge() hook for domain5
Calling deploy_challenge() hook for domain6
Calling deploy_challenge() hook for domain7
Calling deploy_challenge() hook for domain8
 + Responding to challenge for domain1 authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "During secondary validation: Fetching /.well-known/acme-challenge/xug085yTPYQlru9nWMymN_jpfLj7PC8n9qWiQ-XXXXX: Redirect loop detected",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/113085970000/XXXXXX",
  "token": "xug085yTPYQlru9nWMymN_jpfLj7PC8n9qWiQ-XXXXX",
  "validationRecord": [
    {
      "url": "domaine1/.well-known/acme-challenge/xug085yTPYQlru9nWMymN_jpfLj7PC8n9qWiQ-XXXXX",
      "hostname": "domaine1",
      "port": "80",
      "addressesResolved": [
        "x.x.x.x"
      ],
      "addressUsed": "x.x.x.x"
    }
  ]
})
```

Using dehydrated v0.6.5
Any help to understand what is going on is very welcome.
Thanks

adam closed this issue 2025-12-29 01:26:43 +01:00
Author
Owner

@lukas2511 commented on GitHub (Mar 5, 2021):

This can't be a dehydrated issue as dehydrated itself has no control over this, so I'm closing this issue.

I'm not sure what's going on here. From your logs it seems like you have some proxy setup going on, are you sure that all requests are going to the correct backend? Maybe you have a configuration issue with that? Otherwise I'd suggest running tcpdump on affected hosts port 80 while doing the renewal to catch the request and figure out what's going on. Maybe your 200 returns for whatever reason still have a Location header that might confuse the validation logic?

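The reporter's curl/wget checks and the maintainer's suggestion above (a 200 that still carries a Location header, or a proxy sending some requests to the wrong backend) both come down to one question: what does a validator see when it fetches the challenge URL over plain HTTP and follows redirects hop by hop? The script below is an added diagnostic, not part of dehydrated or of the original thread. It follows a challenge URL without letting the HTTP library auto-follow, records each hop, and reports a verdict: a redirect loop, too many hops, a 200 with a stray Location header, or a plain HTTP error. The `fetch` callable is injectable, so the same logic runs offline against constructed responses (the `*.example` hosts and `MAX_HOPS` value are assumptions made for the example); point `live_fetch` at your own challenge URL to use it for real.

```python
"""Trace an ACME http-01 challenge URL the way a validator would and classify
what it sees. Added example; not dehydrated's own code."""
from urllib.parse import urljoin
import urllib.error
import urllib.request

MAX_HOPS = 10  # assumption: a small hop budget, as validators enforce one


def live_fetch(url, timeout=10):
    """Fetch one URL with redirects disabled; return (status, headers_dict)."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib raise HTTPError on 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return err.code, dict(err.headers)


def trace_challenge(url, fetch=live_fetch, max_hops=MAX_HOPS):
    """Follow `url` hop by hop. Returns {"hops": [(url, status, location)...],
    "verdict": one of ok | redirect_loop | too_many_redirects |
    location_on_success | http_<status>}."""
    seen, hops, current = set(), [], url
    for _ in range(max_hops + 1):
        if current in seen:  # we have been here before: a loop
            return {"hops": hops, "verdict": "redirect_loop"}
        seen.add(current)
        status, headers = fetch(current)
        # header names are case-insensitive; proxies often rewrite the case
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        hops.append((current, status, location))
        if 300 <= status < 400 and location:
            current = urljoin(current, location)  # resolve relative Location
            continue
        if status == 200:
            # a 200 should never carry Location; if it does, flag it separately
            return {"hops": hops, "verdict": "location_on_success" if location else "ok"}
        return {"hops": hops, "verdict": f"http_{status}"}
    return {"hops": hops, "verdict": "too_many_redirects"}


# Constructed responses standing in for web servers (not real hosts): one
# healthy, one bouncing between http and https, one answering 200 with a
# leftover Location header.
TOKEN = "tok"
CHALLENGE = "/.well-known/acme-challenge/" + TOKEN
FAKE_SITES = {
    "http://good.example" + CHALLENGE: (200, {"Content-Type": "text/plain"}),
    "http://loop.example" + CHALLENGE: (301, {"Location": "https://loop.example" + CHALLENGE}),
    "https://loop.example" + CHALLENGE: (302, {"location": "http://loop.example" + CHALLENGE}),
    "http://stray.example" + CHALLENGE: (200, {"Location": "http://stray.example/"}),
}


def fake_fetch(url):
    """Offline stand-in for live_fetch using the constructed table above."""
    return FAKE_SITES.get(url, (404, {}))


def diagnose(hosts, fetch=live_fetch):
    """Map each host to the verdict for its challenge URL on port 80."""
    return {h: trace_challenge("http://" + h + CHALLENGE, fetch=fetch)["verdict"] for h in hosts}


if __name__ == "__main__":
    for host, verdict in diagnose(["good.example", "loop.example", "stray.example",
                                   "missing.example"], fetch=fake_fetch).items():
        print(f"{host:18} {verdict}")
```

Because the validator in the thread reports the failure "During secondary validation", the same check should be repeated from more than one network vantage point (the reporter's own curl succeeded where one of the CA's remote probes did not); running `diagnose` with `live_fetch` from an external host, alongside the tcpdump on port 80 suggested above, separates a web-server misconfiguration from a proxy or routing problem.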
Author
Owner

@sglessard commented on GitHub (Mar 5, 2021):

Thanks, I'll focus on our network then.
All the best

Reference: starred/dehydrated#521