Forum OpenACS Q&A: New Cert: The page isn't redirecting properly

OS: ArchLinux
OpenACS 5.10.1
URL: Celtic-Arts.org

Background: System ran properly from March 10, 2025 until June 9, 2025. The SSL certificate expired on June 9 2025

June 11 2025 Update SSL certificate only.
Now no one can access the website.

Error from Firefox browser: "The page isn't redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete. The problem can sometimes be caused by disabling or refusing to accept cookies."

Note: I have never implemented cookies in OpenACS.
Using Celtic-Arts.org takes you to Celtic-Arts.org/register.

Last time this happened I had to reinstall OpenACS.
Unable to connect using a loop back as well.
Short of a reinstall, does anyone have any suggestions?

Posted by Gustaf Neumann on

If you have only replaced the certificate, I would recommend looking at the differences between your old and new certificate. The interesting things are especially the old and new CN and the old and new SANs (X509v3 Subject Alternative Name).

You can see the content in human readable form via:

openssl x509 -in FULLY_QUALIFIED_CERTIFICATE_FILE.pem -text -noout
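The comparison suggested above can be scripted, so that the fields that matter for a certificate swap (issuer CN, subject CN, SANs, and the Authority Information Access entries, i.e. the OCSP and CA Issuers URLs) are pulled out of two `openssl x509 -text -noout` dumps and diffed. This is an added example, not code from the thread or from OpenACS/NaviServer; the two embedded dumps are abridged, constructed copies modelled on the March and June certificates posted later in this thread, and the parser keys only on the indentation structure of the openssl text output.

```python
import re

# Constructed, abridged openssl dumps modelled on the two certificates in
# this thread: the March one (issuer E5) carries an OCSP URI in AIA, the
# June one (issuer E6) does not. Extra lines in a real dump are harmless.
OLD_CERT_TEXT = """\
Certificate:
    Data:
        Issuer: C=US, O=Let's Encrypt, CN=E5
        Validity
            Not Before: Mar 12 22:54:48 2025 GMT
            Not After : Jun 10 22:54:47 2025 GMT
        Subject: CN=celtic-arts.org
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                OCSP - URI:http://e5.o.lencr.org
                CA Issuers - URI:http://e5.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:*.celtic-arts.org, DNS:celtic-arts.org
"""

NEW_CERT_TEXT = """\
Certificate:
    Data:
        Issuer: C=US, O=Let's Encrypt, CN=E6
        Validity
            Not Before: Jun 11 18:09:31 2025 GMT
            Not After : Sep  9 18:09:30 2025 GMT
        Subject: CN=celtic-arts.org
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Subject Key Identifier:

            Authority Information Access:
                CA Issuers - URI:http://e6.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:*.celtic-arts.org, DNS:celtic-arts.org
"""


def _indent(line):
    return len(line) - len(line.lstrip())


def _block_after(lines, i):
    """Content lines indented deeper than the header at lines[i]."""
    base, out = _indent(lines[i]), []
    for line in lines[i + 1:]:
        if not line.strip():
            continue                      # blank value lines (e.g. elided key ids)
        if _indent(line) <= base:
            break                         # next extension header reached
        out.append(line.strip())
    return out


def parse_x509_text(text):
    """Extract issuer CN, subject CN, expiry, SANs and AIA URLs from
    `openssl x509 -text -noout` output."""
    info = {"issuer_cn": None, "subject_cn": None, "not_after": None,
            "sans": [], "ocsp": [], "ca_issuers": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Issuer:") or s.startswith("Subject:"):
            m = re.search(r"CN\s*=\s*([^,]+)", s)
            key = "issuer_cn" if s.startswith("Issuer:") else "subject_cn"
            info[key] = m.group(1).strip() if m else None
        elif s.startswith("Not After"):
            info["not_after"] = s.split(":", 1)[1].strip()
        elif s == "Authority Information Access:":
            for entry in _block_after(lines, i):
                if entry.startswith("OCSP - URI:"):
                    info["ocsp"].append(entry[len("OCSP - URI:"):])
                elif entry.startswith("CA Issuers - URI:"):
                    info["ca_issuers"].append(entry[len("CA Issuers - URI:"):])
        elif s == "X509v3 Subject Alternative Name:":
            joined = ", ".join(_block_after(lines, i))
            info["sans"] = [n.strip() for n in joined.split(",") if n.strip()]
    return info


def compare_certs(old_text, new_text):
    """Return findings (each prefixed with a short code) describing what
    changed between the old and the new certificate."""
    old, new = parse_x509_text(old_text), parse_x509_text(new_text)
    findings = []
    if old["subject_cn"] != new["subject_cn"]:
        findings.append(f"cn: changed from {old['subject_cn']} to {new['subject_cn']}")
    if set(old["sans"]) != set(new["sans"]):
        findings.append(f"san: changed from {old['sans']} to {new['sans']}")
    if old["issuer_cn"] != new["issuer_cn"]:
        findings.append(f"issuer: changed from {old['issuer_cn']} to {new['issuer_cn']}")
    if old["ocsp"] and not new["ocsp"]:
        findings.append("ocsp: responder URL removed from AIA; a server doing OCSP "
                        "stapling will log that it cannot obtain the AIA URL")
    return findings


if __name__ == "__main__":
    for finding in compare_certs(OLD_CERT_TEXT, NEW_CERT_TEXT):
        print(finding)
```

To run it against real files, read the output of `openssl x509 -in old.pem -text -noout` and the same for the new file into the two variables; a result with no `cn:` or `san:` finding but an `ocsp:` finding is exactly the situation that turned out to be the case in this thread.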
Posted by Tyge Cawthon on
Thank you for your response.
When we compared both .pem files:
CN hostname are the same.

March certificate came from E5
June certificate came from E6

We noticed that the OCSP is not in the June certificate.
Information found about OCSP (x509)
May 7, 2025: OCSP will no longer be issued from certbot (Let's Encrypt)
August 6: OCSP stapling will be completely disabled

Unless we can think of anything else, a fresh install might be the best option.

Please let me know your thoughts and thanks again. I know you have more important things to do.

Posted by Tyge Cawthon on
Found this in the error file:
[15/Jun/2025:21:08:16][42922.7570408806c0][-driver:https:0-] Warning: cert_status: cannot obtain URL for Authority Information Access (AIA), maybe self-signed?
[15/Jun/2025:21:08:16][42922.7570408806c0][-driver:https:0-] Notice: cert_status: OCSP cannot validate the certificate.
Posted by Gustaf Neumann on

That is interesting - and an issue that might soon affect many people. You probably got hit since you obtained a new certificate via certbot. Let's Encrypt has a stepwise phasing out of OCSP, and the situation differs depending on how and when exactly you obtained the certificate. The message "cannot obtain URL for Authority Information Access (AIA)" has to do with the exclusion of the URL in certificates issued after May 7, 2025:

https://letsencrypt.org/2024/12/05/ending-ocsp/

This is something we have to address as well for the forthcoming release of NaviServer 5.

The proper way to deactivate OCSP stapling is to deactivate it in the configuration file:

ns_section ns/module/https {
    ...
    ns_param OCSPstapling          off   ;# off; activate OCSP stapling
    # ns_param OCSPstaplingVerbose on    ;# off; make OCSP stapling more verbose
    # ns_param OCSPcheckInterval   15m   ;# default 5m; OCSP (re)check interval
}

all the best
-g

Posted by Tyge Cawthon on
ns_param OCSPstapling   off  ;# off; activate OCSP stapling

did not solve the problem.

Looking at the logs I found this statement

"Warning: ignore untrusted host header field: 'www.celtic-arts.org'. Consider adding this value to 'whitelistedHosts' in the section 'ns/server/$server/acs' of your configuration file."

I found the /ns/server/$server/acs section but could not find "whitelistedHosts" so I added

ns_param whitelistedHosts {www.celtic-arts.org }

this cleaned up the above warning

However, before and after all the changes above these notices appeared repeatedly, many times:

[-conn:oacs-5-10-0:default:1:1-] Notice: security::validated_host_header: found celtic-arts.org in global virtual server configuration for https
[-conn:oacs-5-10-0:default:1:1-] Notice: rp_filter: aborted url register '' 

Browser error

"The page isn’t redirecting properly
An error occurred during a connection to celtic-arts.org.
This problem can sometimes be caused by disabling or refusing to accept cookies."

Part of the error.log file, to see if this can maybe help troubleshoot:

[-driver:https:0-] Notice: starting
[-driver:https:0-] Notice: https:0: listening on [192.168.4.214]:443
[-driver:https:0-] Notice: driver: accepting connections
[-writer1-] Notice: writer1: accepting connections
[-writer0-] Notice: writer0: accepting connections
[-driver:http:0-] Notice: starting
[-driver:http:0-] Notice: http:0: listening on [192.168.4.214]:80
[-driver:http:0-] Notice: driver: accepting connections
[-writer0-] Notice: writer0: accepting connections
[-driver:nssmtpd:0-] Notice: starting
[-driver:nssmtpd:0-] Notice: nssmtpd:0: listening on [127.0.0.1]:2525
[-driver:nssmtpd:0-] Notice: driver: accepting connections
[-main:oacs-5-10-0-] Notice: nsmain: NaviServer/4.99.31 (tar-4.99.31) running
[-main:oacs-5-10-0-] Notice: nsmain: security info: uid=1001, euid=1001, gid=1002, egid=1002
[-main:oacs-5-10-0-] Notice: smtpd::init: Relay Domains: localhost
[-main:oacs-5-10-0-] Notice: smtpd::init: Local Domains: 127.0.0.1/255.255.255.255 ::1/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
[-sched-] Notice: sched: starting
[-writer1-] Notice: writer1: accepting connections
[-conn:oacs-5-10-0:default:0:0-] Notice: start update interpreter oacs-5-10-0 to epoch 1, concurrent 2
[-conn:oacs-5-10-0:default:1:0-] Notice: start update interpreter oacs-5-10-0 to epoch 1, concurrent 2
[-conn:oacs-5-10-0:default:1:0-] Notice: update interpreter oacs-5-10-0 to epoch 1 done, trace none, time 0.216280 secs concurrent 2
[-conn:oacs-5-10-0:default:1:0-] Notice: thread initialized (0.226145 secs)
[-conn:oacs-5-10-0:default:0:0-] Notice: update interpreter oacs-5-10-0 to epoch 1 done, trace none, time 0.223233 secs concurrent 1
[-conn:oacs-5-10-0:default:0:0-] Notice: thread initialized (0.231519 secs)
[-conn:oacs-5-10-0:default:0:0-] Notice: -- creating per thread sequence table
[-conn:oacs-5-10-0:default:0:0-] Notice: random: generating 1 seed
[-conn:oacs-5-10-0:default:0:0-] Notice: security::validated_host_header: found celtic-arts.org in global virtual server configuration for https
[-conn:oacs-5-10-0:default:0:0-] Notice: rp_filter: aborted url weblog ''
[-tclthread-] Notice: start update interpreter oacs-5-10-0 to epoch 1, concurrent 1
[-tclthread-] Notice: update interpreter oacs-5-10-0 to epoch 1 done, trace none, time 0.202655 secs concurrent 1
[-conn:oacs-5-10-0:default:0:0-] Notice: ::throttle ::xotcl::THREAD->do: --created new persistent ::xotcl::THREAD as tid0x75b92e7fc6c0 pid=51847 (0ms)
[::throttle] Notice: dbdrv: opening database 'postgres:localhost::dbname=oacs-5-10-0'
[::throttle] Notice: nsdbpg(pool1): opening connection to db dbname=oacs-5-10-0 on localhost, port 
[::throttle] Notice: nsdbpg(pool1): opened connection to localhost::dbname=oacs-5-10-0.
[::throttle] Notice: ... AsyncLogFile uses NaviServer ns_asynclogfile
[::throttle] Warning: cannot determine package key from script '': ad_proc -private ::unmap_pool {
:        {-pool slow}
:        {-ms}
:        method
:        url
:      } {
:        Function within throttle monitor thread for registering pool
:        unmapping requests after a specified time. This function has to run
:        in this thread to be able to use "::after".
:      } {
:        if {![info exists ms]} {
:          set ms [::map-slow-pool-duration]
:        }
:        after $ms [list ::xo::unmap_pool -pool $pool $method $url]
:        ns_log notice "slow request: mapping of '$url' moved to '$pool' connection pool will be canceled in $ms ms"
:      } 
:        
:    
[::throttle] Notice: +++ request-monitor: initialize counters
[-nsproxy:reap-] Notice: starting
[::throttle] Warning: ExecPool: getting handle took  12ms (potential configuration issue)
[::throttle] Notice: request-monitor: ignore reload of value 0 for counter user_count_day-non-auth
[-conn:oacs-5-10-0:default:1:1-] Notice: dbdrv: opening database 'postgres:localhost::dbname=oacs-5-10-0'
[-conn:oacs-5-10-0:default:1:1-] Notice: nsdbpg(pool1): opening connection to db dbname=oacs-5-10-0 on localhost, port 
[-conn:oacs-5-10-0:default:1:1-] Notice: nsdbpg(pool1): opened connection to localhost::dbname=oacs-5-10-0.
[-conn:oacs-5-10-0:default:1:1-] Notice: -- creating per thread sequence table
[-conn:oacs-5-10-0:default:1:1-] Notice: security::validated_host_header: found celtic-arts.org in global virtual server configuration for https
[-conn:oacs-5-10-0:default:1:1-] Notice: rp_filter: aborted url register ''
Posted by Gustaf Neumann on
deactivating OCSP did not solve the problem.

I assume this means that the OCSP errors are gone by now, but the redirecting issue is still there.

Concerning whitelisted host names: since I assume you have a single server instance running, all requests will be routed to the single server. By the way, the standard way to define multiple domain names is to list these in the ".../servers" section of the driver module (see the example in https://naviserver.sourceforge.io/5.0/manual/files/admin-config.html#subsection6). The whitelisted hostnames are an OpenACS alternative for this, which might be necessary in containerized setups and older versions of NaviServer, and which should always work anyway.

I am still wondering about your setup, which I do not know: is it the case that you have a single server configuration in your NaviServer configuration file, and you use two domain names for this server, "celtic-arts.org" and "www.celtic-arts.org"? And you have OpenACS 5.10.1 installed, and no host-node maps etc. configured. Right?

Since you have a redirect loop, which seems to come from the /register call, the problem is in "ad_redirect_for_registration" or in "security::get_register_subsite". That hints that you probably have subsites configured. I seem to remember that subsites too might have different registration URLs and policies; maybe there is something wrong on your site.

But still, the mystery for me is that you said you have only updated the certificate. You did not answer my earlier question about the SANs in the old and new certificate.

Posted by Tyge Cawthon on
My apologies for not getting back to you sooner.
We have had an emergency here and I had to take care of it. The emergency is under control.

I briefly read your comments; I will verify that information and report back to you.

Posted by Tyge Cawthon on
Q: I assume, this means that the OCSP errors are gone by now, but the redirecting issue is still there.
A: Yes. OCSP errors are gone. Redirect issue is still there.

Q: Whitelisted
A: Removed the line; went back to the original format from before the redirect issue.

Q: Is celtic-arts.org a single server?
A: Yes.

Config file:
hostname: celtic-arts.org
ns_param domains celtic-arts.org

OpenACS version: 5.10.1

host-node maps: No

Sub sites: yes
Number of sub sites: 3

Summary:
The config file is back to what it was prior to the redirect issue, with the exception of the OCSP statement.

SAN and Certificate
Old certificate:
[root@celtic-arts etc]# cat ssl_breakdown_march2025.txt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
          Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=Let's Encrypt, CN=E5
        Validity
            Not Before: Mar 12 22:54:48 2025 GMT
            Not After : Jun 10 22:54:47 2025 GMT
        Subject: CN=celtic-arts.org
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                X509v3 Authority Key Identifier:
            Authority Information Access:
                OCSP - URI:http://e5.o.lencr.org
                CA Issuers - URI:http://e5.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:*.celtic-arts.org, DNS:celtic-arts.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://e5.c.lencr.org/97.crl

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version  : v1 (0x0)
                    Log ID    :
                    Timestamp : Mar 12 23:53:18.709 2025 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256

                Signed Certificate Timestamp:
                    Version  : v1 (0x0)
                    Log ID    :
                    Timestamp : Mar 12 23:53:18.705 2025 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256

    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:

New Certificate:
[root@celtic-arts etc]# cat ssl_breakdown_june2025.txt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            06:
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=Let's Encrypt, CN=E6
        Validity
            Not Before: Jun 11 18:09:31 2025 GMT
            Not After : Sep  9 18:09:30 2025 GMT
        Subject: CN=celtic-arts.org
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:

                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:

            X509v3 Authority Key Identifier:

            Authority Information Access:
                CA Issuers - URI:http://e6.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:*.celtic-arts.org, DNS:celtic-arts.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://e6.c.lencr.org/23.crl

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version  : v1 (0x0)
                    Log ID    :
                    Timestamp : Jun 11 19:08:01.190 2025 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256

                Signed Certificate Timestamp:
                    Version  : v1 (0x0)
                    Log ID    :
                    Timestamp : Jun 11 19:08:03.229 2025 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256

    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:

Let us know if you want us to do changes, reinstall or testing of other components.

Posted by Gustaf Neumann on

I still do not see an issue. In your earlier messages, you mentioned the domain names "celtic-arts.org" and "www.celtic-arts.org", but you do not mention the latter one in your previous post, explaining the configuration.

The setup to handle multiple domain names on a single server should be something along these lines (maybe as well for the HTTP driver, if you want to allow it):

ns_section ns/module/https {
    ns_param defaultserver $server
    ...
    ns_param hostname celtic-arts.org
    ...
}
ns_section ns/module/https/servers {
    ns_param $server celtic-arts.org
    ns_param $server www.celtic-arts.org
}

If you are using the openacs-config.tcl file from the NaviServer 4.99.31 release, you can set the variable "hostname" to contain multiple space-separated domain names (in your case: "celtic-arts.org www.celtic-arts.org"). In this case, the names are automatically registered for the network drivers, and you do not need to touch the configuration as sketched above.

Do you see the redirection loop on the HTTP or HTTPS URL, with the "www." prefix, or for all four variants?

To understand the redirection loop, I would recommend the following steps:

  • go to a private window and try the URL. This makes sure that no prior settings (cookies, etc.) are in use
  • if the problem persists, use Developer Tools → Network tab to watch the redirect pattern and to see the URLs involved in the loop.

Hope, this brings us further!
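The two diagnostic steps above (try the URL without cookies, then watch the chain of redirects) can also be done from the command line, which is useful when a browser just reports NS_ERROR_REDIRECT_LOOP. The tracer below follows redirects one hop at a time without sending any cookies unless asked to, resolves relative `Location` values, and stops as soon as a URL repeats. This is an added example, not code from the thread or from NaviServer/OpenACS. `simulated_fetch` and `healthy_fetch` are constructed stand-ins modelled on the responses posted later in this thread (every page 302s to `/register/`, and `/register/` 302s to itself); `http_fetch` is the real fetcher, built on the standard library, for use against your own server.

```python
import http.client
from urllib.parse import urljoin, urlsplit


def http_fetch(url, cookies=None):
    """Fetch one URL without following redirects; returns (status, Location)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=10)
    headers = {"Host": parts.hostname, "User-Agent": "redirect-trace/0.1"}
    if cookies:                       # a "private window" is the default: no cookies
        headers["Cookie"] = cookies
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location")


def trace_redirects(start_url, fetch, max_hops=10, cookies=None):
    """Follow redirects by hand, like the browser's Network tab shows them.

    Stops at the first non-3xx response, at a URL already visited (a loop),
    or after max_hops. Returns the chain of URLs plus a verdict."""
    chain, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        status, location = fetch(url, cookies)
        if not (300 <= status < 400) or not location:
            return {"chain": chain, "final_status": status, "loop": False}
        nxt = urljoin(url, location)      # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return {"chain": chain, "final_status": status, "loop": True, "loop_at": nxt}
        seen.add(nxt)
        url = nxt
    return {"chain": chain, "final_status": None, "loop": None}   # undecided


# Constructed stand-in for the misbehaving server described in this thread:
# plain HTTP bounces to HTTPS, every HTTPS page redirects to /register/, and
# /register/ redirects to itself, with or without a session cookie.
def simulated_fetch(url, cookies=None):
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 302, "https://celtic-arts.org" + (parts.path or "/")
    if parts.path != "/register/":
        return 302, "/register/"
    return 302, "https://celtic-arts.org/register/"


# Constructed healthy variant: /register/ serves the login page instead.
def healthy_fetch(url, cookies=None):
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 302, "https://celtic-arts.org" + (parts.path or "/")
    if parts.path != "/register/":
        return 302, "/register/"
    return 200, None


if __name__ == "__main__":
    import sys
    # With a URL argument the real fetcher is used; otherwise the simulator.
    if len(sys.argv) > 1:
        result = trace_redirects(sys.argv[1], http_fetch)
    else:
        result = trace_redirects("http://www.celtic-arts.org/", simulated_fetch)
    for hop, u in enumerate(result["chain"]):
        print(f"{hop}: {u}")
    print("redirect loop" if result["loop"] else f"final status {result['final_status']}")
```

Run it once for each of the four variants (http/https, with and without "www.") to see whether the chains differ; a `loop_at` of `/register/` points at the registration redirect rather than at the TLS driver or the host-header handling.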

Posted by Tyge Cawthon on
The config.tcl file is restored back to its original state that was working before the new certificate, and only using the hostname celtic-arts.org.

After each case, cache was cleared.
case 1: http://celtic-arts.org
case 2: https://celtic-arts.org
case 3: http://www.celtic-arts.org
case 4: https://www.celtic-arts.org

All four cases produce the same results.
Results: NS_ERROR_REDIRECT_LOOP
GET https://celtic-arts.org/register/
Status: 302 Found
Version: HTTP/1.1
Transferred: 408 B (0 B size)
Referrer Policy: strict-origin
Request Priority: Highest

Response Headers (408 B)
HTTP/1.1 302 Found
Server: NaviServer/4.99.31
Date: Tue, 01 Jul 2025 20:24:38 GMT
Location: https://celtic-arts.org/register/
Content-Type: text/html; charset=utf-8
Content-Length: 316
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin

Request Headers (579 B)
GET /register/ HTTP/1.1
Host: celtic-arts.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: ad_session_id="37845301%2c0%2c0%2c1751401478%20{839%201751402678%20A855CBE3572588EC39F5700739D020483E88801E}"
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1

My next plan is to isolate the server on a local network and deactivate SSL to see if the redirects stop or continue.

If redirects continue, I will do a complete re-install. Last option.

It would be nice if I could find the root cause; that could possibly help others who may run into this same issue. Then again, this could be an issue that no one else will ever see. This would be the best scenario.

Posted by Tyge Cawthon on
After doing a fresh install of both install-ns and install-oacs and using the new SSL certfile.pem, celtic-arts.org is up and running.

Observation:
The latest config-oacs-5-10-0.tcl file is very clean and works very well. I did not have to make any modifications for the SSL certificate to work, nor were any variable issues found.

This matter is now closed. Thank you Gustaf.
Excellent job.

Posted by Gustaf Neumann on
This is good news, ... although I would like to know what the problem was. Which version of NaviServer did you install?
Posted by Tyge Cawthon on

Standard install was used in both cases.

I kept everything in the old environment but the database, and plan on going back to see if I can duplicate the issue.

My site setup was very simple. Three sub sites with very little data in each.

The server (NS_ERROR_REDIRECT_LOOP) was using NaviServer 4.99.31. The working and current server is using NaviServer 4.99.30.

SETTINGS
build_dir              (Build directory)                 /usr/local/src
ns_install_dir         (Installation directory)          /usr/local/ns
version_ns             (Version of NaviServer)           4.99.30
git_branch_ns          (Branch for git checkout of ns)   main
version_modules        (Version of NaviServer Modules)   4.99.30
version_tcllib         (Version of Tcllib)               1.20
version_thread         (Version Tcl thread library)      
version_xotcl          (Version of NSF/NX/XOTcl)         2.4.0
version_tcl            (Version of Tcl)                  8.6.16
version_tdom           (Version of tDOM)                 0.9.5
ns_user                (NaviServer user)                 xxxxxxx
ns_group               (NaviServer group)              xxxxxxx
(Make command)         make
(Type command)         type -p
ns_modules             (NaviServer Modules)              nsdbpg
with_mongo             (Add MongoDB client and server)   0
with_postgres          (Install PostgreSQL DB server)    1
with_postgres_driver   (Add PostgreSQL driver support)   1
with_ns_deprecated     (NaviServer with deprecated cmds) 1
with_system_malloc     (Tcl compiled with system malloc) 0
with_debug_flags       (Tcl and nsd compiled with debug) 0
with_ns_doc            (NaviServer documentation)        1
pg_user                (PostgreSQL user)                 xxxxxxxxxxxx
(PostgreSQL include)   /usr/include/postgresql
(PostgreSQL lib)       /usr/lib
(PostgreSQL Packages)  postgresql libpq
Posted by Gustaf Neumann on
Probably, the problem is in the NaviServer 4.99.31 release. The newest NaviServer 4.99.* releases are essentially backports of bug fixes from NaviServer 5. These versions are less extensively tested compared with NaviServer 5.

A few weeks ago I downgraded the default install from NaviServer 4.99.31 to 4.99.30 due to a bug report with spooled forms (typically files uploaded via forms), which is fixed in the newest (unreleased) version of the NaviServer 4.99 release branch.