Redirected you too many times ERR_TOO_MANY_REDIRECTS

I have the opposite issue that others seem to have. When I search for this error, all the results are saying that I no doubt have a redirect on my webserver that is causing a problem but I did a curl test to verify that isn’t the case.

The other answer repeated everywhere is that Flexible SSL/TLS encryption mode is the problem and causes this issue, but moving to Full or Full (Strict) will resolve this.

I have a web server (Linux VPS) where I am hosting 4 sites/domains. Cloudflare is pointing to each. They all have their own SSL certs. I was trying to use the Cloudflare Origin Certs, but the latest beta version of Wordpress has some redirects that didn’t like those certs. I eventually left the Cloudflare Origin certs in my /etc/ssl/certs and /etc/ssl/private paths that can be used, but I ended up generating my own SSL certs on my origin server with Let’s Encrypt (cert bot) that fixed the Wordpress issues. The first 3 sites I set up on this server work with Full (Strict) Encryption and everything is working fine.

I go to setup a 4th site and I get redirect errors with Full or Full Strict, but it works fine with Flexible.

I ran comparisons on my apache site .conf files, my .htaccess files and browser tabs side-by-side to compare Cloudflare settings. The 4 sites are basically setup identically as best as I can tell. I spent all day trying to figure out what the issue is.

My new site literally just has a single static html page up for testing. There is no app or website redirect occurring. If the problem was with the Cloudflare origin certs, I assume I’d get some sort of actual TLS/SSL error and not necessarily the redirect error.

For my next step I might try removing the Let’s Encrypt certs and for this one particular site pointing the Apache site config to the Cloudflare origin certs instead, though if I use Wordpress on this site later (I might) then that might become a problem again.

I have “Always Use HTTPS” on as well as HSTS and “Automatic HTTPS Rewrites” in Cloudflare settings.

When my site is set to Flexible, the Cloudflare Diagnostic Center doesn’t detect any problems. When I set it to Full or Full (Strict) then 5 tests fail:

Check for redirect loops

Check the HTTPS status

Check if redirecting unencrypted HTTP traffic works

Check the site for mixed content

Check site speed (TTFB)

I did the CURL test to verify there is no redirect with my domain name and actual web server IP address (not public IP address through CloudFlare)

curl -ksvo /dev/null http://sricf-nebraska.org --connect-to ::107.155.108.119 2>&1 | egrep -i “< location|< http”

It comes back with a HTTP 200 when set to flexible.

I just changed my Apache2 config for that site to use the Cloudflare Origin SSL certs rather than the Let’s Encrypt ones, reloaded Apache2 and I still have the same error on Full and Full Strict.

Chrome and Edge (also Chromium these days) says:

sricf-nebraska.org redirected you too many times.

ERR_TOO_MANY_REDIRECTS

Safari says there are more than 20 redirects.

Hm, if you use Let’s Encrypt, before renewing or generating the SSL certificate, try to make the A records for your example.com and www.example.com as “gray cloud”.
Then activate “Development mode”.
Run the Let’s Encrypt or Certbot or ACME or cPanel Auto SSL.
Wait it to be success.
After it, make the “cloud” the “orange color”.
Also, do not forget to put in “SSL tab” of the Cloudflare dashboard to “Full SSL”.
It should work.

Also, having in mind to enable the option “Always use HTTPS” and “Automatic HTTPS Rewrites”.

If you are having WordPress or some other CMS, check for Really Simple SSL and even if you were before just on HTTP and now on HTTPS, use plugin Better Search Replace for WordPress to replace all the HTTP to HTTPS links in your database.

Can you write back with your Apache htaccess or Nginx rules?

Maybe it is due to your application routing, for example Vue.js or some other?

Are you redirecting traffic from HTTP to HTTPS (301 redirection)?
Are the port 80 and 443 openned in firewall/iptables on the VPS server?

Is your VPS behind cPanel or using Cloudlinux?

When using the Cloudflare origin SSL, it is better to have “Full (Strict) SSL”.

Hm, if you use Let’s Encrypt, before renewing or generating the SSL certificate

I also tried switching from the Let’s Encrypt certs to the Cloudflare Origin certs and still neither Full nor Full Strict worked.

Now also tested moving both primary A names to Grey / DNS only, Development mode, ran certbot renew, changed back to Orange / Proxied, turned off Development Mode and tested Full and Full Strict again. Still no joy.

I have a VPS with just normal SSH/shell access, no cPanel.

If you are having WordPress or some other CMS, check for Really Simple SSL and even if you were before just on HTTP and now on HTTPS, use plugin Better Search Replace for WordPress to replace all the HTTP to HTTPS links in your database

I’ll check that again with the Wordpress site that was having issues before and see if then can switch that site back over to using the Cloudflare certs What’s I’d REALLY like to ideally do is set up nginx as a reverse proxy pointing to varnish, in turn pointing to apache2. But sadly when I tried what with HTTPS everywhere I had problems passing traffic between them encrypted. Presumably this would give the best performance on a web server. nginx has overtaken apache2 as the supposed most used web server in market share, though I wonder how many are using nginx as the actual web server, or just a reverse proxy front-end before apache2, but I digress. I’d love to see a good updated guide to getting that particular setup working in 2020.

Can you write back with your Apache htaccess or Nginx rules?

Not sure what you mean write back? Do I have full access to them? Yep, full root shell access. I’ve removed the .htaccess file completely and the problem still exists and my apache2 site conf file is the same as the working ones (with different names / paths obviously).

Maybe it is due to your application routing, for example Vue.js or some other?

New website is literally a simple static temp holding index.html until I build the new site. No routing at that level. Even if I just point to a static PNG file, I get the same error.

Are you redirecting traffic from HTTP to HTTPS (301 redirection)?

No, though oddly enough the working sites I do force a HTTP to HTTPS redirect with the site conf files for the ones that are working and have no problem. But this site that isn’t working with Full or Full Strict, I disabled those redirects: Here is an example of the redirect I am using on a working site, but these lines are all commented out on the broken out.

Redirect permanent "/" "https://omahachapterone.org/"

RewriteEngine on
RewriteCond %{SERVER_NAME} =omahachapterone.org [OR]
RewriteCond %{SERVER_NAME} =www.omahachapterone.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Are the port 80 and 443 openned in firewall/iptables on the VPS server?

Yep, with 3 other sites working with Cloudflare and Full Strict.

Is your VPS behind cPanel or using Cloudlinux?

No cPanel and just Debian Testing (I like to live on the bleeding edge with non-critical / personal sites). I don’t run bleeding edge for servers I administer for work.

Here is an image file I’m uploading to one of my other virtual hosts on the same server that is working fine with Cloudflare and Full (Strict). The screenshot shows the Network graph of trying to load the site that isn’t working.

There are twenty 301 redirects and it fails, but the redirects are coming from Cloudflare, not the webserver.

The redirect loop is coming from your server:

This was driving me nuts because when I move to Flexible and do a network trace, there is no redirect. The webpage is a simple index.html with no redirect. No redirect in .htaccess (even tried fully deleting that). No redirect in the site .conf file.

Both curl and Chrome network trace show zero 301 redirects the moment I turn Full (Strict) off and go to Flexible, with no changes on my end.

HOWEVER, I’m an idiot and this was on my end.

I’m looking at one config file for the site (/etc/apache2/sites-available/sricf-nebraska.org.conf) and there is no redirect there and it looks identical to all my sites. I have a VirtualHost for 80 and a VirtualHost for 443.

However, I don’t know why I didn’t see that Let’s Encrypt made a second conf file on their own and also enabled that, so there were two different files each with a VirtualHost on 443, and the Let’s Encrypt one had a redirect in it.

Thankfully I’ve got this fixed but I can’t believe I’ve spent two days looking at this. I was just loading that conf file in a text editor, and I never did a ls on the folder to see if there was magically extra conf files.

1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.