Error Authentication SSL Domain for Odoo service

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: virtus.sintesi.id

I ran this command:

sudo certbot --nginx -d virtus.sintesi.id -d www.virtus.sintesi.id -v

It produced this output:

Date: Tue, 23 Apr 2024 16:48:53 GMT
Content-Type: application/json
Content-Length: 1224
Connection: keep-alive
Boulder-Requester: 1688703877
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 1Th9Qjup2T-NWcSFALUCHzeTtls-spio4H6_2siuq91Vwvx7THA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.virtus.sintesi.id"
  },
  "status": "invalid",
  "expires": "2024-04-30T16:48:49Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "2001:df1:7800:2::7:a261: Invalid response from http://www.virtus.sintesi.id/.well-known/acme-challenge/qOL1O6b_UY-OaG0SQDhjedMUdftldNc3Xjz_u2KQtmA: 404",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/342119717897/nHZQfQ",
      "token": "qOL1O6b_UY-OaG0SQDhjedMUdftldNc3Xjz_u2KQtmA",
      "validationRecord": [
        {
          "url": "http://www.virtus.sintesi.id/.well-known/acme-challenge/qOL1O6b_UY-OaG0SQDhjedMUdftldNc3Xjz_u2KQtmA",
          "hostname": "www.virtus.sintesi.id",
          "port": "80",
          "addressesResolved": [
            "203.194.113.93",
            "2001:df1:7800:2::7:a261"
          ],
          "addressUsed": "2001:df1:7800:2::7:a261",
          "resolverAddrs": [
            "A:10.0.12.85:31867",
            "AAAA:10.0.12.86:22378"
          ]
        }
      ],
      "validated": "2024-04-23T16:48:51Z"
    }
  ]
}
2024-04-23 16:48:53,399:DEBUG:acme.client:Storing nonce: 1Th9Qjup2T-NWcSFALUCHzeTtls-spio4H6_2siuq91Vwvx7THA
2024-04-23 16:48:53,399:INFO:certbot._internal.auth_handler:Challenge failed for domain virtus.sintesi.id
2024-04-23 16:48:53,400:INFO:certbot._internal.auth_handler:Challenge failed for domain www.virtus.sintesi.id
2024-04-23 16:48:53,400:INFO:certbot._internal.auth_handler:http-01 challenge for virtus.sintesi.id
2024-04-23 16:48:53,400:INFO:certbot._internal.auth_handler:http-01 challenge for www.virtus.sintesi.id
2024-04-23 16:48:53,401:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: virtus.sintesi.id
Type: unauthorized
Detail: 2001:df1:7800:2::7:a261: Invalid response from http://virtus.sintesi.id/.well-known/acme-challenge/H5kLSayyuX8L_MXZu_NoMdgRYgCEMX1RmgRBJKv_WpA: 404

Domain: www.virtus.sintesi.id
Type: unauthorized
Detail: 2001:df1:7800:2::7:a261: Invalid response from http://www.virtus.sintesi.id/.well-known/acme-challenge/qOL1O6b_UY-OaG0SQDhjedMUdftldNc3Xjz_u2KQtmA: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

2024-04-23 16:48:53,402:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-04-23 16:48:53,402:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-04-23 16:48:53,402:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-04-23 16:48:54,525:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1287, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 459, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-04-23 16:48:54,526:ERROR:certbot._internal.log:Some challenges have failed.

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22

My hosting provider, if applicable, is: rumahweb.com

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

I'm sorry if someone has already posted this problem. I already searched and Googled, and restored too many times to try every way I could find, but it still does not work. Please help me, I'm new to this.

Hello @ezralds, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results https://letsdebug.net/virtus.sintesi.id/1898209

MultipleIPAddressDiscrepancy
WARNING
virtus.sintesi.id has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.
[Address=2001:df1:7800:2::7:a261,Address Type=IPv6,Server=Apache,HTTP Status=404] vs [Address=203.194.113.93,Address Type=IPv4,Server=nginx/1.18.0 (Ubuntu),HTTP Status=404]
2 Likes

But a dns challenge might work for @ezralds

3 Likes

Side note: at least IPv4 has Port 443 CLOSED.

$ nmap -Pn -p80,443 virtus.sintesi.id
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-23 17:34 UTC
Nmap scan report for virtus.sintesi.id (203.194.113.93)
Host is up (0.22s latency).
Other addresses for virtus.sintesi.id (not scanned): 2001:df1:7800:2::7:a261

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds
$ nmap -Pn -p80,443 www.virtus.sintesi.id
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-23 17:34 UTC
Nmap scan report for www.virtus.sintesi.id (203.194.113.93)
Host is up (0.22s latency).
Other addresses for www.virtus.sintesi.id (not scanned): 2001:df1:7800:2::7:a261

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.93 seconds

Edit for both IPv4 and IPv6

IPv4 Port 80 is OPEN and Port 443 is CLOSED

>nmap -4 -Pn -p80,443 www.virtus.sintesi.id
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-23 17:49 UTC
Nmap scan report for www.virtus.sintesi.id (203.194.113.93)
Host is up (0.20s latency).
Other addresses for www.virtus.sintesi.id (not scanned): 2001:df1:7800:2::7:a261

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 1.44 seconds

IPv6 both Ports 80 & 443 are OPEN

>nmap -6 -Pn -p80,443 www.virtus.sintesi.id
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-23 17:49 UTC
Nmap scan report for www.virtus.sintesi.id (2001:df1:7800:2::7:a261)
Host is up (0.21s latency).
Other addresses for www.virtus.sintesi.id (not scanned): 203.194.113.93

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 1.34 seconds
2 Likes

Using both IPv4 & IPv6 I see

IPv4 is running Nginx

>curl -4 -Ii http://virtus.sintesi.id/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 NOT FOUND
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 23 Apr 2024 17:36:21 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 232
Connection: keep-alive

IPv6 is running Apache

>curl -6 -Ii http://virtus.sintesi.id/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Tue, 23 Apr 2024 17:36:26 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1
2 Likes
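An added example, not part of the original posts: it reads the failed authorization quoted at the top of the thread and pairs each resolved address with the Server header from the curl probes above, showing which address the CA actually connected to and whether the A and AAAA records appear to reach different servers. The function and variable names are assumptions, and the sample data is constructed from values quoted in this thread.

```python
import ipaddress
import json

# Constructed sample: the failed authorization from the first post, trimmed
# to the fields this check reads.
AUTHZ_JSON = """
{"identifier": {"type": "dns", "value": "www.virtus.sintesi.id"},
 "status": "invalid",
 "challenges": [{"type": "http-01", "status": "invalid",
   "validationRecord": [{"hostname": "www.virtus.sintesi.id", "port": "80",
     "addressesResolved": ["203.194.113.93", "2001:df1:7800:2::7:a261"],
     "addressUsed": "2001:df1:7800:2::7:a261"}]}]}
"""

# Server header per address, as reported by the curl -4 / curl -6 probes above.
SERVER_BY_ADDRESS = {
    "203.194.113.93": "nginx/1.18.0 (Ubuntu)",
    "2001:df1:7800:2::7:a261": "Apache",
}

def family(addr):
    """Return 'IPv4' or 'IPv6' for a literal address."""
    return "IPv%d" % ipaddress.ip_address(addr).version

def diagnose(authz, server_by_address):
    """Return one finding per validation record of each failed http-01 challenge."""
    findings = []
    for chall in authz.get("challenges", []):
        if chall.get("type") != "http-01" or chall.get("status") != "invalid":
            continue
        for rec in chall.get("validationRecord", []):
            used = rec["addressUsed"]
            resolved = rec.get("addressesResolved", [])
            servers = {a: server_by_address.get(a) for a in resolved}
            known = {s for s in servers.values() if s is not None}
            findings.append({
                "hostname": rec["hostname"],
                "address_used": used,
                "family_used": family(used),
                "not_used": [a for a in resolved if a != used],
                "servers": servers,
                # More than one distinct Server header suggests the A and
                # AAAA records reach different machines.
                "server_mismatch": len(known) > 1,
            })
    return findings

if __name__ == "__main__":
    for f in diagnose(json.loads(AUTHZ_JSON), SERVER_BY_ADDRESS):
        print(f"{f['hostname']}: CA connected over {f['family_used']} ({f['address_used']})")
        print(f"  resolved but not used: {', '.join(f['not_used']) or 'none'}")
        if f["server_mismatch"]:
            print("  Server headers differ per address:", f["servers"])
```

With the thread's data, the finding shows the challenge was fetched over IPv6 from the Apache host, while Certbot's temporary challenge configuration lives on the nginx host behind the IPv4 address.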

Thanks for the warm welcome for a newbie like me. This is my screenshot of the zone editor; I already made sure to change all the IPs. Am I missing something?

2 Likes

Possibly @ezralds, both IPv4 & IPv6 need to be serving the same content.
Presently they are not, and they are running different server software: one Nginx, the other Apache.

3 Likes

I already opened it before installing the certificate, with these commands:

sudo ufw allow 443
sudo ufw allow 'Nginx Full'

but I still got the same error. For now I have restored to a backup because I already hit the limit on tries to encrypt.

I'm following this tutorial

@ezralds let's take this slowly

First let's get HTTP running the same on both IPv4 & IPv6 for Port 80.

Why is IPv4 running Nginx? Why is IPv6 running Apache?

2 Likes

I don't know if this SSL on my subdomain in cPanel causes the error. Do I need to uninstall it?

IPv4 is running nginx because I followed a tutorial to install Odoo 16 from this

So I'm using nginx. I never did any setup for Apache; how can I check it?

Since you say nginx above

I am assuming that IPv4 is correct and that IPv6 is incorrect.
If you are not using IPv6 (presently) I would recommend removing the DNS AAAA Record for IPv6.

Then retry.

Also if possible testing and debugging are best done using the Staging Environment as the Rate Limits are much higher.

3 Likes

It is looking OK now https://letsdebug.net/virtus.sintesi.id/1898265
And no DNS AAAA Record.
Excellent! :slight_smile:

1 Like

I really hoped this would succeed :smiling_face_with_tear: but it still failed.


this is my firewall setting

Maybe wait a bit of time (although Let's Encrypt uses the authoritative name servers so it should not be necessary).

IPv6 was still in use for the attempt.

1 Like

Wow, you're right. I checked my zone editor and deleted some AAAA DNS records for www.virtus.sintesi.id, and now it got certified.

Thanks a lot, but now I have found another problem: the nginx configuration is not directing my domain to localhost:8069 for my Odoo apps.

3 Likes

Kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist.

1 Like

I think for now it's enough. I have something in mind that I want to try. Thanks for helping me; I have already been doing this for almost 1 month. Thanks a lot.

3 Likes

@ezralds For general nginx information you might find nginx documentation and https://forum.nginx.org/ helpful.

2 Likes