ACME-DNS with IONOS: failing to renew certificate

Dec 1, 2021
Hi,
Renewing our Let's Encrypt certificates worked flawlessly until now.
Any ideas what could have changed with the recent updates towards PVE 7.2?

root@jupiter2:~# pvenode acme cert renew
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/*********/***********

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/************'
The validation for ***.******.net is pending!
[Wed Jun 8 15:05:24 CEST 2022] Error add txt for domain:_acme-challenge.***.******.net'
command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup ionos ***.******.net' failed: exit code 1
Task command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup ionos ***.******.net'' failed: exit code 1


Package versions:
Code:
proxmox-ve: 7.2-1 (running kernel: 5.15.35-1-pve)
pve-manager: 7.2-4 (running version: 7.2-4/ca9d43cc)
pve-kernel-5.15: 7.2-3
pve-kernel-helper: 7.2-3
pve-kernel-5.13: 7.1-9
pve-kernel-5.11: 7.0-10
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.15.30-2-pve: 5.15.30-3
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.11.22-7-pve: 5.11.22-12
pve-kernel-5.11.22-4-pve: 5.11.22-9
ceph-fuse: 15.2.14-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-1
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-2
libpve-storage-perl: 7.2-4
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.12-1
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.1-1
proxmox-backup-file-restore: 2.2.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-1
pve-container: 4.2-1
pve-docs: 7.2-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.4-2
pve-ha-manager: 3.3-4
pve-i18n: 2.7-2
pve-qemu-kvm: 6.2.0-8
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.4-pve1
 
We have the same issue with the IONOS DNS API.
Unfortunately, replacing the /usr/share/proxmox-acme/dnsapi/dns_ionos.sh file with the one from the pull request (https://github.com/acmesh-official/acme.sh/pull/4102) didn't work for us; it only changed the problem.
The DNS TXT record is now correctly created and cleaned up; however, the task still fails with a different error message:

Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/xxxxxxxxx/xxxxxxxxxxx

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxxxxxxxx'
The validation for host.domain.tld is pending!
[Fri Jun 10 11:36:35 CEST 2022] TXT record has been created successfully.
Add TXT record: _acme-challenge.host.domain.tld
Sleeping 120 seconds to wait for TXT record propagation
Triggering validation
[Fri Jun 10 11:38:42 CEST 2022] TXT record has been deleted successfully.
Remove TXT record: _acme-challenge.host.domain.tld
TASK ERROR: failed to execute POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/xxxxxxxxxxxx/x_Ur-Q: http request failed: https://acme-v02.api.letsencrypt.org/acme/chall-v3/xxxxxxxxxxxx/x_Ur-Q: status code 400
 
That sounds like an altogether different problem. You could check the challenge / authz URLs, maybe there is some hint there.
 
I forgot to mention that we have this issue on a Proxmox Mail Gateway Server, not a Proxmox VE.
Maybe there are additional steps needed to solve this?
We tested this on two different servers, and the issue is exactly the same:
- Before replacing the dns_ionos.sh file we get the TXT creation error
- After replacing the file, we get the HTTP 400 error (bad request)
Before IONOS changed its DNS API to 1.0.1 everything was working.

EDIT:
It seems it was a temporary problem on the Let's Encrypt side.
After trying the renewal again to get the responses from challenge / authz URLs, everything just started working.
 
Hi, all / Hi @richii - Is there any other change you did to make this work? I have the same problem: cannot issue certs using google dns plugin on Proxmox Mail Gateway Server - HTTP 400 error

I get this error only on the "prod Let's Encrypt env"; it works just fine on the staging env.
 
Hi @proxuser43,

No, it solved itself while I was trying to debug it. In my testing I had the same error on a different server on a different site, so I figured it had to be some kind of LE server / IONOS plug-in problem.
A few hours later everything just started working.
 
I am still having this issue. Any help appreciated. It worked perfectly fine on OPNsense, so I am guessing there are no issues on the Let's Encrypt side.

 
This is resolved. At Datacenter > ACME > Plugin > dns-ionos, I had extra double quotes that I missed seeing. That caused the issue.
 
Is this really solved? I tried dozens of different ways to enter the API key.
I can't find a site which describes how to set the API key correctly.
 
I was looking for this too, this works for me now.

You need to add under API DATA:
Code:
IONOS_PREFIX = <XXXXXXX>
IONOS_SECRET = <XXXXXXX>
 
I stumbled upon this too. I received the error
Code:
"Cannot find this domain in your IONOS account"
After removing the quotes around the API data, it worked.
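As an added example (not Proxmox's own code), a small Python lint for the API DATA block that catches the stray-quote mistake described in the last few posts. It assumes the block is passed to the plugin as one KEY=VALUE line per credential, and the key names IONOS_PREFIX / IONOS_SECRET come from the working post above.

```python
"""Lint the API DATA block of a Proxmox ACME DNS plugin (added example, not
Proxmox code). Assumes, as the working post shows, one KEY=VALUE per line with
the value handed to the plugin as-is, so typed quotes become part of the secret.
"""

# Keys the dns_ionos plugin expects, from the working post in the thread.
REQUIRED_KEYS = {"ionos": ("IONOS_PREFIX", "IONOS_SECRET")}


def parse_api_data(text):
    """Split the block into {KEY: VALUE}; whitespace around '=' is stripped."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a KEY=VALUE line: {line!r}")
        pairs[key.strip()] = value.strip()
    return pairs


def lint_api_data(text, plugin="ionos"):
    """Return human-readable findings; an empty list means the block looks sane."""
    try:
        pairs = parse_api_data(text)
    except ValueError as exc:
        return [str(exc)]
    findings = [f"missing {k}" for k in REQUIRED_KEYS.get(plugin, ()) if k not in pairs]
    for key, value in pairs.items():
        # Stray quotes travel into the API call: the thread's "Cannot find this
        # domain in your IONOS account" symptom.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            findings.append(f"{key} is wrapped in quotes; enter the bare value")
        elif not value or (value.startswith("<") and value.endswith(">")):
            findings.append(f"{key} is empty or still a <placeholder>")
        elif any(c.isspace() for c in value):
            findings.append(f"{key} contains whitespace")
    return findings


# Constructed sample inputs: the broken entry and the corrected one.
BROKEN = 'IONOS_PREFIX = "abc123"\nIONOS_SECRET = "s3cr3t"\n'
FIXED = "IONOS_PREFIX=abc123\nIONOS_SECRET=s3cr3t\n"

if __name__ == "__main__":
    for label, block in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_api_data(block) or "ok")
```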
 