Getting a working certificate

bea · Apr 9, 2025

Hello.

I tried to get a certificate for my PBS following the documentation but have found many problems.
Now it seems that I finally made it by using certbot.

Code:

root@pbs:~# certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.pbs.mydomain.com -d pbs.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.pbs.mydomain.com and pbs.mydomain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA.
Pass "-v" for more info about challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/pbs.mydomain.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/pbs.mydomain.com/privkey.pem
This certificate expires on 2025-07-07.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

However, despite having received the certificate, HTTPS does not work when visiting my PBS from a browser.

As read above, certbot says my certificate and key are saved at /etc/letsencrypt/live/pbs.mydomain.com/ while the documentation shows a different location and different names ("proxy").

If I go to my server this is what I see at the location mentioned by the documentation:

Code:

root@pbs:~# ls -hal /etc/proxmox-backup/
total 42K
drwx------  2 backup backup   11 Apr  9 08:06 .
drwxr-xr-x 84 root   root    167 Apr  8 22:16 ..
-rw-rw----  1 backup backup    0 Apr  8 17:32 .domains.lck
-rw-------  1 root   root    119 Jan 27 18:49 authkey.key
-rw-r-----  1 root   backup  113 Jan 27 18:49 authkey.pub
-rw-r-----  1 root   backup   86 Jan 27 18:49 csrf.key
-rw-r-----  1 root   backup  142 Apr  9 08:06 domains.cfg
-rw-r-----  1 root   backup 3.2K Jan 27 18:49 proxy.key
-rw-r-----  1 root   backup 2.1K Jan 27 18:49 proxy.pem
-rw-rw----  1 backup backup    0 Mar 16 23:06 tfa.json.lock
-rw-r-----  1 root   backup   38 Jan 27 18:45 user.cfg

And this is what I see at the location mentioned by certbot:

Code:

root@pbs:~# ls -hal /etc/letsencrypt/live/pbs.mydomain.com/
total 16K
drwxr-xr-x 2 root root   7 Apr  8 22:33 .
drwx------ 3 root root   4 Apr  8 22:33 ..
-rw-r--r-- 1 root root 692 Apr  8 22:33 README
lrwxrwxrwx 1 root root  41 Apr  8 22:33 cert.pem -> ../../archive/pbs.mydomain.com/cert1.pem
lrwxrwxrwx 1 root root  42 Apr  8 22:33 chain.pem -> ../../archive/pbs.mydomain.com/chain1.pem
lrwxrwxrwx 1 root root  46 Apr  8 22:33 fullchain.pem -> ../../archive/pbs.mydomain.com/fullchain1.pem
lrwxrwxrwx 1 root root  44 Apr  8 22:33 privkey.pem -> ../../archive/pbs.mydomain.com/privkey1.pem

If things weren't confusing enough, they are symbolic links!
Which take here:

Code:

root@pbs:~# ls -hal /etc/letsencrypt/archive/pbs.mydomain.com/
total 19K
drwxr-xr-x 2 root root    6 Apr  8 22:33 .
drwx------ 3 root root    3 Apr  8 22:33 ..
-rw-r--r-- 1 root root 1.4K Apr  8 22:33 cert1.pem
-rw-r--r-- 1 root root 1.6K Apr  8 22:33 chain1.pem
-rw-r--r-- 1 root root 2.9K Apr  8 22:33 fullchain1.pem
-rw------- 1 root root  241 Apr  8 22:33 privkey1.pem

What should I do?

I would be very grateful if anyone could please help me to have a working certificate : )

Cheers

Chris · Apr 9, 2025

bea said:

Hello.

I tried to get a certificate for my PBS following the documentation but have found many problems.
Now it seems that I finally made it by using certbot.

Code:

root@pbs:~# certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.pbs.mydomain.com -d pbs.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.pbs.mydomain.com and pbs.mydomain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA.
Pass "-v" for more info about challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/pbs.mydomain.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/pbs.mydomain.com/privkey.pem
This certificate expires on 2025-07-07.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

However, despite having received the certificate, HTTPS does not work when visiting my PBS from a browser.

As read above, certbot says my certificate and key are saved at /etc/letsencrypt/live/pbs.mydomain.com/ while the documentation shows a different location and different names ("proxy").

If I go to my server this is what I see at the location mentioned by the documentation:

Code:

root@pbs:~# ls -hal /etc/proxmox-backup/
total 42K
drwx------  2 backup backup   11 Apr  9 08:06 .
drwxr-xr-x 84 root   root    167 Apr  8 22:16 ..
-rw-rw----  1 backup backup    0 Apr  8 17:32 .domains.lck
-rw-------  1 root   root    119 Jan 27 18:49 authkey.key
-rw-r-----  1 root   backup  113 Jan 27 18:49 authkey.pub
-rw-r-----  1 root   backup   86 Jan 27 18:49 csrf.key
-rw-r-----  1 root   backup  142 Apr  9 08:06 domains.cfg
-rw-r-----  1 root   backup 3.2K Jan 27 18:49 proxy.key
-rw-r-----  1 root   backup 2.1K Jan 27 18:49 proxy.pem
-rw-rw----  1 backup backup    0 Mar 16 23:06 tfa.json.lock
-rw-r-----  1 root   backup   38 Jan 27 18:45 user.cfg

And this is what I see at the location mentioned by certbot:

Code:

root@pbs:~# ls -hal /etc/letsencrypt/live/pbs.mydomain.com/
total 16K
drwxr-xr-x 2 root root   7 Apr  8 22:33 .
drwx------ 3 root root   4 Apr  8 22:33 ..
-rw-r--r-- 1 root root 692 Apr  8 22:33 README
lrwxrwxrwx 1 root root  41 Apr  8 22:33 cert.pem -> ../../archive/pbs.mydomain.com/cert1.pem
lrwxrwxrwx 1 root root  42 Apr  8 22:33 chain.pem -> ../../archive/pbs.mydomain.com/chain1.pem
lrwxrwxrwx 1 root root  46 Apr  8 22:33 fullchain.pem -> ../../archive/pbs.mydomain.com/fullchain1.pem
lrwxrwxrwx 1 root root  44 Apr  8 22:33 privkey.pem -> ../../archive/pbs.mydomain.com/privkey1.pem

If things weren't confusing enough, they are symbolic links!
Which take here:

Code:

root@pbs:~# ls -hal /etc/letsencrypt/archive/pbs.mydomain.com/
total 19K
drwxr-xr-x 2 root root    6 Apr  8 22:33 .
drwx------ 3 root root    3 Apr  8 22:33 ..
-rw-r--r-- 1 root root 1.4K Apr  8 22:33 cert1.pem
-rw-r--r-- 1 root root 1.6K Apr  8 22:33 chain1.pem
-rw-r--r-- 1 root root 2.9K Apr  8 22:33 fullchain1.pem
-rw------- 1 root root  241 Apr  8 22:33 privkey1.pem

What should I do?

I would be very grateful if anyone could please help me to have a working certificate : )

Cheers

Hi,
instead of managing the certificates manually/scripted, I would recommend to use the build in acme implementation, see https://pbs.proxmox.com/docs/sysadmin.html#trusted-certificates-via-lets-encrypt-acme

By this the certificates and renewal are managed by the PBS services.

bea · Apr 9, 2025

I missed that. It's much better, thank you.

I am playing with it, trying to get it through the DNS method, but cannot make it and cannot find any detailed guide.

My main question now is, on the "ACME DNS Plugin", which contains 4 fields: Plugin ID, Validation Delay, DNS API and API Data. What should exactly write in the API Data field?

My DNS is on dynu.com.

Thank you

bea · Apr 9, 2025

I think I have found it on this post:

C

Post in thread 'DYNU DDNS ACME anyone ?'

Aug 28, 2020

Finally got it working
Correction the format as below without double quotes

Dynu_ClientId=<your Dynu Client ID>
Dynu_Secret=<your Dynu Secret>
Dynu_Token=<Dynu Token>
Dynu_EndPoint=https://api.dynu.com/v2

However it stills says "Authentication failed" and "Can not get the token". Perhaps it is because I need to create this TXT DNS record?

It seems I have to create a TXT DNS record, it gives me the domain, but not the string. Where can I find that value?

Thanks again.

bea · Apr 9, 2025

Solved!
Now it was this post the one who helped me:

K

Post in thread 'DYNU DDNS ACME anyone ?'

Sep 27, 2023

Hi,

I am currently trying to figure this out as well. Thank you everyone for the posts above. My current stumbling block is that I could not find where my client_ID is on dynu. Is it the OAUTH2 generated key pair? I was not sure? Eventually I found that was the case, and have made an account to share:

Dynu_ClientId=<your Dynu OAuth2 Client ID>
Dynu_Secret=<your Dynu OAuth2 Secret>
Dynu_Token=<Dynu API>
Dynu_EndPoint=https://api.dynu.com/v2

And with this API thing no need to manually do any txt record.

Cheers

Search

Search

Getting a working certificate

bea

Active Member

Chris

Proxmox Staff Member

bea

Active Member

bea

Active Member

Post in thread 'DYNU DDNS ACME anyone ?'

bea

Active Member

Post in thread 'DYNU DDNS ACME anyone ?'

We value your privacy