[SOLVED] PVE 5.2 Lets Encrypt: TASK ERROR: validating challenge failed

fips (Renowned Member, May 5, 2014)
Hi,
Yesterday I upgraded from 5.1 to 5.2, everything works like a charm :)
Today I wanted to set up Let's Encrypt certs, but as soon as I click on "order Certificate" I receive this error:

Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/35096850/5660549

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz/jNOsmFB6vh_0xLMI-QRLJyLJa5dy1imMsdqbAr3yC4M'
... pending!
Setting up webserver
Triggering validation
Sleeping for 5 seconds
TASK ERROR: validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz/jNOsmFB6vh_0xLMI-QRLJyLJa5dy1imMsdqbAr3yC4M' failed

Any ideas?
 
If you take a look at the authorization record (https://acme-v02.api.letsencrypt.org/acme/authz/jNOsmFB6vh_0xLMI-QRLJyLJa5dy1imMsdqbAr3yC4M) you can see the following error:
Code:
     "type": "http-01",
     "status": "invalid",
     "error": {
       "type": "urn:ietf:params:acme:error:unknownHost",
       "detail": "No valid IP addresses found for vmb1.mqmdc.fuerst.it",
       "status": 400
     },

as the docs state, for LE to work you need to fulfill the following pre-requisites:
  1. Port 80 of the node needs to be reachable from the internet.

  2. There must be no other listener on port 80.

  3. The requested (sub)domain needs to resolve to a public IP of the Node.

  4. You have to accept the ToS of Let’s Encrypt.
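The four prerequisites above can be checked from the node before placing an order, except the first one (port 80 reachable from the internet), which has to be tested from an outside host. The script below is an added example written for this thread; it is not part of Proxmox VE or of the original reply. The script name acme-preflight.sh and the hostname vmb1.example.org are assumptions. It classifies every A/AAAA record of the name as public or not (the "No valid IP addresses found" error above means Let's Encrypt saw none it could use) and checks whether something else already holds TCP port 80.

```shell
#!/bin/sh
# acme-preflight.sh: hypothetical pre-flight check for the http-01 prerequisites
# listed above. Added example for this thread, not part of Proxmox VE.
# Prerequisite 1 (port 80 reachable from the internet) cannot be verified from
# the node itself; test it from an outside host, e.g. curl -I http://NAME/ .
# Usage: sh acme-preflight.sh vmb1.example.org   (assumed hostname)

# Prerequisite 3, IPv4 half: 0 if the address is globally routable, i.e. not
# RFC 1918, loopback, link-local, CGNAT (100.64/10), 0/8, or >= 224/8.
is_public_ipv4() {
  ip=$1
  case $ip in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;   # not a dotted quad
  esac
  set -- $(printf '%s' "$ip" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  a=$1 b=$2
  [ "$a" -eq 0 ] && return 1
  [ "$a" -eq 10 ] && return 1
  [ "$a" -eq 127 ] && return 1
  [ "$a" -eq 169 ] && [ "$b" -eq 254 ] && return 1
  [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 1
  [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 1
  [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 1
  [ "$a" -ge 224 ] && return 1
  return 0
}

# Prerequisite 3, IPv6 half: rejects unspecified, loopback, link-local
# (fe80::/10), ULA (fc00::/7) and multicast (ff00::/8); anything else that
# contains a colon is treated as global. getent prints addresses in lowercase.
is_public_ipv6() {
  case $1 in
    *:*) ;;
    *) return 1 ;;
  esac
  case $1 in
    ::|::1|fe[89ab]*:*|f[cd]*:*|ff*:*) return 1 ;;
  esac
  return 0
}

# Prerequisite 2: 0 if no socket is bound to TCP port 80. Reads the output of
# `ss -ltn` on stdin (Local Address:Port is column 4) so it can be fed
# captured text as well as the live listing.
port80_free() {
  ! awk '$4 ~ /:80$/ { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Resolve NAME and require at least one public A/AAAA record; prints one line
# per address and returns 1 with the matching ACME error type if none is usable.
check_domain() {
  name=$1 ok=1
  for addr in $(getent ahosts "$name" | awk '{ print $1 }' | sort -u); do
    if is_public_ipv4 "$addr" || is_public_ipv6 "$addr"; then
      echo "ok: $name -> $addr (public)"; ok=0
    else
      echo "skip: $name -> $addr (not globally routable, Let's Encrypt cannot reach it)"
    fi
  done
  [ $ok -eq 0 ] || echo "FAIL: $name has no public A/AAAA record (urn:ietf:params:acme:error:unknownHost)"
  return $ok
}

# Stand-alone use: run the DNS check for the given name and the listener check.
if [ -n "${1:-}" ]; then
  check_domain "$1"
  if ss -ltn 2>/dev/null | port80_free; then
    echo "ok: nothing else is listening on TCP 80"
  else
    echo "FAIL: another service holds TCP 80; stop it or use a third-party ACME client"
  fi
fi
```

Run it as root on the node with the name you put in `pvenode config set --acme domains=...`. Note that Let's Encrypt prefers the AAAA record when one exists, so a public IPv6 address with nothing answering on port 80 over IPv6 will fail validation even if the IPv4 side is fine.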
 
Hello!
I have some problems registering the account from the GUI interface. In the "Register Account" page, the "ACME Directory" contains nothing.

Fallback to console,
# pvenode acme account register default my@email
!!! only one time per cluster
!!! ensure you select 0, because 1 is acme staging (for tests only)
then on each node run
# pvenode config set --acme domains=my.domain.local
# pvenode acme cert order
(be sure that port 80 is open from the world)

Everything works like a charm. The domain is listed when I click the "Edit domain" button.
Still, the "Register Account" page shows nothing. Bug or lack of configuration?

Proxmox 5.2 (upgraded from 5.1; the initial install was 5.0).

PS: any idea when/if the DNS challenge will be available?
 

Hi, I have the same problem with two new installations of Proxmox 5.2
 
what does
Code:
pvesh get /cluster/acme/directories

on the node you try this show?
 

Code:
200 OK
[
   {
      "name" : "Let's Encrypt V2",
      "url" : "https://acme-v02.api.letsencrypt.org/directory"
   },
   {
      "name" : "Let's Encrypt V2 Staging",
      "url" : "https://acme-staging-v02.api.letsencrypt.org/directory"
   }
]
 
Does the JavaScript console show any errors?
 
Yes, currently the certificate management is root-only, but we will probably change that in the future.
 
Well, but I'm port forwarding 80/TCP to my VMs, so I can't update certificates this way seamlessly.
Can I register only an AAAA record for the hostname, with port 80 listening only on IPv6, to get an LE certificate?
 
In this case you either need to forward port 80 back to the host for the ACME validation subdomains, or wait for DNS challenge support in PVE, or use a third-party ACME client.
 