PDM - acme account to local CA

Horlogrium

Dec 5, 2025
Hi,
I'm trying to set up ACME for the Proxmox Datacenter Manager and I cannot set up an ACME account for a local CA. The only choices are Let's Encrypt or Let's Encrypt Staging.
I know this is the same on PBS but you can use a CLI tool to do it.
I read the documentation but cannot find any info about it.

How can I create an ACME account for a local CA?
 
I don't think this is exposed yet - please file an issue! You can drive the process manually via curl or some other API client, if you want (the Documentation linked in the top bar contains an API viewer).
 
Thanks @Horlogrium, that actually helped!

It took me a bit to use the API correctly thanks to "noobism" (permissions not propagated correctly, firewall blocking some traffic towards the directory server, syntax of the command), but now I have the correct account available for requesting certs.

The question is: Did requesting a cert from local CA via http work for you?
I was stuck at this point due to:
  • Task "acme-new-cert" was running/sleeping/running/sleeping for ages and could not be interrupted via "stop" button on the WebUI (seems to be a bug)
  • This blocked port 80 for other tries (I rebooted pdm to solve it...)
  • Traffic/auth from local CA -> PDM did not work
I saw the request being received in my local CA, and firewall wasn't the issue this time. After the 2nd reboot, it magically "worked" - not sure why.

Edit/Update:
I had changed to another hostname/fqdn for testing purposes before the 2nd reboot. Corrected accordingly; that was the reason why it worked after 2nd reboot. Before that, the "acme-new-cert" task was blocking port tcp:80 as outlined.
 
Hi @Fuegas, glad it has been working for you!
I'm not using the HTTP challenge but the DNS challenge, so I don't know if I could have had this issue.

What hostname/FQDN change did you make? Were the new and the old both registered in the DNS server?
 
Hey @Horlogrium,

I wanted to use another hostname/fqdn just to see if something changes (in both pdm as well as my local CA), but had forgotten that it wasn't set up on DNS. And since the acme request ran against a non-existing DNS entry, and there does not seem to be a timeout mechanism implemented, port 80 was still bound to that process with any further (correct) try.

Funny enough: I just saw that the task "acme-renew-cert" has been running for 15+ hours with "Status is still 'pending', trying again in 10 seconds".
I'll file a bug report now...
 
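The failure described in this thread (an HTTP-01 order for an FQDN missing from DNS, while a stuck task keeps tcp:80 bound) can be caught before requesting a certificate. The following pre-flight check is an added example, not code from the thread or from Proxmox; the function names and the `pdm.example.invalid` hostname are hypothetical, and it only checks from the host itself, so the CA's own resolver and the firewall path still need verifying separately.

```python
import errno
import socket
import sys


def resolve(fqdn):
    """Return the sorted addresses a name resolves to, or [] if it does not."""
    try:
        infos = socket.getaddrinfo(fqdn, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def port_state(port, host="0.0.0.0"):
    """Probe a TCP port by binding it briefly: 'free', 'in use' or 'not bindable'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        # SO_REUSEADDR ignores TIME_WAIT leftovers but still fails on a live listener.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in use"
            if exc.errno == errno.EACCES:
                return "not bindable"  # ports below 1024 need root
            raise
    return "free"


def preflight(fqdn, port=80):
    """Return a list of problems that would stall an HTTP-01 validation."""
    problems = []
    if not resolve(fqdn):
        problems.append(f"{fqdn} does not resolve, the CA cannot reach the responder")
    state = port_state(port)
    if state != "free":
        problems.append(f"tcp:{port} is {state}, the ACME responder cannot listen")
    return problems


if __name__ == "__main__":
    # Constructed placeholder hostname; pass the real FQDN as the first argument.
    name = sys.argv[1] if len(sys.argv) > 1 else "pdm.example.invalid"
    issues = preflight(name)
    print("\n".join(issues) if issues else f"{name}: DNS and tcp:80 look ready")
    sys.exit(1 if issues else 0)
```

Run it as root on the PDM host so that the port 80 probe reports a real conflict rather than a permission error.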