ACME Cert Order Not Working

[duluxoz]

Hi All,

I'm trying to set up a private PKI (Step-CA: stepca.example.com) to provide my PVE (Proxmox v18.2.4) with certificates.

I have the Step-CA server set up and working (I can receive/renew certs via ACME.sh from a different server to the stepca.example.com).

I have run the command:

pvenode acme account register my_acme root at example.com  --directory https://stepca.example.com/acme/my_acme/directory

and this returned:

Attempting to fetch Terms of Service from 'https://stepca.example.com/acme/my_acme/directory'..
No Terms of Service found, proceeding.
Attempting to register account with 'https://stepca.example.com/acme/my_acme/directory'..
Generating ACME account key..
Registering ACME account..
Registration successful, account URL: 'https://stepca.example.com/acme/my_acme/account/PLeTGsgGbogPgnURjpYMuieKc1Yj2cFQ'
Task OK

Running the command:

pvenode acme account info my_acme

returns all the correct information (as above) - the most important part is:

status: valid

However, when I then run the command:

pvenode acme cert order

I receive:

Can't use an undefined value as a HASH reference at /usr/share/perl5/PVE/API2/ACME.pm line 196

Also, when I run the command:

pvenode acme cert renew

I (as expected) receive:

No current (custom) certificate found, please order a new certificate!

Finally, when I run the command:

pvenode cert info

I receive info only about the "pve-root-ca.pem" and "pve-ssl.pem" certificates (again, as expected).

So, if someone could be kind enough to let me know where I've gone wrong, I'd appreciate it.

Cheers

Dulux-Oz

PS: Also, the (on-line) Proxmox doco says (in section 3.12.4. Trusted certificates via Let’s Encrypt (ACME) ) that "You can register and deactivate ACME accounts over the web interface Datacenter -> ACME...", but I can't find that in the Web Interface - has something changed in recent versions of ProxMox?

 

[duluxoz]

Hi All,

Just giving this a bump because I still have the same issue (and I'm only just now getting back to this )

Cheers
dulux-oz

 

[fabian]

please run "pveversion -v" and post the output here

 

[duluxoz]

Hi Fabian,

Results as requested:

proxmox-ve: 8.2.0 (running kernel: 6.8.12-3-pve)
pve-manager: 8.2.9 (running version: 8.2.9/98c7f34632fee424)
proxmox-kernel-helper: 8.1.0
proxmox-kernel-6.8: 6.8.12-4
proxmox-kernel-6.8.12-4-pve-signed: 6.8.12-4
proxmox-kernel-6.8.12-3-pve-signed: 6.8.12-3
proxmox-kernel-6.8.12-1-pve-signed: 6.8.12-1
proxmox-kernel-6.8.4-2-pve-signed: 6.8.4-2
ceph: 18.2.4-pve3
ceph-fuse: 18.2.4-pve3
corosync: 3.1.7-pve3
criu: 3.17.1-2
glusterfs-client: 10.3-5
ifupdown2: 3.2.0-1+pmx11
intel-microcode: 3.20240910.1~deb12u1
ksm-control-daemon: 1.5-1
libjs-extjs: 7.0.0-5
libknet1: 1.28-pve1
libproxmox-acme-perl: 1.5.1
libproxmox-backup-qemu0: 1.4.1
libproxmox-rs-perl: 0.3.4
libpve-access-control: 8.2.0
libpve-apiclient-perl: 3.3.2
libpve-cluster-api-perl: 8.0.10
libpve-cluster-perl: 8.0.10
libpve-common-perl: 8.2.9
libpve-guest-common-perl: 5.1.6
libpve-http-server-perl: 5.1.2
libpve-network-perl: 0.9.8
libpve-rs-perl: 0.8.12
libpve-storage-perl: 8.2.8
libspice-server1: 0.15.1-1
lvm2: 2.03.16-2
lxc-pve: 6.0.0-1
lxcfs: 6.0.0-pve2
novnc-pve: 1.5.0-1
proxmox-backup-client: 3.2.9-1
proxmox-backup-file-restore: 3.2.9-1
proxmox-firewall: 0.5.0
proxmox-kernel-helper: 8.1.0
proxmox-mail-forward: 0.3.1
proxmox-mini-journalreader: 1.4.0
proxmox-offline-mirror-helper: 0.6.7
proxmox-widget-toolkit: 4.3.1
pve-cluster: 8.0.10
pve-container: 5.2.2
pve-docs: 8.2.4
pve-edk2-firmware: 4.2023.08-4
pve-esxi-import-tools: 0.7.2
pve-firewall: 5.0.7
pve-firmware: 3.14-1
pve-ha-manager: 4.0.5
pve-i18n: 3.2.4
pve-qemu-kvm: 9.0.2-4
pve-xtermjs: 5.3.0-3
qemu-server: 8.2.7
smartmontools: 7.3-pve1
spiceterm: 3.3.0
swtpm: 0.8.0+pve1
vncterm: 1.8.0
zfsutils-linux: 2.2.6-pve1

Cheers

 

[fabian]

could you post the output of "pvenode config get"?

 

[duluxoz]

As requested:

startall-onboot-delay: 10

 

[fabian]

the error message/handling is broken, but - you need to define the domain(s) for which to order a certificate

https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_node_domains

 

[duluxoz]

Cool...

So which of the following should be set?:

pvenode config set --property <acme | acmedomain0 | acmedomain1 | acmedomain2 | acmedomain3 | acmedomain4 | acmedomain5 > example.com

Can I assume (ie make an ass out of you and me) that it's acmedomain0?

(No, it is not clear from the documentation / man page )

Cheers

(And thanks for the help )

 

[fabian]

shouldn't matter you can also use the UI to define them

 

[duluxoz]

Thank you