ACME certificate renewal fails with TASK ERROR

thesix

For a couple of days now, our PBS has been trying to renew its x509 cert. We configured it to use our ACME-PROVIDER with the same credentials we use everywhere else. Here is what happens. We get emails stating:
Code:
Proxmox Backup Server was not able to renew a TLS certificate.

Error: connection closed before message completed

Please visit the web interface for further details:
When I try to generate a new certificate manually via the web ui I get this:
Code:
2025-11-11T10:59:30+01:00: Placing ACME order
2025-11-11T10:59:31+01:00: Order URL: https://ACME-PROVIDER/
2025-11-11T10:59:31+01:00: Getting authorization details from 'https://ACME-PROVIDER'
2025-11-11T10:59:32+01:00: HOSTNAME is already validated!
2025-11-11T10:59:32+01:00: All domains validated
2025-11-11T10:59:32+01:00: Creating CSR
2025-11-11T10:59:33+01:00: order is ready, finalizing
2025-11-11T10:59:42+01:00: notified via target `mail-to-root`
2025-11-11T10:59:42+01:00: TASK ERROR: connection closed before message completed

We are on PBS 3.4.7 with no pending upgrades.

ACME-PROVIDER and HOSTNAME are placeholders. What I do not understand is why the process fails. Any help appreciated. Thanks!
 
Based on the log, the connection appears to close 9 seconds after the ACME order enters the finalizing stage, which suggests a network timeout or premature connection reset. It seems PBS keeps the connection open for several seconds while waiting for the ACME provider possibly to complete certificate signing. If a proxy, firewall, or reverse gateway in between enforces short timeouts, it may close the session before PBS receives the response.

Could you maybe check the logs of any firewall, proxy, or other network device that handles PBS’s outgoing HTTPS traffic around the time of the failure? Some devices might enforce short connection or inactivity timeouts; increasing those limits slightly could solve the issue.
 
We did a check on firewall logs and found no anomaly, no trace of dropped packets. I can confirm that the certificates were created but somehow the process stops before successfully retrieving the certificate.

I did try the same process on one of our PVE nodes and it worked flawlessly. PVE and PBS live on the same subnet behind the same firewalls.
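
Added example (not part of the thread and not Proxmox code): a small parser that measures how long each step in the task log from the first post ran and reports the longest step before `TASK ERROR`. Run over a successful task log from the PVE node, the same per-step timings give a baseline for how long finalizing takes there. The function names are hypothetical, and the sample log is the one quoted above with its placeholders.

```python
from datetime import datetime

# Sample input: the PBS task log quoted in the first post (placeholders kept).
TASK_LOG = """\
2025-11-11T10:59:30+01:00: Placing ACME order
2025-11-11T10:59:31+01:00: Order URL: https://ACME-PROVIDER/
2025-11-11T10:59:31+01:00: Getting authorization details from 'https://ACME-PROVIDER'
2025-11-11T10:59:32+01:00: HOSTNAME is already validated!
2025-11-11T10:59:32+01:00: All domains validated
2025-11-11T10:59:32+01:00: Creating CSR
2025-11-11T10:59:33+01:00: order is ready, finalizing
2025-11-11T10:59:42+01:00: notified via target `mail-to-root`
2025-11-11T10:59:42+01:00: TASK ERROR: connection closed before message completed
"""


def parse_task_log(text):
    """Return (timestamp, message) pairs; lines without a leading timestamp are skipped."""
    entries = []
    for line in text.splitlines():
        # The first ": " follows the timestamp; the offset "+01:00" has no space after its colon.
        stamp, sep, message = line.partition(": ")
        if not sep:
            continue
        try:
            entries.append((datetime.fromisoformat(stamp), message))
        except ValueError:
            continue  # not a task-log line (blank line, wrapped text, ...)
    return entries


def step_durations(entries):
    """Seconds each step ran before the next line was logged, paired with the step's message."""
    return [((nxt_ts - ts).total_seconds(), msg)
            for (ts, msg), (nxt_ts, _) in zip(entries, entries[1:])]


def stall_before_error(entries, marker="TASK ERROR"):
    """Return (seconds, step) for the longest step up to the first error line, or None."""
    for i, (_, msg) in enumerate(entries):
        if msg.startswith(marker):
            durations = step_durations(entries[:i + 1])
            return max(durations) if durations else None
    return None  # task log contains no error line


if __name__ == "__main__":
    for seconds, step in step_durations(parse_task_log(TASK_LOG)):
        print(f"{seconds:5.0f}s  {step}")
    print("longest step before error:", stall_before_error(parse_task_log(TASK_LOG)))
```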