I am seeing failures to obtain certs via Let's Encrypt in Proxmox. The documentation shows that it simply leverages the official acme.sh, and I am pointed there for configuration information.
Following the documentation found here: https://pve.proxmox.com/wiki/Certificate_Management:
# pvenode acme account register default le@redacted.domain
# pvenode acme plugin add dns dnsmadeeasy --api me --data ./dnsme.txt --validation-delay 30
# pvenode config set --acmedomain0 pm11.redacted.domain,plugin=dnsmadeeasy
# pvenode acme cert order
Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/50927488/2309578628
Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2188445978'
The validation for pm11.redacted.domain is pending!
[Thu Apr 14 16:52:18 EDT 2022] invalid domain
[Thu Apr 14 16:52:18 EDT 2022] Error add txt for domain:_acme-challenge.pm01.redacted.domain
command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup me pm11.redacted.domain' failed: exit code 1
Task command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup me pm11.redacted.domain' failed: exit code 1
Note that this happens pretty much immediately - there is no delay at all ...
So ... I make the same attempt with the actual acme.sh which is supposedly used on the backend:
# export ME_Key="..."
# export ME_Secret="..."
# acme.sh --issue --dns dns_me -d pm11.redacted.domain --staging
[Thu Apr 14 20:23:41 UTC 2022] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Apr 14 20:23:41 UTC 2022] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Apr 14 20:23:41 UTC 2022] Create account key ok.
[Thu Apr 14 20:23:41 UTC 2022] Registering account: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Apr 14 20:23:42 UTC 2022] Registered
[Thu Apr 14 20:23:42 UTC 2022] ACCOUNT_THUMBPRINT='rtFeqw7ymW5I_95sUT2cZVPVqZ08cnLjWk16dCAeSzU'
[Thu Apr 14 20:23:42 UTC 2022] Creating domain key
[Thu Apr 14 20:23:42 UTC 2022] The domain key is here: /root/.acme.sh/pm11.redacted.domain/pm11.redacted.domain.key
[Thu Apr 14 20:23:42 UTC 2022] Single domain='pm11.redacted.domain'
[Thu Apr 14 20:23:42 UTC 2022] Getting domain auth token for each domain
[Thu Apr 14 20:23:43 UTC 2022] Getting webroot for domain='pm11.redacted.domain'
[Thu Apr 14 20:23:43 UTC 2022] Adding txt value: XTIwW5TbLDOVl0ax_wvcBMQNtcrD_znegFWTvFW2pvE for domain: _acme-challenge.pm11.redacted.domain
[Thu Apr 14 20:23:45 UTC 2022] Adding record
[Thu Apr 14 20:23:46 UTC 2022] Added
[Thu Apr 14 20:23:46 UTC 2022] The txt record is added: Success.
[Thu Apr 14 20:23:46 UTC 2022] Let's check each DNS record now. Sleep 20 seconds first.
[Thu Apr 14 20:24:07 UTC 2022] You can use '--dnssleep' to disable public dns checks.
[Thu Apr 14 20:24:07 UTC 2022] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Thu Apr 14 20:24:07 UTC 2022] Checking pm11.redacted.domain for _acme-challenge.pm11.redacted.domain
[Thu Apr 14 20:24:08 UTC 2022] Domain pm11.redacted.domain '_acme-challenge.pm11.redacted.domain' success.
[Thu Apr 14 20:24:08 UTC 2022] All success, let's return
[Thu Apr 14 20:24:08 UTC 2022] Verifying: pm11.redacted.domain
[Thu Apr 14 20:24:08 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
[Thu Apr 14 20:24:10 UTC 2022] Success
[Thu Apr 14 20:24:10 UTC 2022] Removing DNS records.
[Thu Apr 14 20:24:10 UTC 2022] Removing txt: XTIwW5TbLDOVl0ax_wvcBMQNtcrD_znegFWTvFW2pvE for domain: _acme-challenge.pm11.redacted.domain
[Thu Apr 14 20:24:13 UTC 2022] Removed: Success
[Thu Apr 14 20:24:13 UTC 2022] Verify finished, start to sign.
[Thu Apr 14 20:24:13 UTC 2022] Lets finalize the order.
[Thu Apr 14 20:24:13 UTC 2022] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/50926748/2309417648'
[Thu Apr 14 20:24:14 UTC 2022] Downloading cert.
[Thu Apr 14 20:24:14 UTC 2022] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa5a7d2ba8b8ebb4ca278bb8e25142523411'
[Thu Apr 14 20:24:14 UTC 2022] Cert success.
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
[Thu Apr 14 20:24:14 UTC 2022] Your cert is in: /root/.acme.sh/pm11.redacted.domain/pm11.redacted.domain.cer
[Thu Apr 14 20:24:14 UTC 2022] Your cert key is in: /root/.acme.sh/pm11.redacted.domain/pm11.redacted.domain.key
[Thu Apr 14 20:24:14 UTC 2022] The intermediate CA cert is in: /root/.acme.sh/pm11.redacted.domain/ca.cer
[Thu Apr 14 20:24:14 UTC 2022] And the full chain certs is there: /root/.acme.sh/pm11.redacted.domain/fullchain.cer
This clearly works. What am I missing?
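One way to compare two runs like the ones above side by side, as an added example that is not part of the post, of Proxmox, or of acme.sh: the script below strips the timestamps, extracts the domain that was ordered, every `_acme-challenge` record name the DNS hook touched, the error lines, and whether a certificate was issued. It then flags challenge records whose name does not belong to the ordered domain, which is exactly the discrepancy visible in the pvenode run above (the order is for pm11 but the TXT error names pm01, whether a redaction slip or a real hostname mix-up). The two sample outputs are constructed here and only modelled on the post's logs, with the TXT values shortened.

```python
"""Triage helper for ACME DNS-01 runs: parse pvenode / acme.sh console output
and report the ordered domain, the _acme-challenge record names the DNS hook
touched, the error lines, and whether a certificate was issued.
Added example; not part of Proxmox or acme.sh."""
import re
from dataclasses import dataclass

# Constructed sample output, modelled on the two runs in the post (not verbatim).
PVENODE_OUTPUT = """\
Loading ACME account details
Placing ACME order
The validation for pm11.redacted.domain is pending!
[Thu Apr 14 16:52:18 EDT 2022] invalid domain
[Thu Apr 14 16:52:18 EDT 2022] Error add txt for domain:_acme-challenge.pm01.redacted.domain
command 'setpriv --reuid nobody ... proxmox-acme setup me pm11.redacted.domain' failed: exit code 1
"""

ACMESH_OUTPUT = """\
[Thu Apr 14 20:23:42 UTC 2022] Single domain='pm11.redacted.domain'
[Thu Apr 14 20:23:43 UTC 2022] Adding txt value: XTIw... for domain: _acme-challenge.pm11.redacted.domain
[Thu Apr 14 20:23:46 UTC 2022] The txt record is added: Success.
[Thu Apr 14 20:24:08 UTC 2022] Domain pm11.redacted.domain '_acme-challenge.pm11.redacted.domain' success.
[Thu Apr 14 20:24:10 UTC 2022] Removing txt: XTIw... for domain: _acme-challenge.pm11.redacted.domain
[Thu Apr 14 20:24:14 UTC 2022] Cert success.
"""

TIMESTAMP = re.compile(r"^\[[^\]]*\]\s*")          # leading "[Thu Apr 14 ...]"
ORDERED = re.compile(r"validation for (\S+) is pending|Single domain='([^']+)'")
CHALLENGE = re.compile(r"(_acme-challenge\.[A-Za-z0-9.-]+)")
ERROR = re.compile(r"\b(error|failed|invalid)\b", re.IGNORECASE)
CHALLENGE_PREFIX = "_acme-challenge."


@dataclass
class Triage:
    ordered_domains: list
    challenge_records: list
    errors: list
    issued: bool

    def mismatched_records(self) -> list:
        """Challenge records whose name does not belong to any ordered domain."""
        return [r for r in self.challenge_records
                if r[len(CHALLENGE_PREFIX):] not in self.ordered_domains]


def triage(output: str) -> Triage:
    """Parse pvenode or acme.sh console output into a Triage summary."""
    ordered, records, errors, issued = [], [], [], False
    for raw in output.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if not line:
            continue
        m = ORDERED.search(line)
        if m:
            domain = m.group(1) or m.group(2)
            if domain not in ordered:
                ordered.append(domain)
        for record in CHALLENGE.findall(line):
            record = record.rstrip(".")
            if record not in records:
                records.append(record)
        if ERROR.search(line):
            errors.append(line)
        if line.startswith("Cert success"):
            issued = True
    return Triage(ordered, records, errors, issued)


def report(name: str, output: str) -> None:
    """Print a human-readable summary of one run."""
    t = triage(output)
    print(f"== {name}: ordered={t.ordered_domains} issued={t.issued}")
    print(f"   challenge records: {t.challenge_records}")
    print(f"   records not matching the order: {t.mismatched_records()}")
    for err in t.errors:
        print(f"   error: {err}")


if __name__ == "__main__":
    report("pvenode", PVENODE_OUTPUT)
    report("acme.sh", ACMESH_OUTPUT)
```

Run it against a saved copy of the real `pvenode acme cert order` output (pass the file contents to `triage`) and look at the mismatch list first: a challenge record named for a different host than the one ordered means the DNS hook is being handed the wrong name before the provider API is ever reached, which is consistent with the failure appearing immediately rather than after the validation delay.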