ACME certs with DNS plugin

dhylton (New Member, Mar 25, 2022)
I am seeing failures to obtain certs via Let's Encrypt in Proxmox. The documentation shows that it simply leverages the official acme.sh, and I am pointed there for configuration information.

Following documentation found here: https://pve.proxmox.com/wiki/Certificate_Management:

Code:
# pvenode acme account register default le@redacted.domain
# pvenode acme plugin add dns dnsmadeeasy --api me --data ./dnsme.txt --validation-delay 30
# pvenode config set --acmedomain0 pm11.redacted.domain,plugin=dnsmadeeasy
# pvenode acme cert order
Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/50927488/2309578628
Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2188445978'
The validation for pm11.redacted.domain is pending!
[Thu Apr 14 16:52:18 EDT 2022] invalid domain
[Thu Apr 14 16:52:18 EDT 2022] Error add txt for domain:_acme-challenge.pm01.redacted.domain
command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup me pm11.redacted.domain' failed: exit code 1
Task command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup me pm11.redacted.domain' failed: exit code 1

Note that this happens pretty much immediately; there is no delay at all.


So I make the same attempt with the actual acme.sh, which is supposedly used on the backend:

Code:
# export ME_Key="..."
# export ME_Secret="..."
# acme.sh --issue --dns dns_me -d pm11.redacted.domain --staging
[Thu Apr 14 20:23:41 UTC 2022] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Apr 14 20:23:41 UTC 2022] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Apr 14 20:23:41 UTC 2022] Create account key ok.
[Thu Apr 14 20:23:41 UTC 2022] Registering account: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Apr 14 20:23:42 UTC 2022] Registered
[Thu Apr 14 20:23:42 UTC 2022] ACCOUNT_THUMBPRINT='rtFeqw7ymW5I_95sUT2cZVPVqZ08cnLjWk16dCAeSzU'
[Thu Apr 14 20:23:42 UTC 2022] Creating domain key
[Thu Apr 14 20:23:42 UTC 2022] The domain key is here: /root/.acme.sh/pm11.redacted.domain/pm11.redacted.domain.key
[Thu Apr 14 20:23:42 UTC 2022] Single domain='pm11.redacted.domain'
[Thu Apr 14 20:23:42 UTC 2022] Getting domain auth token for each domain
[Thu Apr 14 20:23:43 UTC 2022] Getting webroot for domain='pm11.redacted.domain'
[Thu Apr 14 20:23:43 UTC 2022] Adding txt value: XTIwW5TbLDOVl0ax_wvcBMQNtcrD_znegFWTvFW2pvE for domain: _acme-challenge.pm11.redacted.domain
[Thu Apr 14 20:23:45 UTC 2022] Adding record
[Thu Apr 14 20:23:46 UTC 2022] Added
[Thu Apr 14 20:23:46 UTC 2022] The txt record is added: Success.
[Thu Apr 14 20:23:46 UTC 2022] Let's check each DNS record now. Sleep 20 seconds first.
[Thu Apr 14 20:24:07 UTC 2022] You can use '--dnssleep' to disable public dns checks.
[Thu Apr 14 20:24:07 UTC 2022] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Thu Apr 14 20:24:07 UTC 2022] Checking pm11.redacted.domain for _acme-challenge.pm11.redacted.domain
[Thu Apr 14 20:24:08 UTC 2022] Domain pm11.redacted.domain '_acme-challenge.pm11.redacted.domain' success.
[Thu Apr 14 20:24:08 UTC 2022] All success, let's return
[Thu Apr 14 20:24:08 UTC 2022] Verifying: pm11.redacted.domain
[Thu Apr 14 20:24:08 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
[Thu Apr 14 20:24:10 UTC 2022] Success
[Thu Apr 14 20:24:10 UTC 2022] Removing DNS records.
[Thu Apr 14 20:24:10 UTC 2022] Removing txt: XTIwW5TbLDOVl0ax_wvcBMQNtcrD_znegFWTvFW2pvE for domain: _acme-challenge.pm11.redacted.domain
[Thu Apr 14 20:24:13 UTC 2022] Removed: Success
[Thu Apr 14 20:24:13 UTC 2022] Verify finished, start to sign.
[Thu Apr 14 20:24:13 UTC 2022] Lets finalize the order.
[Thu Apr 14 20:24:13 UTC 2022] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/50926748/2309417648'
[Thu Apr 14 20:24:14 UTC 2022] Downloading cert.
[Thu Apr 14 20:24:14 UTC 2022] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa5a7d2ba8b8ebb4ca278bb8e25142523411'
[Thu Apr 14 20:24:14 UTC 2022] Cert success.
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
[Thu Apr 14 20:24:14 UTC 2022] Your cert is in: /root/.acme.sh/pm11.redacted.domain/pm11.redacted.domain.cer
[Thu Apr 14 20:24:14 UTC 2022] Your cert key is in: /root/.acme.sh/pm11.redacted.domain/pm11.redacted.domain.key
[Thu Apr 14 20:24:14 UTC 2022] The intermediate CA cert is in: /root/.acme.sh/pm11.redacted.domain/ca.cer
[Thu Apr 14 20:24:14 UTC 2022] And the full chain certs is there: /root/.acme.sh/pm11.redacted.domain/fullchain.cer

This clearly works. What am I missing?
 
Hi!

I have the same problem with the acme-dns plugin...

The Azure plugin is funny too, with just a field "API details" and then... what does it need and in what form? :D
 
Hello,
I'm experiencing this same issue using the Cloudflare plugin.
My certificate is failing to renew:
Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/362965380/80253555060

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/98384050900'
The validation for redacted.domain is pending!
[Tue Apr 19 16:40:07 UTC 2022] Error
[Tue Apr 19 16:40:07 UTC 2022] Error add txt for domain:_acme-challenge.redacted.domain
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup cf redacted.domain' failed: exit code 1

Running PVE 7.1-10
 
I had originally used quotes in the file used for --data, expecting it to be evaluated by the shell. Instead it is read and split on "=" without any further processing. Check the output of pvenode acme plugin config ... to make sure the data values are as you expect.

Using acmedns, my --data file was similar to:

Code:
ACMEDNS_UPDATE_URL=https://auth.acme-dns.io/update
ACMEDNS_USERNAME=b19105a8-c2cc-11ec-88be-a38fede2bca9
ACMEDNS_PASSWORD=NatCed6odPelWik3HuetbasofMavcot9DatwouvD
ACMEDNS_SUBDOMAIN=ca27f644-c2cc-11ec-976d-f7e595fb330a

Additionally, when doing pvenode acme plugin add ..., the data is read ONLY ONCE from the --data file and never read again. So if you want to make changes to your --data file, remove the plugin and add again so it re-reads the data.

Once I re-added the acme plugin, it worked for me. (Using acmedns plugin and PVE 7.1-12)
 
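The answer above boils down to two things: the --data file is stored as literal KEY=VALUE lines (no shell quoting, no expansion), and it is read exactly once at plugin-add time. The script below is an added example, not code from the thread or from Proxmox; it lints a --data file the way a practitioner would before running pvenode acme plugin add, modelling the parsing as the answer describes it (split on the first "=", nothing else interpreted), which is an assumption taken from that post rather than from the Proxmox source. The two sample files it writes are constructed, with placeholder credentials.

```sh
#!/bin/sh
# Added example, not from the thread or from Proxmox: lint a --data file before
# running `pvenode acme plugin add dns <id> --api <api> --data FILE`.
# Assumption taken from the answer above: every line is stored as KEY=VALUE,
# split on the first "=", with no shell quoting, export or expansion applied.
# Files written to $ACME_DATA_DIR are constructed samples, not real credentials.

tab=$(printf '\t')

# Show each line as the plugin would see it: key, then the raw value in [].
acme_data_view() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s\t[%s]\n' "${line%%=*}" "${line#*=}"
    done < "$1"
}

# Report lines that would be stored differently from what a shell user expects.
# Findings go to stderr; the number of findings is printed to stdout.
acme_data_lint() {
    problems=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            *=*) ;;
            *) echo "line $lineno: no '=' at all: $line" >&2
               problems=$((problems + 1)); continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        case "$key" in
            'export '*) echo "line $lineno: 'export' becomes part of the key '$key'" >&2
                        problems=$((problems + 1)) ;;
        esac
        case "$val" in
            \"*\"|\'*\') echo "line $lineno: quotes are stored literally in the value $val" >&2
                         problems=$((problems + 1)) ;;
        esac
        case "$val" in
            *' '|*"$tab") echo "line $lineno: trailing whitespace is stored in the value" >&2
                          problems=$((problems + 1)) ;;
        esac
    done < "$1"
    echo "$problems"
}

# Constructed sample files: one written the way the answer shows, one written
# the way a shell user would (export, quotes, trailing spaces).
ACME_DATA_DIR=$(mktemp -d)
printf '%s\n' \
    'ACMEDNS_UPDATE_URL=https://auth.acme-dns.io/update' \
    'ACMEDNS_USERNAME=example-user' \
    'ACMEDNS_PASSWORD=example-password' \
    'ACMEDNS_SUBDOMAIN=example-subdomain' > "$ACME_DATA_DIR/good.txt"
printf '%s\n' \
    'export ME_Key="abc123"' \
    "ME_Secret='s3cret'" \
    'ACMEDNS_UPDATE_URL=https://auth.acme-dns.io/update   ' \
    'NOEQUALS' > "$ACME_DATA_DIR/bad.txt"

# Usage: lint, then view. After fixing the file, re-add the plugin, because the
# file is only read once at `pvenode acme plugin add` time, and confirm with
# `pvenode acme plugin config <id>` that the stored values are what you expect.
acme_data_lint "$ACME_DATA_DIR/bad.txt"   # 5 findings on stderr, then "5"
acme_data_view "$ACME_DATA_DIR/good.txt"
```

The lint deliberately flags only what the answer says gets stored verbatim: an "export " prefix (it ends up inside the key), surrounding quotes (they end up inside the value), trailing whitespace, and lines with no "=" at all. Run it against the file you will pass to --data, fix whatever it reports, then remove and re-add the plugin as the answer describes.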