[SOLVED] ACME-DNS certificate renewal failed PM VE 7.4-3

bubbleaegis
hello everyone, I find that with the latest updates of Proxmox, certificates are no longer renewed via Let's Encrypt.
I have several servers with Proxmox in our locations. I noticed that in the plug-in settings ACMEDNS_BASE_URL was empty; I'm sure it was previously filled in, but for about 2 months it has been empty, I think some update did it. I filled it in but unfortunately nothing has changed: the certificate keeps not renewing and always gives the same error.
The certificate has always renewed previously, so I would exclude something related to DNS records in my domain.

Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/786659446/174862789187

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/217727787917'
The validation for cmox.XYZ.it is pending!
[Thu Apr 13 05:08:17 CEST 2023] Using acme-dns
[Thu Apr 13 05:08:17 CEST 2023] invalid response of acme-dns
[Thu Apr 13 05:08:17 CEST 2023] Error add txt for domain:_acme-challenge.cmox.XYZ.it

TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup acmedns cmox.XYZ.it' failed: exit code 1
 

Attachments: Schermata del 2023-04-13 10-15-47.png
1. I hope those aren't your actual DNS credentials; if they are, I highly recommend updating them as soon as possible
2. are you sure the credentials are correct? the error message doesn't give much of a hint unfortunately; maybe you could try setting DEBUG=1 in /usr/share/proxmox-acme/proxmox-acme (temporarily) to get more output?
 
1. they are there to do this test, on a server I am preparing. once this problem is solved I will have to delete them.
2. yes, the credentials are correct; they have worked for a long time and have not been changed.
I have enabled DEBUG=1 but see no difference in the logs
 
then you could try changing the two _debug commands in /usr/share/proxmox-acme/dnsapi/dns_acmedns.sh into _info, like so:

Code:
  _debug data "$data"
  response="$(_post "$data" "$ACMEDNS_UPDATE_URL" "" "POST")"
  _debug response "$response"


Code:
  _info "$data"
  response="$(_post "$data" "$ACMEDNS_UPDATE_URL" "" "POST")"
  _info "$response"

and retry? the log should then contain the request body and the response by ACME-DNS
 
thank you @fabian, I made the change and requested a certificate renewal:

Code:
The validation for cmox.XYZ.it is pending!
[Fri Apr 14 10:44:45 CEST 2023] Using acme-dns
[Fri Apr 14 10:44:45 CEST 2023] data
[Fri Apr 14 10:44:46 CEST 2023] response
[Fri Apr 14 10:44:46 CEST 2023] invalid response of acme-dns
[Fri Apr 14 10:44:46 CEST 2023] Error add txt for domain:_acme-challenge.cmox.XYZ.it
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup acmedns cmox.XYZ.it' failed: exit code 1

doesn't look very different ...
 
sorry, missed that the two helpers have different number of arguments - see my edited post!
 
Code:
The validation for cmox.XYZ.it is pending!
[Fri Apr 14 14:06:16 CEST 2023] Using acme-dns
[Fri Apr 14 14:06:16 CEST 2023] {"subdomain":"e381a238-8797-4eaa-80b5-63c5b8391931", "txt": "SCKBvvXXw8re4xzdDa5cEg40H9ZibBNt2-9i3OVsNOY"}
[Fri Apr 14 14:06:17 CEST 2023] 404 page not found
[Fri Apr 14 14:06:17 CEST 2023] invalid response of acme-dns
[Fri Apr 14 14:06:17 CEST 2023] Error add txt for domain:_acme-challenge.cmox.XYZ.it
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup acmedns cmox.XYZ.it' failed: exit code 1
 
yeah, so acme-dns responds with 404 to the POST request
- either the URL is wrong or the service is down at the moment (it seems this is only a test instance by the upstream author, you are supposed to host it yourself!)
- or your account is no longer valid or misconfigured, and that is ACME-DNS' way of telling you so
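The 404 above comes from the URL the helper posts to, which it derives from ACMEDNS_BASE_URL. The following added example (not code from the thread or from the proxmox-acme plugin) reproduces that derivation and the helper's success test as small shell functions, so the effect of a base URL that already ends in /update can be checked offline. Assumptions: the helper builds the update endpoint as "$ACMEDNS_BASE_URL/update" with https://auth.acme-dns.io as the default base, and treats a reply as valid only when it echoes the TXT value back.

```shell
#!/bin/sh
# Added example, not part of the thread or the plugin.
# Default base used when the plugin field is left empty (assumption: same
# default as the acme.sh dns_acmedns.sh helper).
ACMEDNS_DEFAULT_BASE="https://auth.acme-dns.io"

# Build the update endpoint the way the helper does: base + "/update".
# A trailing slash on the base is tolerated; a trailing "/update" is not
# detected here, so it ends up doubled (the misconfiguration in this thread).
acmedns_update_url() {
  base="${1:-$ACMEDNS_DEFAULT_BASE}"
  printf '%s/update\n' "${base%/}"
}

# Configuration check: return 1 when the base already carries the /update
# path, which would make the helper POST to .../update/update and get a 404.
acmedns_check_base() {
  case "${1%/}" in
    */update) return 1 ;;
    *) return 0 ;;
  esac
}

# JSON body the helper POSTs (same shape as the logged request line above).
acmedns_body() {
  printf '{"subdomain":"%s","txt":"%s"}\n' "$1" "$2"
}

# Mirror of the helper's validity test (assumption): the reply must contain
# the TXT value; a "404 page not found" body fails and is reported as
# "invalid response of acme-dns".
acmedns_response_ok() {
  case "$1" in
    *"$2"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone run: show what happens with the base URL used in this thread.
for base in "" "https://auth.acme-dns.io/update"; do
  if acmedns_check_base "$base"; then
    echo "ok:  base='$base' -> $(acmedns_update_url "$base")"
  else
    echo "bad: base='$base' -> $(acmedns_update_url "$base") (path doubled)"
  fi
done
```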
 
I don't think the service is offline ... if I try to request a registration I get a response ...
I use this link in the ACMEDNS_BASE_URL field: https://auth.acme-dns.io/update
How could the ACME configuration be messed up? Actually, I have also tried wiping the whole configuration and starting from scratch.
I am also trying on a newly prepared server and it gives me the same error; I find it strange that there too the field is all blank....
 
wow! yes the field must be empty!

only now I had a problem when renewing the certificate on another server:
An error occurred while connecting to xxxx.XYZ.it:8006.

PR_END_OF_FILE_ERROR

Error code: PR_END_OF_FILE_ERROR

The page you are trying to view cannot be displayed because the authenticity of the received data cannot be verified.
Please contact the person responsible for the website to inform them of the problem.
 
please post the logs of pveproxy on that other server (journalctl -u pveproxy)
 
it seems to be from February...

Code:
# journalctl -u pveproxy
-- Journal begins at Sat 2023-02-25 18:27:16 CET, ends at Mon 2023-04-17 17:19:37 CEST. --
feb 25 18:27:25 umox systemd[1]: Starting PVE API Proxy Server...
feb 25 18:27:26 umox pvecm[1299]: Generating public/private rsa key pair.
feb 25 18:27:26 umox pvecm[1299]: Your identification has been saved in /root/.ssh/id_rsa
feb 25 18:27:26 umox pvecm[1299]: Your public key has been saved in /root/.ssh/id_rsa.pub
feb 25 18:27:26 umox pvecm[1299]: The key fingerprint is:
feb 25 18:27:26 umox pvecm[1299]: SHA256:XXXXXXXXXXXXXX root@YYYY
feb 25 18:27:26 umox pvecm[1299]: The key's randomart image is:
feb 25 18:27:26 umox pvecm[1299]: +---[RSA 2048]----+
XXXXXXXXXXX

feb 25 18:27:26 umox pvecm[1299]: +----[SHA256]-----+
feb 25 18:27:28 umox pvecm[1296]: got inotify poll request in wrong process - disabling inotify
feb 25 18:27:29 umox pveproxy[1314]: starting server
feb 25 18:27:29 umox pveproxy[1314]: starting 3 worker(s)
feb 25 18:27:29 umox pveproxy[1314]: worker 1315 started
feb 25 18:27:29 umox pveproxy[1314]: worker 1316 started
feb 25 18:27:29 umox pveproxy[1314]: worker 1317 started
feb 25 18:27:29 umox systemd[1]: Started PVE API Proxy Server.
feb 25 18:30:56 umox systemd[1]: Reloading PVE API Proxy Server.
feb 25 18:30:57 umox pveproxy[13939]: send HUP to 1314
feb 25 18:30:57 umox pveproxy[1314]: received signal HUP
feb 25 18:30:57 umox pveproxy[1314]: server closing
feb 25 18:30:57 umox pveproxy[1314]: server shutdown (restart)
feb 25 18:30:57 umox systemd[1]: Reloaded PVE API Proxy Server.
feb 25 18:30:58 umox pveproxy[1314]: restarting server
feb 25 18:30:58 umox pveproxy[1314]: starting 3 worker(s)
feb 25 18:30:58 umox pveproxy[1314]: worker 13952 started
feb 25 18:30:58 umox pveproxy[1314]: worker 13953 started
feb 25 18:30:58 umox pveproxy[1314]: worker 13954 started
feb 25 18:31:03 umox pveproxy[1317]: worker exit
feb 25 18:31:03 umox pveproxy[1315]: worker exit
feb 25 18:31:03 umox pveproxy[1314]: worker 1317 finished
feb 25 18:31:03 umox pveproxy[1314]: worker 1315 finished
feb 25 18:31:03 umox pveproxy[1314]: worker 1316 finished
feb 25 18:31:04 umox pveproxy[14597]: got inotify poll request in wrong process - disabling inotify
feb 25 18:31:58 umox systemd[1]: Stopping PVE API Proxy Server...
feb 25 18:31:59 umox pveproxy[1314]: received signal TERM
feb 25 18:31:59 umox pveproxy[1314]: server closing
feb 25 18:31:59 umox pveproxy[13952]: worker exit
feb 25 18:31:59 umox pveproxy[13953]: worker exit
feb 25 18:31:59 umox pveproxy[1314]: worker 13953 finished
feb 25 18:31:59 umox pveproxy[1314]: worker 13952 finished
feb 25 18:31:59 umox pveproxy[1314]: worker 13954 finished
 
there should be log lines after that..
 
sorry fabian, what an idiot I made of myself :p

Code:
apr 14 20:43:37 umox systemd[1]: Starting PVE API Proxy Server...
apr 14 20:43:39 umox pveproxy[1324]: Using '/etc/pve/local/pveproxy-ssl.pem' as certificate for the web interface.
apr 14 20:43:39 umox pveproxy[1326]: starting server
apr 14 20:43:39 umox pveproxy[1326]: starting 3 worker(s)
apr 14 20:43:39 umox pveproxy[1326]: worker 1327 started
apr 14 20:43:39 umox pveproxy[1326]: worker 1328 started
apr 14 20:43:39 umox pveproxy[1326]: worker 1329 started
apr 14 20:43:39 umox systemd[1]: Started PVE API Proxy Server.
apr 14 20:45:50 umox systemd[1]: Stopping PVE API Proxy Server...
apr 14 20:45:51 umox pveproxy[1326]: received signal TERM
apr 14 20:45:51 umox pveproxy[1326]: server closing
apr 14 20:45:51 umox pveproxy[1329]: worker exit
apr 14 20:45:51 umox pveproxy[1327]: worker exit
apr 14 20:45:51 umox pveproxy[1328]: worker exit
apr 14 20:45:51 umox pveproxy[1326]: worker 1329 finished
apr 14 20:45:51 umox pveproxy[1326]: worker 1327 finished
apr 14 20:45:51 umox pveproxy[1326]: worker 1328 finished
apr 14 20:45:51 umox pveproxy[1326]: server stopped
apr 14 20:45:52 umox systemd[1]: pveproxy.service: Succeeded.
apr 14 20:45:52 umox systemd[1]: Stopped PVE API Proxy Server.
apr 14 20:45:52 umox systemd[1]: pveproxy.service: Consumed 2.614s CPU time.
apr 14 20:45:52 umox systemd[1]: Starting PVE API Proxy Server...
apr 14 20:45:53 umox pveproxy[2672]: Using '/etc/pve/local/pveproxy-ssl.pem' as certificate for the web interface.
apr 14 20:45:53 umox pveproxy[2673]: starting server
apr 14 20:45:53 umox pveproxy[2673]: starting 3 worker(s)
apr 14 20:45:53 umox pveproxy[2673]: worker 2674 started
apr 14 20:45:53 umox pveproxy[2673]: worker 2675 started
apr 14 20:45:53 umox pveproxy[2673]: worker 2676 started
apr 14 20:45:53 umox systemd[1]: Started PVE API Proxy Server.
apr 15 00:00:06 umox systemd[1]: Reloading PVE API Proxy Server.
apr 15 00:00:07 umox pveproxy[43623]: send HUP to 2673
apr 15 00:00:07 umox pveproxy[2673]: received signal HUP
apr 15 00:00:07 umox pveproxy[2673]: server closing
apr 15 00:00:07 umox pveproxy[2673]: server shutdown (restart)
apr 15 00:00:07 umox systemd[1]: Reloaded PVE API Proxy Server.
apr 15 00:00:08 umox pveproxy[2673]: Using '/etc/pve/local/pveproxy-ssl.pem' as certificate for the web interface.
apr 15 00:00:08 umox pveproxy[2673]: restarting server
apr 15 00:00:08 umox pveproxy[2673]: starting 3 worker(s)
apr 15 00:00:08 umox pveproxy[2673]: worker 43665 started
apr 15 00:00:08 umox pveproxy[2673]: worker 43666 started
apr 15 00:00:08 umox pveproxy[2673]: worker 43667 started
apr 15 00:00:13 umox pveproxy[2674]: worker exit
apr 15 00:00:13 umox pveproxy[2676]: worker exit
apr 15 00:00:13 umox pveproxy[2675]: worker exit
apr 15 00:00:13 umox pveproxy[2673]: worker 2674 finished
apr 15 00:00:13 umox pveproxy[2673]: worker 2675 finished
apr 15 00:00:13 umox pveproxy[2673]: worker 2676 finished
lines 400-450/450 (END)
 
that does look okay. does the output of openssl x509 -in /etc/pve/local/pveproxy-ssl.pem -noout -text look sensible?
 
I have compared the result with other Proxmox servers that I manage; there seems to be no difference that would indicate an error.
 
do you have some kind of reverse proxy in between? is the system in question part of a cluster?
 
no, it's a server at one of our sites, there are no proxies or anything; this problem occurred when I requested the new Let's Encrypt certificate, which couldn't be renewed... I was accessing it until just before renewing the certificate.
 