[SOLVED] ACME DNS Challenge via Netcup API not working (Proxmox VE 7.0)

merope (New Member)
Aug 14, 2021
Hello,
I am trying to get a valid LE certificate via DNS for my Proxmox host; the machine is running in the LAN.

My procedure was:
[For Datacenter]
1. Adding LE Account in the ACME Plugin
- LE-Staging
- LE-Production

2. Adding a Challenge Plugin for Netcup
(Had to change the syntax from the acme.sh site so that Proxmox does not reject it)
NC_Apikey=++++
NC_Apipw=++++
NC_CID=++++
Validation Delay: 500

[For Node]
1. Ordered a Certificate via DNS with the mentioned Netcup-API-Plugin for proxmox.mydomain.eu with the LE-Staging account
Everything worked well
Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/******/*****
Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/*****'
proxmox.*****.eu is already validated!
All domains validated!
Creating CSR
Checking order status
Order is ready, finalizing order
valid!
Downloading certificate
Setting pveproxy certificate and key
Restarting pveproxy
TASK OK

2. Changed to the LE-Production account for the real certificate and got the following error:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/****
Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/*****'
The validation for proxmox.*****.eu is pending!/*****'
[Sat Aug 14 22:10:54 CEST 2021] Add TXT record: _acme-challenge.proxmox.****.eu
Sleeping 500 seconds to wait for TXT record propagation
Triggering validation
bad Nonce, retrying
Sleeping for 5 seconds
[Sat Aug 14 22:19:25 CEST 2021] Remove TXT record: _acme-challenge.****.klugmann.eu
TASK ERROR: validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/****' failed - status: invalid

In my understanding the staging validation worked well, but the real validation got the bad Nonce. Can someone help or point me in the right direction?
Help would be much appreciated.
Thank you
 
Usually the badNonce issue should be transient (this is why the Proxmox ACME implementation retries it).

On a hunch: does it work if you try it again after a while, or does the bad Nonce error remain?
 
Please verify that the new TXT entry (it should be visible in the Netcup CCP's domain editor) has actually propagated through to the outer DNS servers (e.g. check against the result of dig @8.8.8.8 TXT _acme-challenge.yourdomain.tld) after those 500 seconds of wait time. One reason for an "invalid" status could be that the ACME server still found the old staging value in there.
 
Still works in 2023; the timeout needs to be a lot higher than the TTL of the Netcup DNS zone. I had a TTL of 60, but the timeout needed to be 600 to make it work.
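The propagation check the two replies above describe (query public resolvers after the delay, confirm the new token is served and the old staging value is gone, and size the validation delay against the zone TTL), written out as an added Python example. This is not code from the thread, from Proxmox or from Netcup. It assumes dig is installed for the live query; the resolver list, the 10x TTL multiplier (taken from the 60 s TTL vs 600 s timeout report above) and the sample dig output used in the offline helpers are assumptions or constructed values.

```python
"""Check that an _acme-challenge TXT record has reached public resolvers.

Added example for this thread; not code from Proxmox, Netcup or the posters.
Assumes `dig` (bind9-dnsutils) is installed for the live query. The resolver
list and the delay heuristic are assumptions; the offline helpers need nothing.
"""
import shlex
import subprocess
import sys
import time
from typing import Dict, List, Optional, Tuple

# Assumption: any reachable public resolvers will do; these are just examples.
PUBLIC_RESOLVERS = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]


def challenge_name(hostname: str) -> str:
    """dns-01 looks up TXT at _acme-challenge.<hostname> (hyphen, not underscore)."""
    return "_acme-challenge." + hostname.rstrip(".")


def parse_dig_short(output: str) -> List[str]:
    """Turn `dig +short TXT` output into a list of TXT values.

    dig prints each record as one or more quoted strings ("abc" "def");
    adjacent strings belong to one record and are concatenated.
    """
    values = []
    for line in output.splitlines():
        line = line.strip()
        if line:
            values.append("".join(shlex.split(line)))
    return values


def query_txt(name: str, resolver: str, timeout: int = 5) -> List[str]:
    """Ask one resolver directly (bypassing the local cache) for the TXT record."""
    cmd = ["dig", "+short", f"+time={timeout}", "+tries=1", "@" + resolver, "TXT", name]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_dig_short(proc.stdout)


def propagation_status(answers: Dict[str, List[str]], expected: str,
                       stale: Optional[str] = None) -> Tuple[str, List[str]]:
    """Classify what the resolvers return.

    'ok'      every resolver serves the expected token and none serves the old one
    'stale'   at least one resolver still serves the old (e.g. staging) token,
              i.e. a cached answer from before the record was replaced
    'missing' at least one resolver does not serve the expected token yet
    """
    status, problems = "ok", []
    for resolver, values in answers.items():
        if stale is not None and stale in values:
            status = "stale"
            problems.append(f"{resolver}: still serves old value {stale!r}")
        elif expected not in values:
            if status != "stale":
                status = "missing"
            problems.append(f"{resolver}: expected value not present, got {values!r}")
    return status, problems


def recommended_delay(zone_ttl: int, multiplier: int = 10, floor: int = 120) -> int:
    """Validation delay to configure in the challenge plugin, in seconds.

    Assumption: the 10x multiplier is taken from the report in this thread that a
    60 s TTL needed a 600 s timeout; the floor is an arbitrary lower bound.
    """
    return max(floor, multiplier * zone_ttl)


def wait_for_propagation(name: str, expected: str, stale: Optional[str] = None,
                         resolvers=PUBLIC_RESOLVERS, max_wait: int = 600,
                         interval: int = 30) -> Tuple[str, List[str]]:
    """Poll the resolvers until all serve the new token or max_wait elapses."""
    deadline = time.monotonic() + max_wait
    while True:
        answers = {r: query_txt(name, r) for r in resolvers}
        status, problems = propagation_status(answers, expected, stale)
        if status == "ok" or time.monotonic() >= deadline:
            return status, problems
        time.sleep(interval)


if __name__ == "__main__":
    # usage: python3 check_txt.py proxmox.example.eu NEW_TOKEN [OLD_TOKEN]
    if len(sys.argv) < 3:
        sys.exit("usage: check_txt.py HOSTNAME EXPECTED_TOKEN [STALE_TOKEN]")
    host, token = sys.argv[1], sys.argv[2]
    old = sys.argv[3] if len(sys.argv) > 3 else None
    result, issues = wait_for_propagation(challenge_name(host), token, old)
    print(result)
    for issue in issues:
        print("  " + issue)
```

Run it with the hostname, the token currently set in the zone and, when switching from staging to production, the previous staging token as the third argument: a "stale" verdict means at least one public resolver still caches the old record, which is exactly the case the second reply suspects, and the validation delay in the plugin should be raised above the zone TTL before retrying.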
 