ACME DNS plugin he (hurricane electric) not working

pcmike

Jul 1, 2022
It seems the ACME DNS plugin he for Hurricane Electric is broken. It only has a field for "api", which HE doesn't actually have. If you look on the acme.sh GitHub page explaining how it auths with HE, it mentions exporting HE_Username and HE_Password; however, I've tried putting these values in the "api" field within Proxmox every which way and none of the ways result in the DNS plugin authing with Hurricane Electric. I've done a few searches on this subject, but came up empty handed. I'm guessing HE is not a very popular DNS provider. Any ideas how I can get the DNS plugin within Proxmox to auth with HE? Thank you.
 
Hi,

Not all ACME providers got a schema definition in our wrapper; we provided it for well-known ones (from our POV) and user-requested or contributed ones. HE hasn't any schema as it's not widely used in central Europe (where most developers are based) and no user has requested or (better) contributed it yet.

https://git.proxmox.com/?p=proxmox-...dd5eef71d5a31216375bc970098bad76;hb=HEAD#l174

https://git.proxmox.com/?p=proxmox-...1cd115a765e1d1917733db84c21a6c952a441;hb=HEAD

If there's no schema configured our GUI falls back to a single text area that allows the user to input all variables themselves in a more manual way. See https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysadmin_certs_acme_dns_challenge

.. it mentions exporting HE_Username and HE_Password, however I've tried putting these values in the "api" field within Proxmox every which way and none of the ways result in the dns plugin authing with hurricane electric
What was the exact value you tried, well, with credential (but no other syntax!) censored?

They need to be written as KEY=VALUE pairs (one per line), without export or quotes IIRC.
 
Please ignore me.. I was able to get it working without the $ and quotes. Thank you.
 
I've done a few searches on this subject, but came up empty handed.

I was able to get it working


I had the same problem, but luckily I did not come up empty handed. I found this here, https://xkcd.com/979/

Then I read your first post with some more attention, and saw the actual keys that I skipped on first reading. In hindsight, your post as well as the documentation are quite clear ;-)

So, for the next impatient reader, what I did for HE (that currently does not have an API, so acme.sh logs in using your own credentials):
  • In datacenter, under the ACME heading:
    • Accounts --> Add, to create an account with Let's Encrypt (I gave it the name of my node, free text, and chose the 'Staging' ACME-directory for initial testing; it takes a few seconds to register with Let's Encrypt).
    • Challenge plugins --> Add, to configure the login for Hurricane Electric
      • Plugin ID: give it a nice name without spaces
      • Validation Delay: I left it at 30 seconds
      • DNS API: I chose HE here
      • API Data: single text field that accepts key=value pairs as described above and in the docs
        • HE_Username=myuser
        • HE_Password=myuserscomplicatedpassword
  • Over to Nodes, under System--> Certificates
    • ACME --> Add, to set the challenge type (DNS) and the FQDN for the node
    • "Using Account:" --> Edit, chose the account created above --> Apply
    • "Order Certificates Now"
  • No errors? Congratulations! But, there is no certificate yet (staging after all)
    • Go back to datacenter, add an account in the production (non-staging) ACME-directory
    • Return to nodes and reconfigure ACME, choosing the production account behind "Using Account:"
    • Rerun "Order Certificates Now"
  • I got thrown out of my session upon reloading of the GUI, and Firefox did not approve of logging in via IP. Using the hostname it worked flawlessly now.
Thanks for your hints!
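
An added example, not part of the thread or of Proxmox's code: a small check for text pasted into the API Data field, flagging the shell syntax the posts above say must be left out (`export`, quotes, a `$`). The function name, the constructed sample and the reading of "without the $" as a `$` in front of the key are assumptions.

```python
import re

# Keys named in the thread for acme.sh's Hurricane Electric plugin.
HE_REQUIRED = ("HE_Username", "HE_Password")
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def lint_api_data(text, required=HE_REQUIRED):
    """Return (cleaned_text, problems) for an 'API Data' field.

    Problems name the line and key only, never the value, so the
    list can be shared in a support thread without leaking a password.
    """
    problems, pairs = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("export "):
            problems.append(f"line {n}: drop the 'export' prefix")
            line = line[len("export "):].lstrip()
        if "=" not in line:
            problems.append(f"line {n}: not a KEY=VALUE pair")
            continue
        key, value = line.split("=", 1)
        if key.startswith("$"):  # assumed meaning of "without the $"
            problems.append(f"line {n}: drop the '$' before the key")
            key = key[1:]
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            problems.append(f"line {n}: drop the quotes around the value of {key}")
            value = value[1:-1]
        if not KEY_RE.match(key):
            problems.append(f"line {n}: invalid key name")
            continue
        if not value:
            problems.append(f"line {n}: empty value for {key}")
        pairs[key] = value
    for key in required:
        if key not in pairs:
            problems.append(f"missing required key {key}")
    cleaned = "\n".join(f"{k}={v}" for k, v in pairs.items())
    return cleaned, problems

# Constructed sample: shell-style export lines pasted unchanged.
SAMPLE = 'export HE_Username="myuser"\nexport HE_Password="constructed-not-real"\n'

if __name__ == "__main__":
    print("\n".join(lint_api_data(SAMPLE)[1]))  # problems only, no secrets
```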
 
    • Challenge plugins --> Add, to configure the login for Hurricane Electric
      • Plugin ID: give it a nice name without spaces
      • Validation Delay: I left it at 30 seconds
      • DNS API: I chose HE here
      • API Data: single text field that accepts key=value pairs as described above and in the docs
        • HE_Username=myuser
        • HE_Password=myuserscomplicatedpassword
I was too tired. The Validation Delay box has a suggestion of 30, in grey.

[Image: 2024-09-27 09_19_31-pve1 - Proxmox Virtual Environment.png]

It's not really there. It wouldn't work, kept failing with this error:

[Image: 2024-09-27 09_10_59-pve1 - Proxmox Virtual Environment.png]

[Image: 2024-09-27 09_08_39-pve1 - Proxmox Virtual Environment.png]

How stoopid am I?

I typed 30 in the Validation Delay box. It's now black. Now it is really there.

[Image: 2024-09-27 09_21_34-pve1 - Proxmox Virtual Environment.png]

[Image: 2024-09-27 09_13_29-pve1 - Proxmox Virtual Environment.png]

[Image: 2024-09-27 09_16_28-pve1 - Proxmox Virtual Environment.png]

Why would they leave the Add button active if the Validation Delay field is blank?

So hopefully this saves someone else from repeating my 'operator input error'

:cool:
 
Why would they leave the Add button active if the Validation Delay field is blank?
That greyed-out "30" means it's the default if the Validation Delay is left blank. If that really was not applied and was the cause of the task failure, then it'd be a bug.
In that case it would be great if you could report it over at https://bugzilla.proxmox.com/ to keep track of it.
 