ACME-DNS with IONOS: failing to renew certificate

Dec 1, 2021
Hi,
Renewing our Let's Encrypt certificates worked flawlessly until now.
Any ideas what could have changed with the recent updates towards PVE 7.2?

root@jupiter2:~# pvenode acme cert renew
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/*********/***********

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/************'
The validation for ***.******.net is pending!
[Wed Jun 8 15:05:24 CEST 2022] Error add txt for domain:_acme-challenge.***.******.net'
command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup ionos ***.******.net' failed: exit code 1
Task command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup ionos ***.******.net'' failed: exit code 1


Package versions:
proxmox-ve: 7.2-1 (running kernel: 5.15.35-1-pve)
pve-manager: 7.2-4 (running version: 7.2-4/ca9d43cc)
pve-kernel-5.15: 7.2-3
pve-kernel-helper: 7.2-3
pve-kernel-5.13: 7.1-9
pve-kernel-5.11: 7.0-10
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.15.30-2-pve: 5.15.30-3
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.11.22-7-pve: 5.11.22-12
pve-kernel-5.11.22-4-pve: 5.11.22-9
ceph-fuse: 15.2.14-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-1
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-2
libpve-storage-perl: 7.2-4
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.12-1
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.1-1
proxmox-backup-file-restore: 2.2.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-1
pve-container: 4.2-1
pve-docs: 7.2-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.4-2
pve-ha-manager: 3.3-4
pve-i18n: 2.7-2
pve-qemu-kvm: 6.2.0-8
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.4-pve1
 
We have the same issue with the IONOS DNS API.
Unfortunately, replacing the /usr/share/proxmox-acme/dnsapi/dns_ionos.sh file with the one from the pull request (https://github.com/acmesh-official/acme.sh/pull/4102) didn't work for us; it only changed the problem.
The DNS TXT record is now correctly created and cleaned up, however the task still fails with a different error message:

Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/xxxxxxxxx/xxxxxxxxxxx

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxxxxxxxx'
The validation for host.domain.tld is pending!
[Fri Jun 10 11:36:35 CEST 2022] TXT record has been created successfully.
Add TXT record: _acme-challenge.host.domain.tld
Sleeping 120 seconds to wait for TXT record propagation
Triggering validation
[Fri Jun 10 11:38:42 CEST 2022] TXT record has been deleted successfully.
Remove TXT record: _acme-challenge.host.domain.tld
TASK ERROR: failed to execute POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/xxxxxxxxxxxx/x_Ur-Q: http request failed: https://acme-v02.api.letsencrypt.org/acme/chall-v3/xxxxxxxxxxxx/x_Ur-Q: status code 400
 
That sounds like an altogether different problem. You could check the challenge / authz URLs; maybe there is some hint there.
 
I forgot to mention that we have this issue on a Proxmox Mail Gateway Server, not a Proxmox VE.
Maybe there are additional steps needed to solve this?
We tested this on two different servers, and the issue is exactly the same:
- Before replacing the dns_ionos.sh file we get the TXT creation error
- After replacing the file, we get the HTTP 400 error (bad request)
Before IONOS changed its DNS API to 1.0.1, everything was working.

EDIT:
It seems it was a temporary problem on the Let's Encrypt side.
After trying the renewal again to get the responses from challenge / authz URLs, everything just started working.
 
Hi, all / Hi @richii - Is there any other change you did to make this work? I have the same problem: cannot issue certs using google dns plugin on Proxmox Mail Gateway Server - HTTP 400 error

I get this error only on "prod Let's Encrypt env".. it works just fine on staging env.
 
Hi @proxuser43,

No, it solved itself while I was trying to debug it. In my testing I had the same error on a different server on a different site, so I figured it had to be some kind of LE server / IONOS plug-in problem.
A few hours later everything just started working.
 
I am still having this issue. Any help appreciated. It worked perfectly fine on OPNsense, so I am guessing there are no issues on the Let's Encrypt side.

 
This is resolved. At Datacenter > ACME > Plugin > dns-ionos, I had extra double quotes that I had missed seeing; that caused the issue.
 
Is this really solved? I tried dozens of different ways to enter the API key.
I can't find a site which describes how to set the API key correctly.
 
I was looking for this too; this works for me now.

You need to add under API DATA:
IONOS_PREFIX = <XXXXXXX>
IONOS_SECRET = <XXXXXXX>
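Two posts in this thread fail on the same thing: the plugin's API Data field held quoted values or still contained the `<XXXXXXX>` placeholders. The following linter is an added example (not part of the thread or of Proxmox) that checks such a pasted API Data block for exactly those mistakes before the renewal is attempted; it reports key names only, never values, so the secret is not echoed into logs. It assumes the field is plain `KEY=value` lines, one per variable, and that the IONOS plugin needs the two keys named above.

```python
import re
from dataclasses import dataclass

# Keys the IONOS acme.sh DNS plugin expects (named in the post above).
REQUIRED_KEYS = frozenset({"IONOS_PREFIX", "IONOS_SECRET"})


@dataclass(frozen=True)
class Finding:
    key: str    # key name (or line number) only: values are never copied into findings
    code: str   # quoted | placeholder | empty | missing | duplicate | not_pair
    hint: str


def lint_api_data(text: str, required=REQUIRED_KEYS) -> list:
    """Lint the plugin's API Data text (one KEY=value line per variable).

    Flags the mistakes reported in this thread: quotes around the value,
    '<XXXX>' placeholders left in place, and missing IONOS_* keys.
    """
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            findings.append(Finding(f"line {lineno}", "not_pair", "expected KEY=value"))
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in seen:
            findings.append(Finding(key, "duplicate", "key given more than once"))
        seen.add(key)
        if not value:
            findings.append(Finding(key, "empty", "no value after '='"))
        elif len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            # Extra quotes around the value were the cause in this thread.
            findings.append(Finding(key, "quoted", "enter the bare value without quotes"))
        elif re.fullmatch(r"<[^<>]*>", value):
            findings.append(Finding(key, "placeholder", "replace <...> with the real value"))
    for key in sorted(required - seen):
        findings.append(Finding(key, "missing", "required by the dns_ionos plugin"))
    return findings


if __name__ == "__main__":
    # Constructed sample of a misconfigured API Data block (not a real credential).
    sample = 'IONOS_PREFIX="abc123"\nIONOS_SECRET=<XXXXXXX>\n'
    for f in lint_api_data(sample):
        print(f"{f.key}: {f.code} ({f.hint})")
```

An empty result means the block has the two keys, unquoted and with real values; anything else is worth fixing before waiting through the 120-second propagation sleep again.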
 
I stumbled upon this too. I received the error "Cannot find this domain in your IONOS account". After removing the quotes around the API data, it worked.