ACME max certificate

zolitacs

Hello!

I downloaded and started using the Proxmox Mail Gateway 8.1 software.
In the Configuration/Certificates menu, ACME has 5 domains created and it won't let me add more, but I don't get any error messages. Is this a bug or a limitation of the free version?

Best regards,
Zoltan
 
Hi,

Is this a bug or a limitation of the free version?
First off, there are no limitations, regardless of subscription - you always get the exact same functionality with and without subscription. :)

Regarding this problem, looking at the code, this is unfortunately a hard-coded limitation (for now), as it seems: https://git.proxmox.com/?p=proxmox-...70d4128b7ffe3a04f70b4654e1b092d;hb=HEAD#l1165
I don't see a particular reason as to why this should not be increasable.

Also, there is an error message logged in the browser console, but it really should show a proper error to the user.

Would you mind creating an entry in our bugtracker for that? https://bugzilla.proxmox.com/
That way, you can also get notified when something is fixed/implemented.
 
/usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
in this file I replaced
acmedomain_count: 5 with acmedomain_count: 50,
and replaced
for (let i = 0; i < Proxmox.Utils.acmedomain_count; i++) {
with
for (let i = 0; i < 50; i++) {

I restarted the pmgproxy service and now ACME accepts the 6th domain as well.
 
I was able to successfully add 6 domains to the ACME list, but the following error message appears on the 7th:

1738159768528.png
 
I had the same problem. Is there a way to work around this until the fix is released?
Regards, Kornel
 
/usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
in this file I replaced
acmedomain_count: 5 with acmedomain_count: 50,
and replaced
for (let i = 0; i < Proxmox.Utils.acmedomain_count; i++) {
with
for (let i = 0; i < 50; i++) {

I restarted the pmgproxy service and now ACME accepts the 6th domain as well.
Thanks for sharing. In my case, I need to restart the pveproxy service.

root@pve:/usr/share/javascript/proxmox-widget-toolkit# netstat -nlp |grep -i 8006
tcp6 0 0 :::8006 :::* LISTEN 2806558/pveproxy
 
I also face the limit of 5 domains, very annoying.
I tried this:
"
/usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
in this file I replaced
acmedomain_count: 5 with acmedomain_count: 20,
and replaced
for (let i = 0; i < Proxmox.Utils.acmedomain_count; i++) {
with
for (let i = 0; i < 20; i++) {
"
restarted pmg
but it had no effect in my system, I still can only list 5 domains - hope Proxmox will fix it.
 
Why do you need more than 5 domains? - Keep in mind that it is not necessary to have all domains that are sending/receiving mail through a PMG listed in the certificate!
* usually you point the MX record of the domain to the hostname of PMG - so it should be enough to list that
* additionally most e-mail servers will still send mails with TLS even if the hostname they use is not a match for the certificate SAN/CN
* the quarantine-links in the spam-reports of the users also only contain one single hostname (this one is configurable) so that should also not be an issue.
 
Why do you need more than 5 domains? - Keep in mind that it is not necessary to have all domains that are sending/receiving mail through a PMG listed in the certificate!
* usually you point the MX record of the domain to the hostname of PMG - so it should be enough to list that
* additionally most e-mail servers will still send mails with TLS even if the hostname they use is not a match for the certificate SAN/CN
* the quarantine-links in the spam-reports of the users also only contain one single hostname (this one is configurable) so that should also not be an issue.
That was also my solution, to point the MX record to the PMG hostname on another domain. However, it would be nice that each domain points to an MX record in its own domain.
 
That was also my solution, to point the MX record to the PMG hostname on another domain. However, it would be nice that each domain points to an MX record in its own domain.
Why would this be nice? - At least in my experience it's nothing too common - and it does not help if you choose to change e-mail providers either

While dated - and maybe not too current - I still think the points in
https://www.ietf.org/rfc/rfc1912.txt
have some merit.

Apart from that I still think that mail flow has no issues even if the SANs don't cover the hostname in the MX record - but would be glad to see an example where this is needed!
 
Why would this be nice? - At least in my experience it's nothing too common - and it does not help if you choose to change e-mail providers either

While dated - and maybe not too current - I still think the points in
https://www.ietf.org/rfc/rfc1912.txt
have some merit.

Apart from that I still think that mail flow has no issues even if the SANs don't cover the hostname in the MX record - but would be glad to see an example where this is needed!
True, it's not needed. I'll cut it down to one hostname in the certificate and change MX records of all hosted domains (8) to point to this one PMG hostname.
Thanks.
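
The certificate planning discussed in this thread, as an added example (not code from any poster or from Proxmox): it compares per-domain MX records with a single shared PMG hostname and reports which names the certificate would need and whether they fit the 5-entry ACME limit. All domain names and MX tables are constructed sample data, and the function names are hypothetical.

```python
from __future__ import annotations

ACME_DOMAIN_LIMIT = 5  # the "acmedomain_count: 5" limit reported in this thread


def san_matches(san: str, host: str) -> bool:
    """Hostname match where a wildcard SAN covers exactly one left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return san == host


def required_names(mx_table: dict[str, list[str]], extra_hosts=()) -> list[str]:
    """Names peers actually connect to: MX targets plus e.g. the quarantine host."""
    names = {h.lower().rstrip(".") for targets in mx_table.values() for h in targets}
    names.update(h.lower().rstrip(".") for h in extra_hosts)
    return sorted(names)


def plan(mx_table: dict[str, list[str]], cert_sans: list[str], extra_hosts=()) -> dict:
    """Report needed names, those the current SAN list misses, and the limit check."""
    needed = required_names(mx_table, extra_hosts)
    uncovered = [n for n in needed if not any(san_matches(s, n) for s in cert_sans)]
    return {
        "needed": needed,
        "uncovered": uncovered,
        "fits_limit": len(needed) <= ACME_DOMAIN_LIMIT,
    }


# Constructed sample data: 8 hosted domains, as in the last post of the thread.
HOSTED = [f"customer{i}.example" for i in range(1, 9)]
PER_DOMAIN_MX = {d: [f"mx.{d}"] for d in HOSTED}       # one MX name per domain
SHARED_MX = {d: ["pmg.example.net"] for d in HOSTED}   # all MX -> one PMG hostname
CERT_SANS = ["pmg.example.net"]                         # single-name certificate

if __name__ == "__main__":
    for label, table in (("per-domain MX", PER_DOMAIN_MX), ("shared MX", SHARED_MX)):
        result = plan(table, CERT_SANS)
        print(f"{label}: {len(result['needed'])} name(s) needed, "
              f"{len(result['uncovered'])} uncovered, "
              f"fits limit: {result['fits_limit']}")
```
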