ACME over DNSChallenge failing

cgshomelab

Jun 24, 2020
Good morning everyone,

First, I am sorry if this post is misplaced.
I started a few weeks ago with Proxmox, and I have been trying to add an HTTPS cert for the Web interface. I own an OVH domain, so I have done the following steps:

* Create the subdomain, so proxmox.*.*
* Create the API
* Get the Application Key, Application Secret and the Consumer Key

> I have been following this guide.

On the Proxmox side, I created the user and the plugin as set up in the guide. But when I run pvenode acme cert order, it fails with the following output:

Code:
TASK ERROR: ACME account config file 'default' does not exist.

Is there anything on the configuration side that I haven't done yet?
It isn't the first time that I set up something with DNSChallenge, and in the past it worked quite well.
 
you need to register an account with Let's Encrypt (as described in the linked documentation).
 
Related question: I wish to use the nsupdate plugin with DNS alias challenges, which is working perfectly with acme.sh, but I really cannot understand how to implement this in the Proxmox interface. I see only "API Data" when selecting "nsupdate" DNS API.

Or in my case, will the best solution be to set up LE outside the Proxmox software and just update the certificates and reload/restart the services?
 
> you need to register an account with Let's Encrypt (as described in the linked documentation).

Hi Fabian,

Correct me if I am wrong, but that would imply going to datacenter>ACME>Accounts>Add, right? I have added two accounts (for prod and test) and both are being created correctly.

Then I go to one of my nodes>System>certificates, I create the subdomain, add the account and click Order Certificates Now, but I still get the same error from my first post.
 
> Hi Fabian,
>
> Correct me if I am wrong, but that would imply going to datacenter>ACME>Accounts>Add, right? I have added two accounts (for prod and test) and both are being created correctly.
>
> Then I go to one of my nodes>System>certificates, I create the subdomain, add the account and click Order Certificates Now, but I still get the same error from my first post.

could you post the output of pvenode config get please?
 
> Related question: I wish to use the nsupdate plugin with DNS alias challenges, which is working perfectly with acme.sh, but I really cannot understand how to implement this in the Proxmox interface. I see only "API Data" when selecting "nsupdate" DNS API.
>
> Or in my case, will the best solution be to set up LE outside the Proxmox software and just update the certificates and reload/restart the services?

sure, you can use whatever ACME client you want - just make sure to configure it to put the cert+key into /etc/pve/local/pveproxy-ssl.pem / /etc/pve/local/pveproxy-ssl.key, and not /etc/pve/local/pve-ssl.(pem|key), and optionally, to reload pveproxy.
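
A deploy hook for the external-client approach described in the reply above, added here as an example (not part of the thread and not Proxmox code). The target file names are the ones given in the reply; the function names and the optional directory argument are illustrative, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: install a cert+key issued by an external ACME client
# for the Proxmox web interface. Function names are illustrative.

# deploy_pveproxy_cert FULLCHAIN KEY [DIR]
# Writes DIR/pveproxy-ssl.pem and DIR/pveproxy-ssl.key only after the
# inputs pass validation. It never touches pve-ssl.pem / pve-ssl.key.
deploy_pveproxy_cert() {
    chain=$1 key=$2 dir=${3:-/etc/pve/local}

    # Catch swapped or truncated inputs before anything is written.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" || {
        echo "refusing: $chain contains no certificate" >&2; return 2; }
    grep -q -- 'PRIVATE KEY-----' "$key" || {
        echo "refusing: $key contains no private key" >&2; return 2; }

    # The key must belong to the leaf certificate (first cert in the chain):
    # compare the public key embedded in each.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout) || return 3
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "refusing: key does not match certificate" >&2; return 3; }

    cp -- "$chain" "$dir/pveproxy-ssl.pem" &&
        cp -- "$key" "$dir/pveproxy-ssl.key"
}

# Optional step from the reply: make pveproxy pick up the new files.
reload_pveproxy() { systemctl reload pveproxy; }

# Typical use from the ACME client's post-issue hook:
#   deploy_pveproxy_cert fullchain.pem privkey.pem && reload_pveproxy
```

Validating before copying means a failed or mismatched renewal leaves the currently served certificate in place.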
 
you don't have any account configured for this node, so it will assume you want to use one named 'default', but no such account exists. if you have registered an account, you need to select (and confirm) it in the GUI -> Node -> Certificates -> ACME 'Using Account'
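
The fallback described in the reply above, as a shell check added here (not part of the thread and not Proxmox code). It assumes the node config is readable at /etc/pve/local/config with the account stored as `account=<name>` on its `acme:` line, and that registered accounts are files under /etc/pve/priv/acme/; both paths are assumptions and can be overridden as arguments.

```shell
#!/bin/sh
# Added example: report which ACME account a node will use and whether
# that account is registered. Paths below are assumed defaults.

# Print the account named on the node config's "acme:" line, or
# "default" when no account= key is present (the fallback behind the
# "ACME account config file 'default' does not exist" error).
acme_account_for_node() {
    cfg=$1
    name=$(sed -n 's/^acme:[[:space:]]*//p' "$cfg" 2>/dev/null |
        tr ',' '\n' | sed -n 's/^account=//p' | head -n 1)
    printf '%s\n' "${name:-default}"
}

# check_node_acme_account [NODE_CONFIG] [ACCOUNT_DIR]
# Returns 0 if the account the node resolves to exists, 1 otherwise.
check_node_acme_account() {
    cfg=${1:-/etc/pve/local/config}      # assumed location
    acct_dir=${2:-/etc/pve/priv/acme}    # assumed location
    name=$(acme_account_for_node "$cfg")
    if [ -f "$acct_dir/$name" ]; then
        echo "ok: node uses ACME account '$name'"
        return 0
    fi
    echo "missing: node resolves to ACME account '$name', which is not registered" >&2
    echo "registered accounts: $(ls "$acct_dir" 2>/dev/null | tr '\n' ' ')" >&2
    return 1
}
```

A result of `default` on a node where only custom-named accounts are registered means the account selection was never saved to the node config.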
 
> you don't have any account configured for this node, so it will assume you want to use one named 'default', but no such account exists. if you have registered an account, you need to select (and confirm) it in the GUI -> Node -> Certificates -> ACME 'Using Account'

Yes, that's what I am doing, so

[Screenshot: 1593077044643.png]

Having configured it this way, when I press Order Certificates Now I still get the same error.
 
It looks like creating an account called default works just fine. The thing that I don't understand is why it fails when I choose a "custom" account.

Thanks for your time
 
no worries - it's not the most straight-forward one ;) maybe it would help to mark the not-yet-applied value more obviously as pending? @dcsapak
 
> no worries - it's not the most straight-forward one ;) maybe it would help to mark the not-yet-applied value more obviously as pending? @dcsapak

I also just got tripped by this. The "tick" is a bad choice in the UI for this. In most UIs a tick is used as feedback to the user, not seeking confirmation from the user. It's made worse because it appears after you choose from a list, so it just looks like it's confirming you've made a choice and can move on to the next action. What it should, IMHO, be is a button marked "save" or similar, and the other interaction buttons shouldn't "ungrey" until you press it.

Just to add that while annoying, this is a small niggle in an otherwise excellent UI!
 
Fortunately, I've found this thread because I've also had a problem with registering a domain in LE. In my mind, that checkmark appeared because the selected account is valid/active or whatever. I didn't realize I could click it.
 
I also didn't realise the checkmark was something that needed to be clicked in order to confirm the change - it looked to me like it was positively reinforcing that the change to the selected account had been successful already!
 
Just here to join the chorus. Love the ACME implementation, hate the checkbox, thank goodness for this thread.
 
