ACME with custom ACME directory doesn't work

Hi,

ACME with custom ACME directory doesn't work in PBS 3.2-2, with libproxmox-acme-plugins 1.5.1 installed.

Doesn't work with the CLI method
Code:
proxmox-backup-manager acme account register <account-name> <mail@example.com>
Here you can choose "Custom", but then the script hangs (I waited 2-3 minutes before stopping the script/job).

And also doesn't work via the WebGUI
In the WebGUI, "Custom" isn't even an option to choose as ACME directory at all (only Let's Encrypt options exist).
 
something seems broken there indeed. but you can pass --directory <URL> on the CLI, that should work.

edit: after choosing custom, you need to input the directory url and press enter. there should probably be some output indicating that ;)
 
something seems broken there indeed. but you can pass --directory <URL> on the CLI, that should work.

edit: after choosing custom, you need to input the directory url and press enter. there should probably be some output indicating that ;)
Ok, I tried to follow this, and I got much further than before.

I got to the point of answering whether I accept the terms, and then entering my EAB key id and EAB key.

But then it failed with a message. I also tried entering the EAB key id and EAB key with and without quotation marks (see results below)...
  • Both EAB key id and EAB key without quotation marks gives this error: "Error: Invalid byte 45, offset 39."
  • Both EAB key id and EAB key within quotation marks gives this error: "Error: Invalid byte 34, offset 0."
  • Only EAB key id within quotation marks gives this error: "Error: Invalid byte 45, offset 39."
  • Only EAB key within quotation marks gives this error: "Error: Invalid byte 34, offset 0."
  • When I remove a dash "-" from the EAB key (since I wasn't sure if it should be there or not), it gives this error: "Error: Encoded text cannot have a 6-bit remainder."
So the question is whether my EAB key id and/or EAB key is wrong somehow (I will request new ones, but that can take some days).
Or whether there is another issue with registering an ACME account?
 
the key is supposed to be base64 encoded (and both values are supposed to be entered without quotes).
 
I have now tested with several different Sectigo accounts, and I get similar errors every time.
  • Error: Invalid byte 45, offset 21.
  • Error: Invalid byte 45, offset 39.
  • Error: Invalid byte 95, offset 33.
The Sectigo accounts that I use work without any problem in Proxmox VE 8.2 and also with certbot 2.10.0 via snapd.

Another thought is: could it be that I reuse Sectigo accounts? And that might not be allowed?
 
PVE uses different code for that.. is your key by chance base64 URL encoded, and not base64 encoded? (does it contain a '/' or not?)
 
Hi there!

This is completely annoying and actually unacceptable!
I write this because it works fine for PVE and not at all for PBS. But I can add more error messages to this thread:

Base64 encoding the key I use for PVE:
Code:
Error: urn:ietf:params:acme:error:malformed: [External Account Binding] Invalid MAC on JWS request
Base64 encoding the KEY and KEY ID
Code:
Error: urn:ietf:params:acme:error:malformed: [External Account Binding] The Key Identifier is invalid
 
I haven't tried this lately, still waiting for the patch adding the prompt; I haven't seen it being fixed yet.
I also haven't tried with any new ACME account. I plan to install a second PBS server and will try it again then.
But that might take a couple of weeks, since I'm not working full time right now (and have other things to do as well).
 
PVE uses different code for that.. is your key by chance base64 URL encoded, and not base64 encoded? (does it contain a '/' or not?)
I missed answering this: neither my EAB Key ID nor the EAB key contains any slash '/' character.
When I get the EAB Key ID and the EAB key from our CA they don't contain any '/' at all. I have a total of 30 different accounts (4 for PVE, 1 for PBS, and 25 for other systems).
 
I've talked with the developers and we were able to reproduce it in the LAB. This resulted in the following workaround and it was successfully tested with an active account at Sectigo.

You will receive your key from the provider. Example:
Key from the provider:
Code:
XgkYyQTXpqx7jx9Bb-BwemVyJGXAV_Reoa1JCOA4_Vas8j7JaRToOJl-jRfyI5a

Converted so that PBS can read it: (manually change the characters)
Code:
XgkYyQTXpqx7jx9Bb+BwemVyJGXAV/Reoa1JCOA4/Vas8j7JaRToOJl+jRfyI5a

original  converted
-         +
_         /

This will probably already be fixed in the next PBS update.
 
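The byte numbers in the errors earlier in the thread are plain ASCII codes: 45 is '-', 95 is '_' and 34 is the double quote. Both '-' and '_' belong to the URL-safe base64 alphabet (RFC 4648 section 5), not to the standard one (section 4) that a strict decoder checks against, which is why the character swap above works. The following Python is an added example (not PBS code and not from the poster): it reproduces the two error shapes seen in the thread with our own checker, applies the swap to the key only, and confirms the converted key decodes to the same bytes as the key the CA issued. The sample key is the constructed one from the post above; `decode_error`, `prepare_eab` and the other function names are this example's own.

```python
import base64
import string
from typing import Optional, Tuple

# RFC 4648 alphabets: standard base64 (section 4) and the URL-safe variant (section 5).
STANDARD_ALPHABET = string.ascii_letters + string.digits + "+/"
URLSAFE_ALPHABET = string.ascii_letters + string.digits + "-_"

# The example key from the post above (a constructed sample, not a real EAB secret).
SAMPLE_URLSAFE_KEY = "XgkYyQTXpqx7jx9Bb-BwemVyJGXAV_Reoa1JCOA4_Vas8j7JaRToOJl-jRfyI5a"


def first_invalid_byte(text: str, alphabet: str) -> Optional[Tuple[int, int]]:
    """Return (byte value, offset) of the first character outside `alphabet`,
    ignoring trailing '=' padding; None if every character is valid."""
    for offset, ch in enumerate(text.rstrip("=")):
        if ch not in alphabet:
            return ord(ch), offset
    return None


def decode_error(key: str) -> Optional[str]:
    """Explain why a strict standard-base64 decoder would reject `key`, using the
    same message shapes the thread shows (our own re-creation, not PBS's decoder):
    a byte outside the alphabet, or a length that leaves a 6-bit remainder (len % 4 == 1)."""
    bad = first_invalid_byte(key, STANDARD_ALPHABET)
    if bad is not None:
        return f"Invalid byte {bad[0]}, offset {bad[1]}."
    if len(key.rstrip("=")) % 4 == 1:
        return "Encoded text cannot have a 6-bit remainder."
    return None


def urlsafe_to_standard(key: str) -> str:
    """The workaround from the post: swap '-' for '+' and '_' for '/'."""
    return key.translate(str.maketrans("-_", "+/"))


def decode_standard(key: str) -> bytes:
    """Strict standard-base64 decode; '=' padding is added if the CA omitted it."""
    err = decode_error(key)
    if err:
        raise ValueError(err)
    return base64.b64decode(key + "=" * (-len(key) % 4), validate=True)


def decode_urlsafe(key: str) -> bytes:
    """Reference decode with the URL-safe alphabet the issued key actually uses."""
    return base64.urlsafe_b64decode(key + "=" * (-len(key) % 4))


def prepare_eab(key_id: str, key: str) -> Tuple[str, str]:
    """Apply the swap to the key only. The Key Identifier is an opaque string for
    the CA and must be passed through untouched (converting it makes the CA reject it)."""
    return key_id, urlsafe_to_standard(key)


if __name__ == "__main__":
    print("as issued :", SAMPLE_URLSAFE_KEY, "->", decode_error(SAMPLE_URLSAFE_KEY))
    converted = urlsafe_to_standard(SAMPLE_URLSAFE_KEY)
    print("converted :", converted, "->", decode_error(converted))
    # Both forms carry the same secret; only the alphabet differs.
    assert decode_standard(converted) == decode_urlsafe(SAMPLE_URLSAFE_KEY)
```

Running `decode_error` on a key before pasting it into the prompt tells you which character the register step will trip over; an error with byte 45 or 95 means the key is base64url and needs the swap, while byte 34 means the quotes have to go.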
Hi,

I tried the suggested hack, failing at first, and then understood that I had misread the instructions.
The second attempt was a success, once I did it right.

The first failed attempt gave this error:
Code:
Attempting to register account with "https://acme.sectigo.com/v2/OV"...
Error: urn:ietf:params:acme:error:malformed: [External Account Binding] The Key Identifier is invalid
What I did wrong was to also convert the characters in the Account-ID; this should not be converted.

So make sure to only convert the Key, for the hack to work (before the fix is released).

Thanks for solving this issue! Looking forward to the fix...
 
Ok, so the account creation worked.

How can/should I continue now?

I tried the WebGUI to fetch the certificate, and got this error "TASK ERROR: acme account 'default' does not exist".

I guess there is a terminal command to do this; can you help with that? (I have limited time to check this, for personal reasons.)
 
I tried the WebGUI to fetch the certificate, and got this error "TASK ERROR: acme account 'default' does not exist".

If you create your account with:
Code:
proxmox-backup-manager acme account register <account-name> <mail@example.com>
the account-name must be called default.
 
If you create your account with:
Code:
proxmox-backup-manager acme account register <account-name> <mail@example.com>
the account-name must be called default.
Thanks for the update!

I just tested with default as account name (just before I saw your comment about it).
And I can confirm that it worked, when I ordered a new ACME cert via the WebGUI. ;-)

So now it's just waiting for the fix to be published.
 