ACME with NSUPDATE not working

radn

New Member
May 13, 2020
Hello,

I am trying to use Let's Encrypt certificates using ACME in Proxmox 6.2 with the new DNS verification. Specifically, I am trying to use nsupdate.

Following the instructions in [1] and the information in [2], I have created a new ACME challenge configuration in my Datacenter configuration, and have used the variables indicated in [2], in the form:

NSUPDATE_SERVER="ns1.mydomain.com"
NSUPDATE_KEY="/etc/pve/nsupdate.key"
NSUPDATE_ZONE="mydomain.com"

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_certificate_management
[2] https://github.com/acmesh-official/acme.sh/wiki/dnsapi#7-use-nsupdate-to-automatically-issue-cert

When I try to order the certificate, I get the following error:

Loading ACME account details
Placing ACME order
The validation for proxmox.[MYDOMAIN] is pending!
[Wed May 13 13:09:13 CEST 2020] key "/etc/pve/nsupdate.key" is unreadable
[Wed May 13 13:09:13 CEST 2020] Error add txt for domain:_acme-challenge.[MYDOMAIN]
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup nsupdate proxmox.[MYDOMAIN]' failed: exit code 1


I have moved the nsupdate.key file to different locations, and have made it world-readable. I have even changed its owner to be "nobody" with group "nogroup", but since the command seems to drop all privileges, it fails to read the file no matter what I do or where it is located.

I have used nsupdate manually with that same nsupdate.key file, and I can see that it does update my remote DNS. So either I am doing something wrong here, or the way that the ACME implementation in Proxmox tries to do nsupdate does not work and this may be a bug.

Any help would be appreciated! Thank you very much in advance!
 

fabian

Proxmox Staff Member
Staff member
Jan 7, 2016
Thanks for reporting! Seems like the nsupdate API requires some special handling - could you file a bug at https://bugzilla.proxmox.com for easier tracking, and we'll see what we can do about supporting it properly.
 

lexxai

New Member
Aug 28, 2020
I copied the key file to a common NFS disk for the cluster nodes, and changed its mode as follows:
chmod 644 ns-update.key
NSUPDATE_KEY=/mnt/pve/cluster/nskey/ns-update.key
And now the ACME certificate with the DNS plugin nsupdate is updated successfully.

On /etc/pve, the user can change neither the mode nor the ownership of the file.
The script is run as nobody:nogroup.
 

ariejan

New Member
Jul 14, 2021
Hope I'm not kicking a dead horse, but you need to remove the quotes from the value: NSUPDATE_KEY=/etc/pve/nsupdate.key
 

Hyacin

New Member
May 6, 2020
I had a similar issue and had to remove 'export' from the front of the variables specified in the acme.sh docs ...

e.g.

NSUPDATE_KEY=/mnt/pve/cephfs/nsupdate.key

instead of -

export NSUPDATE_KEY=/mnt/pve/cephfs/nsupdate.key

I changed and tried a few things in a short period (all suggested here - removing the quotes, and moving the key out of /etc/pve), but I think removing export is what did it.
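A preflight check that combines the three fixes discussed in this thread (no `export`, no quotes around the value, and a key file outside /etc/pve that an unprivileged process can read). This is an added example, not code from the thread or from proxmox-acme; it assumes plugin data is a set of KEY=VALUE lines as pasted above and that the hook runs as nobody:nogroup, as the TASK ERROR line in the first post shows.

```shell
#!/bin/sh
# Preflight check for a Proxmox ACME "nsupdate" DNS plugin configuration.
# Added example: not from the thread or from proxmox-acme. Assumes plugin
# data is KEY=VALUE lines and that the hook runs as nobody:nogroup.

# Rewrite one plugin-data line into the form proxmox-acme expects:
# no leading "export ", no quotes around the value. Prints the cleaned
# line; returns 0 if it was already clean, 1 if it had to be rewritten.
normalize_plugin_line() {
    line=$1
    cleaned=${line#"export "}      # acme.sh docs use "export", Proxmox must not
    key=${cleaned%%=*}
    val=${cleaned#*=}
    case $val in                   # strip one layer of matching quotes
        \"*\") val=${val#\"}; val=${val%\"} ;;
        \'*\') val=${val#\'}; val=${val%\'} ;;
    esac
    printf '%s=%s\n' "$key" "$val"
    [ "$key=$val" = "$line" ]
}

# Static check that NSUPDATE_KEY is readable by an unprivileged process:
# rejects /etc/pve (pmxcfs is root-only and its modes cannot be changed),
# then requires the file to be world-readable and every parent directory
# world-searchable. Returns 0 if OK, 1 on a bad path, 2 on permissions.
check_key_path() {
    path=$1
    case $path in
        /etc/pve/*) echo "$path: on /etc/pve, unreadable for nobody" >&2; return 1 ;;
        /*) ;;
        *) echo "$path: must be an absolute path" >&2; return 1 ;;
    esac
    [ -f "$path" ] || { echo "$path: no such file" >&2; return 1; }
    # "other" read bit is column 8 of ls -l output (e.g. -rw-r--r--)
    [ "$(ls -ld "$path" | cut -c8)" = r ] || { echo "$path: not world-readable" >&2; return 2; }
    dir=$(dirname "$path")
    while [ "$dir" != / ]; do
        case $(ls -ld "$dir" | cut -c10) in   # "other" execute bit (x, or t if sticky)
            x|t) ;;
            *) echo "$dir: not world-searchable" >&2; return 2 ;;
        esac
        dir=$(dirname "$dir")
    done
    return 0
}

# The authoritative check: the same privilege drop proxmox-acme uses (needs root).
key_readable_as_nobody() {
    setpriv --reuid nobody --regid nogroup --clear-groups -- test -r "$1"
}
```

Run the static check on a node before ordering; `key_readable_as_nobody` reproduces the exact condition that produced the "key is unreadable" error.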
 

TonyArr

New Member
Oct 27, 2021
Sorry for bumping an old thread, but did anyone end up getting this working?
I'm trying to get a certificate for a server that has no open ports to the wider internet, but my external name server will happily take nsupdate input.

Sadly, I'm getting the same "key unreadable" error when I try to get a certificate.
 

radn

New Member
May 13, 2020
@TonyArr, last time I tried this following suggestions from the comments on the forum it did not work for me with the scripts included with proxmox. So I used a different script that replaces the one provided by Proxmox, which works for me. I have a cron job that warns me if the script changes.

I will upload this later.
 

TonyArr

New Member
Oct 27, 2021
> @TonyArr, last time I tried this following suggestions from the comments on the forum it did not work for me with the scripts included with proxmox. So I used a different script that replaces the one provided by Proxmox, which works for me. I have a cron job that warns me if the script changes.
>
> I will upload this later.

Thanks, I use dehydrated on my existing systems, but figured since I'm using Proxmox to replace those systems I'd try to get it to handle everything I can with its built-in tools. Guess I'll bring my dehydrated configs over as well.
I'd still love to see your script, to see if there's anything I'm doing that yours does better, which is likely since all my existing stuff is pretty hodge-podge. Seeing how you wrap it into Proxmox would be very useful too, when you get the time! :)
 

radn

New Member
May 13, 2020
I have attached the scripts here. I had to add ".txt" at the end so they could be uploaded.

  • dns_nsupdate.sh.modified is located in /usr/share/proxmox-acme/dnsapi/
  • check_dns_nsupdate.sh is located in /root/, and is invoked every night via cron, with an entry like the following one:
    00 10 * * * /root/check_dns_nsupdate.sh
 

Attachments

  • dns_nsupdate.sh.modified.txt
    3.4 KB · Views: 0
  • check_dns_nsupdate.sh.txt
    782 bytes · Views: 0
