ACME with NSUPDATE not working

radn (Member), May 13, 2020
Hello,

I am trying to use Let's Encrypt certificates using ACME in Proxmox 6.2 with the new DNS verification. Specifically, I am trying to use nsupdate.

Following the instructions in [1] and the information in [2], I have created a new ACME challenge configuration in my Datacenter configuration, and have used the variables indicated in [2], in the form:

NSUPDATE_SERVER="ns1.mydomain.com"
NSUPDATE_KEY="/etc/pve/nsupdate.key"
NSUPDATE_ZONE="mydomain.com"

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_certificate_management
[2] https://github.com/acmesh-official/acme.sh/wiki/dnsapi#7-use-nsupdate-to-automatically-issue-cert

When I try to order the certificate, I get the following error:

Loading ACME account details
Placing ACME order
The validation for proxmox.[MYDOMAIN] is pending!
[Wed May 13 13:09:13 CEST 2020] key "/etc/pve/nsupdate.key" is unreadable
[Wed May 13 13:09:13 CEST 2020] Error add txt for domain:_acme-challenge.[MYDOMAIN]
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup nsupdate proxmox.[MYDOMAIN]' failed: exit code 1


I have moved the nsupdate.key file to different locations, and have made it world-readable. I have even changed its owner to be "nobody" with group "nogroup", but since the command seems to drop all privileges, it fails to read the file no matter what I do or where it is located.

I have used nsupdate manually with that same nsupdate.key file, and I can see that it does update my remote DNS. So either I am doing something wrong here, or the way that the ACME implementation in Proxmox tries to do nsupdate does not work and this may be a bug.

Any help would be appreciated! Thank you very much in advance!
 
Thanks for reporting! Seems like the nsupdate API requires some special handling - could you file a bug at https://bugzilla.proxmox.com for easier tracking, and we'll see what we can do about supporting it properly.
 
I copied the key file to a common NFS disk for the cluster nodes and changed its mode as follows:
chmod 644 ns-update.key
NSUPDATE_KEY=/mnt/pve/cluster/nskey/ns-update.key
And now the ACME certificate with the DNS plugin nsupdate is updated successfully.

On /etc/pve the user can't change either the mode or the ownership of a file.
The script is run as nobody:nogroup.
 
Hope I'm not kicking a dead horse, but you need to remove the quotes from the value: NSUPDATE_KEY=/etc/pve/nsupdate.key
 
I had a similar issue and had to remove 'export' from the front of the variables specified in the acme.sh docs ...

e.g.

NSUPDATE_KEY=/mnt/pve/cephfs/nsupdate.key

instead of -

export NSUPDATE_KEY=/mnt/pve/cephfs/nsupdate.key

I changed and tried a few things in a short period (all suggested here - removing the quotes, and moving the key out of /etc/pve), but I think removing export is what did it.
 
Sorry for bumping an old thread, but did anyone end up getting this working?
I'm trying to get a certificate for a server that has no open ports to the wider internet, but my external name server will happily take nsupdate input.

Sadly, I'm getting the same "key unreadable" error when I try to get a certificate.
 
@TonyArr, last time I tried this following suggestions from the comments on the forum it did not work for me with the scripts included with proxmox. So I used a different script that replaces the one provided by Proxmox, which works for me. I have a cron job that warns me if the script changes.

I will upload this later.
 
Thanks, I use dehydrated on my existing systems, but figured since I'm using Proxmox to replace those systems I'd try to get it to handle everything I can with its built-in tools. Guess I'll bring my dehydrated configs over as well.
I'd love to see your script still, see if there's anything I'm doing that yours does better, which is likely since all my existing stuff is pretty hodge-podge. Seeing how you wrap it into Proxmox would be very useful too, when you get the time! :)
 
I have attached the scripts here. I had to add ".txt" at the end so they could be uploaded.

  • dns_nsupdate.sh.modified is located in /usr/share/proxmox-acme/dnsapi/
  • check_dns_nsupdate.sh is located in /root/, and is invoked every night via cron, with an entry like the following one:
    00 10 * * * /root/check_dns_nsupdate.sh
 


I had a post but I deleted it because I interpreted the instructions incorrectly. My interpretation was that "my.key" in the step cat my.key | base64 -w 0 was the secret itself without the rest of the TSIG key file formatting. For future readers, to use these scripts you need the base64 encoding of the TSIG key file itself, which should look something like this:
Code:
key "proxmoxdns" {
        algorithm hmac-sha512;
        secret "+YFmSvlP5J8ofrHFZX+qd2ZqpTvIOc3==";
};
 
Just got an email today from the server. If you are using this modification, a recent patch reverts the changes for this fix. If you aren't using the example script to check and restore the fix, you might need to check your server.
 
I'm not sure if or how this was working for me, but the 'like' I put above at some point in the past indicates I've clearly been here before! :-/

I was using a key on my cephfs but I just ripped out ceph a month or so ago and forgot about the key! Cert update failures began today, lol.

I tried a couple other locations in the fs and got the "not found" error that led me (back) to this thread ... so I've modified my dns_nsupdate.sh script as instructed and replaced the key in my acme config with the base64 encoded version, but now I'm getting -

Code:
[Fri Apr 21 02:51:40 EDT 2023] key a2V5ICJkZ<redacted>jsKfTsK is unreadable

?!??

Stumped. But it's also 3 AM so that could have something to do with it.

Any input would be greatly appreciated!

I did verify all the dns_nsupdate.sh scripts on ALL my nodes have been updated to the version with the _dbase64 modification :-/

Edit: Ah! Got it! I missed the "Change "_checkKeyFile" to return immediately." instruction. Working now.

Still wonder how I saw this thread before but managed to use a key file on the system subsequent to that though :confused:
 
For anyone still wondering - just put the key-file in /usr/local/share or similar and give o+r permissions or chown to nobody:nogroup
Works like a charm. Is it secure to leave your key in the open? Not very much.

To make it user-friendly, split it into a key-name field and a secret field rather than a key file.
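A check to run before ordering, added here as an example (not code from the thread or from proxmox-acme): it emulates the nobody:nogroup identity from the setpriv line in the task error using stat(1) alone, so it needs neither root nor setpriv, and it flags a key that is reachable only because it is world-readable. It assumes Linux with GNU stat and an absolute path; ACLs, capabilities and symlinks are not considered.

```shell
#!/bin/bash
# Added example, not code from the thread or proxmox-acme.  Emulates the
# identity in the task error (setpriv --reuid nobody --regid nogroup
# --clear-groups) with stat(1) only: no root, no setpriv.  Only the primary
# group counts because --clear-groups drops supplementary groups.  ACLs and
# capabilities are ignored; Linux/GNU stat assumed; PATH must be absolute.

# perm_allows OCTAL_MODE OWNER_UID OWNER_GID UID GID BIT   (BIT 4=read, 1=search)
perm_allows() {
  m=$(( 0$1 )); ouid=$2; ogid=$3; uid=$4; gid=$5; bit=$6
  [ "$uid" -eq 0 ] && return 0                        # root bypasses mode bits
  if   [ "$ouid" -eq "$uid" ]; then cls=$(( (m >> 6) & 7 ))
  elif [ "$ogid" -eq "$gid" ]; then cls=$(( (m >> 3) & 7 ))
  else                              cls=$(( m & 7 )); fi
  [ $(( cls & bit )) -ne 0 ]
}

# key_readable_as PATH UID GID: prints "ok", or the first obstacle and fails.
# Every parent directory needs the search (x) bit for that identity, which is
# what defeats a 0644 key under a 0700 /root, and /etc/pve, whose mode and
# ownership cannot be changed at all (see above).
key_readable_as() {
  path=$1; uid=$2; gid=$3
  [ -e "$path" ] || { echo "missing: $path"; return 1; }
  dir=$(dirname -- "$path")
  while :; do
    set -- $(stat -c '%a %u %g' -- "$dir")
    perm_allows "$1" "$2" "$3" "$uid" "$gid" 1 || { echo "no search on $dir"; return 1; }
    [ "$dir" = / ] && break
    dir=$(dirname -- "$dir")
  done
  set -- $(stat -c '%a %u %g' -- "$path")
  perm_allows "$1" "$2" "$3" "$uid" "$gid" 4 || { echo "no read on $path"; return 1; }
  echo ok
}

# world_readable PATH: succeeds if "other" can read it.  That makes the key
# work, but chown nobody:nogroup plus mode 0400 works too and does not hand
# the TSIG secret to every local account.
world_readable() {
  set -- $(stat -c '%a' -- "$1")
  [ $(( 0$1 & 4 )) -ne 0 ]
}

# Usage: ./keycheck.sh /abs/path/to/nsupdate.key  (resolves nobody's ids locally)
if [ -n "${1:-}" ]; then
  key_readable_as "$1" "$(id -u nobody)" "$(id -g nobody)"
  world_readable "$1" && echo "warning: $1 is world-readable"
fi
```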
 
Thanks for that update - tsig key file location and permissions, worked for me.

I do have a further issue though.

NSUPDATE_ZONE= is supposed to be the --challengealias (CNAME support in stock acme.sh)
That is not working.

When I click "Order Certificates Now" I get:

Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/150394944/16906077234

Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12590219954'
The validation for pve.redacted.domain is pending!
[Sun Jun  2 01:32:46 AEST 2024] adding _acme-challenge.pve.redacted.domain. 60 in txt "tcTffmt4qgLOSn1zi3ljIuT5k-IDUNJpNOLHTdJAqTc"
update failed: NOTZONE
[Sun Jun  2 01:32:46 AEST 2024] error updating domain
[Sun Jun  2 01:32:46 AEST 2024] Error add txt for domain:_acme-challenge.pve.redacted.domain
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup nsupdate pve.redacted.domain' failed: exit code 1

The issue here is that redacted.domain reported above is not DDNS, so it cannot create the TXT record.
This is where the NSUPDATE_ZONE= comes in. I have it set to NSUPDATE_ZONE=ddns.other.domain
That zone is a ddns updateable zone.

I do have this _acme-challenge.pve.redacted.domain. CNAMEd to _acme-challenge.ddns.other.domain
I have this setup working on OPNsense and other native installs of acme.sh

What should happen is that when NSUPDATE_ZONE= is populated, the TXT record for _acme-challenge is not created in the configured "domain", but is configured as a TXT record in _acme-challenge.ddns.other.domain.
Then, with the CNAME in place, Domain Validation can occur via a lookup of "_acme-challenge." + the certificate domain to the TXT record of _acme-challenge.ddns.other.domain.

It seems straightforward that populating NSUPDATE_ZONE= should do the trick.

EDIT: The proxmox-acme version of dnsapi/dns_nsupdate.sh is identical to the current acme.sh 3.0.8
So it is something to do with NSUPDATE_ZONE= not being passed through.
So far I can see that proxmox-acme is a cut-down version of the acme.sh version, and a bunch of things are bypassed and added in via a "setup" function.
The above "TASK ERROR: command" clearly shows the ddns zone not being provided to proxmox-acme on the command line.

EDIT2: Ok, got it working.
The Proxmox ACME build assumes the domain you are adding the certificate for is also DDNS capable. Which technically means there is no need to populate the NSUPDATE_ZONE= field in the GUI. In the current Proxmox build (8.2.2) this field is being ignored.
Since the DNS-01 protocol allows for the Alias-Challenge (Domain), this is a shortcoming.

In /usr/share/proxmox-acme/proxmox-acme functions setup() and teardown() there is a call to _load_plugin_config.
The _load_plugin_config needs to be called before the fqdn= variable is set.

In file : /usr/share/proxmox-acme/proxmox-acme
Diff:
808c808
<   fqdn="_acme-challenge.$2"
---
>   # fqdn="_acme-challenge.$2"   ;# Moved after _load_plugin_config
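Review bot: the original assignment is kept as a commented-out line (`>   # fqdn="_acme-challenge.$2"   ;# Moved after _load_plugin_config`); delete it instead, because the replacement assignment lives a few lines lower and a stale copy of the old line invites someone to uncomment it and bring back the ordering bug this patch fixes. If a marker is wanted, a plain comment such as `# fqdn is set after _load_plugin_config` says the same without dead code.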
814a815,820
>   if [ -z "${NSUPDATE_ZONE}" ]; then
>     fqdn="_acme-challenge.$2"
>   else 
>     fqdn="_acme-challenge.${NSUPDATE_ZONE}"
>   fi
> 
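Review bot: this block gives NSUPDATE_ZONE a second meaning. The post says the `if [ -z "${NSUPDATE_ZONE}" ]` test was borrowed from dns_nsupdate.sh, which already reads that variable, so a single value now both selects the record name here and feeds the plugin's own handling, and there is no way to set one without the other. Consider a dedicated setting for the alias (for example `NSUPDATE_CHALLENGE_ALIAS`, a name made up here, not an existing acme.sh option) and leave NSUPDATE_ZONE to the plugin. Also note that with the alias set the name no longer depends on `$2`, so every domain in a multi-domain order writes to the same TXT name; DNS-01 allows several TXT values at one name, but the matching teardown (`removing _acme-challenge.ddns.other.domain. txt` in the log below, with no value) then clears all of them, which deserves a comment. Minor: `else ` carries trailing whitespace.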
835c841
<   fqdn="_acme-challenge.$2"
---
>   # fqdn="_acme-challenge.$2"   ;# Moved after _load_plugin_config
839a846,851
> 
>   if [ -z "${NSUPDATE_ZONE}" ]; then
>     fqdn="_acme-challenge.$2"
>   else 
>     fqdn="_acme-challenge.${NSUPDATE_ZONE}"
>   fi
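Review bot: this hunk repeats the block added in setup() verbatim, and the hunk opens with a stray blank line. Move the name selection into one helper, say `_challenge_fqdn "$2"` (name invented here), called from both setup() and teardown(); otherwise a later edit to one copy can leave teardown deleting a different record than setup added, and the only symptom would be a leftover TXT record in the alias zone.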

I borrowed the "if [ -z "${NSUPDATE_ZONE}" ]; then" from the dns_plugin file /usr/share/proxmox-acme/dnsapi/dns_nsupdate.sh
The dns_nsupdate.sh is the standard file, and since it matched the plugin from acme.sh 3.0.8 (current as of today), then best not to change that one.

I have tested, and a certificate is issued via the ddns domain validation.
There are some anomalies in the output though.
In the example below - only the 2 BOLD lines (with dates) are output by the proxmox-acme script, the rest comes from some other wrapping script.
Therefore it still says it is adding/removing the TXT record from the certificate domain.

Code:
Header
Proxmox
Virtual Environment 8.2.2
Node 'pve'
Using Account:
Staging
Logs
Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/150394944/16906077234

Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12590219954'
The validation for pve.redacted.domain is pending!
[Sun Jun  2 15:59:49 AEST 2024] adding _acme-challenge.ddns.other.domain. 60 in txt "tcTffmt4qgLOSn1zi3ljIuT5k-IDUNJpNOLHTdJAqTc"
Add TXT record: _acme-challenge.pve.redacted.domain
Sleeping 30 seconds to wait for TXT record propagation
Triggering validation
Sleeping for 5 seconds
Status is still 'pending', trying again in 10 seconds
Status is 'valid', domain 'pve.redacted.domain' OK!
[Sun Jun  2 16:00:37 AEST 2024] removing _acme-challenge.ddns.other.domain. txt
Remove TXT record: _acme-challenge.pve.redacted.domain

All domains validated!

Creating CSR
Checking order status
Order is ready, finalizing order
valid!

Downloading certificate
Setting pveproxy certificate and key
Restarting pveproxy
TASK OK

But, hey - it works.

So with the tsig key file in a place and a permission that can be read AND the proxmox-acme patch, then this process works.
I'll go and create a bugzilla now.
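The alias mechanism the post describes, as an added example that is neither proxmox-acme nor acme.sh code: challenge_name picks the TXT owner name with and without an alias zone, and nsupdate_batch refuses to emit an update whose name lies outside the zone it would send to, which is the NOTZONE failure in the first log above. ns1.mydomain.com is the placeholder server from the thread's opening post and the token is the one from the log; both are sample values.

```shell
#!/bin/sh
# Added illustration (not proxmox-acme or acme.sh code) of the two pieces the
# post describes: which TXT name the challenge goes to when an alias zone is
# configured, and a pre-check that the name really sits inside the zone
# handed to nsupdate, i.e. the NOTZONE failure shown in the first log.

# challenge_name CERT_DOMAIN [ALIAS_ZONE]
# Without an alias zone the TXT record lives under the certificate domain;
# with one it lives under the alias zone, and the CNAME from
# _acme-challenge.CERT_DOMAIN must point there for validation to succeed.
challenge_name() {
  if [ -z "${2:-}" ]; then echo "_acme-challenge.$1"; else echo "_acme-challenge.$2"; fi
}

# in_zone NAME ZONE: succeeds if NAME is ZONE itself or a name below it
# (label-boundary suffix match, so "nother.domain" is not inside "other.domain").
in_zone() {
  name=${1%.}; zone=${2%.}
  [ "$name" = "$zone" ] && return 0
  case "$name" in *."$zone") return 0 ;; *) return 1 ;; esac
}

# nsupdate_batch SERVER ZONE NAME TOKEN
# Prints the nsupdate(1) script that adds the challenge TXT, refusing to emit
# one the server would reject with NOTZONE.
nsupdate_batch() {
  server=$1; zone=$2; name=$3; token=$4
  in_zone "$name" "$zone" || { echo "refusing: $name is not inside zone $zone" >&2; return 1; }
  printf 'server %s\nzone %s.\nupdate add %s. 60 in txt "%s"\nsend\n' "$server" "$zone" "$name" "$token"
}

# Constructed sample: the situation from the post, with the token it logged.
TOKEN=tcTffmt4qgLOSn1zi3ljIuT5k-IDUNJpNOLHTdJAqTc
# 1. Zone is the DDNS alias zone but the name was built from the cert domain: NOTZONE.
nsupdate_batch ns1.mydomain.com ddns.other.domain "$(challenge_name pve.redacted.domain)" "$TOKEN" || true
# 2. Name built with the alias zone, matching the CNAME target: accepted.
nsupdate_batch ns1.mydomain.com ddns.other.domain "$(challenge_name pve.redacted.domain ddns.other.domain)" "$TOKEN"
```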
 
Hi:

For people still bumping with this. Proxmox 8.1.4 (but should work in others versions too).

Placing the TSIG key in /etc/ddns-update.key works flawlessly. It is not even necessary to change the ownership of the file to nobody:nogroup.

-rw-r--r-- 1 root root ddns-update.key

As stated before, there are other places where you can place the key (i.e. /usr/share/proxmox-acme/ level).

I think this could be clarified (the possible locations of the key file) in the Proxmox documentation. There is a lack of info regarding the ns_update plugin and the threads available almost suggest the only solution is to modify the ACME source code at the system level. Which is a problem to keep up to date with new updates.

The other thing that would be convenient IMHO is to be able to place the key for example in /etc/pve/ path. This would make the key available to all nodes in a cluster environment.

HTH
 
