I’m encountering an issue with ACME certificate issuance via DNS API using Yandex 360 in the following stack:
- Proxmox Backup Server: 4.1.x (tested on 4.1.1, 4.1.5, 4.1.10)
- Proxmox VE: 8.4+ and 9.1+
- Datacenter Manager: 1.0.3
Observed behavior:
- During ACME order processing, the client initiates the Yandex 360 device authorization flow.
- After manually completing authorization via https://ya.ru/device, an access token is successfully obtained.
- However, on the next step (validation or subsequent API call), the client attempts to refresh the token and fails.
- As a result, it falls back to initiating a new device authorization flow again.
- This loop leads to failure when adding the _acme-challenge TXT record or during cleanup (teardown phase).
Important observation:
It appears that the token is not being persisted or reused correctly between ACME stages. Each invocation of the plugin behaves as if no valid token exists.
Configuration:
- DNS API: yandex360
- API credentials are set in Proxmox:
  - YANDEX360_CLIENT_ID
  - YANDEX360_CLIENT_SECRET
  - YANDEX360_ORG_ID
https://github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_yandex360
Using the same credentials and domain, the standalone acme.sh client works flawlessly:
- Token is obtained once interactively
- Subsequent renewals are fully automatic
- No repeated authorization or token loss
Assumptions / Questions:
- Is Proxmox failing to persist the Yandex 360 token between plugin executions?
- Does /usr/share/proxmox-acme/proxmox-acme run the DNS plugin in a stateless way, causing token loss?
- Is there a known issue or limitation with the yandex360 plugin integration in Proxmox?
- Should the token be stored somewhere manually (e.g., environment or file), or is this expected to be handled automatically?
Log of automatic certificate retrieval from PBS 4.1.10
2026-04-27T02:59:37+03:00: Placing ACME order
2026-04-27T02:59:38+03:00: Order URL: https://acme-v02.api.letsencrypt.org/acme/order/xxxxxxx/xxxxx
2026-04-27T02:59:38+03:00: Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz/xxxxxx/xxxxxxx'
2026-04-27T02:59:38+03:00: The validation for pbs.xxxx.com is pending
2026-04-27T02:59:38+03:00: Setting up validation plugin
2026-04-27T02:59:38+03:00: [Mon Apr 27 02:59:38 MSK 2026] Using Yandex 360 DNS API
2026-04-27T02:59:38+03:00: [Mon Apr 27 02:59:38 MSK 2026] Failed to refresh token. Will attempt to obtain a new one.
2026-04-27T02:59:38+03:00: [Mon Apr 27 02:59:38 MSK 2026] =========================================
2026-04-27T02:59:38+03:00: [Mon Apr 27 02:59:38 MSK 2026] NOTICE
2026-04-27T02:59:38+03:00: [Mon Apr 27 02:59:38 MSK 2026] =========================================
2026-04-27T02:59:38+03:00: [Mon Apr 27 02:59:38 MSK 2026] Before using the Yandex 360 API, you need to complete an authorization procedure.
2026-04-27T02:59:38+03:00: [Mon Apr 27 02:59:38 MSK 2026] The initial access token is obtained interactively and is a one-time operation.
2026-04-27T02:59:38+03:00: [Mon Apr 27 02:59:38 MSK 2026] Subsequent API requests will be handled automatically.
2026-04-27T02:59:38+03:00: [Mon Apr 27 02:59:38 MSK 2026] =========================================
2026-04-27T02:59:38+03:00: [Mon Apr 27 02:59:38 MSK 2026] Initiating device authorization flow
2026-04-27T02:59:38+03:00: [Mon Apr 27 02:59:38 MSK 2026] Please visit https://ya.ru/device and log in as an organization administrator
2026-04-27T02:59:38+03:00: [Mon Apr 27 02:59:38 MSK 2026] Once logged in, enter the code: gdxyxitf on the page from the previous step
2026-04-27T02:59:38+03:00: [Mon Apr 27 02:59:38 MSK 2026] Waiting for authorization...
2026-04-27T03:04:42+03:00: [Mon Apr 27 03:04:42 MSK 2026] Failed to get access token
2026-04-27T03:04:42+03:00: [Mon Apr 27 03:04:42 MSK 2026] Error add txt for domain:_acme-challenge.pbs.xxxxxxxx.com
2026-04-27T03:04:42+03:00: Sleeping 600 seconds to wait for TXT record propagation
2026-04-27T03:14:42+03:00: notified via target `mail-to-root`
2026-04-27T03:14:42+03:00: TASK ERROR: '/usr/share/proxmox-acme/proxmox-acme setup' exited with error (1)
Log with manual entry of the first code in ya.ru/device
2026-04-27T10:39:46+03:00: Placing ACME order
2026-04-27T10:39:47+03:00: Order URL: https://acme-v02.api.letsencrypt.org/acme/order/xxxxxx/xxxxxxx
2026-04-27T10:39:47+03:00: Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz/xxxxxx/xxxxxxxxxxxxxx'
2026-04-27T10:39:47+03:00: The validation for pbs.xxxxxxxx.com is pending
2026-04-27T10:39:47+03:00: Setting up validation plugin
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] Using Yandex 360 DNS API
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] Failed to refresh token. Will attempt to obtain a new one.
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] =========================================
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] NOTICE
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] =========================================
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] Before using the Yandex 360 API, you need to complete an authorization procedure.
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] The initial access token is obtained interactively and is a one-time operation.
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] Subsequent API requests will be handled automatically.
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] =========================================
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] Initiating device authorization flow
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] Please visit https://ya.ru/device and log in as an organization administrator
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] Once logged in, enter the code: 3yxxq4ut on the page from the previous step
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] Waiting for authorization...
2026-04-27T10:40:08+03:00: [Mon Apr 27 10:40:08 MSK 2026] Access token obtained successfully
2026-04-27T10:40:08+03:00: Sleeping 600 seconds to wait for TXT record propagation
2026-04-27T10:50:08+03:00: Triggering validation
2026-04-27T10:50:09+03:00: Sleeping for 5 seconds
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] Using Yandex 360 DNS API
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] Failed to refresh token. Will attempt to obtain a new one.
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] =========================================
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] NOTICE
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] =========================================
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] Before using the Yandex 360 API, you need to complete an authorization procedure.
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] The initial access token is obtained interactively and is a one-time operation.
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] Subsequent API requests will be handled automatically.
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] =========================================
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] Initiating device authorization flow
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] Please visit https://ya.ru/device and log in as an organization administrator
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] Once logged in, enter the code: x5uu5hd6 on the page from the previous step
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] Waiting for authorization...
2026-04-27T10:55:14+03:00: [Mon Apr 27 10:55:14 MSK 2026] Failed to get access token
2026-04-27T10:55:14+03:00: [Mon Apr 27 10:55:14 MSK 2026] Error add txt for domain:_acme-challenge.pbs.xxxxx.com
2026-04-27T10:55:14+03:00: Failed to teardown plugin 'yandex' for domain 'pbs.xxx.com' - '/usr/share/proxmox-acme/proxmox-acme teardown' exited with error (1)
2026-04-27T10:55:14+03:00: All domains validated
2026-04-27T10:55:14+03:00: Creating CSR
2026-04-27T10:55:15+03:00: order is ready, finalizing
2026-04-27T10:55:22+03:00: valid
2026-04-27T10:55:22+03:00: Downloading certificate
2026-04-27T10:55:22+03:00: TASK WARNINGS: 1
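Added example, not part of the original post and not Proxmox or acme.sh code: a small parser for the task-log format above that splits a task into plugin invocations and flags any invocation that restarted the device authorization flow after an earlier one had already obtained a token. The function names and the shortened sample log are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: lines shortened from the task-log format shown in the post.
SAMPLE_LOG = """\
2026-04-27T10:39:47+03:00: Setting up validation plugin
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] Using Yandex 360 DNS API
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] Failed to refresh token. Will attempt to obtain a new one.
2026-04-27T10:39:47+03:00: [Mon Apr 27 10:39:47 MSK 2026] Initiating device authorization flow
2026-04-27T10:40:08+03:00: [Mon Apr 27 10:40:08 MSK 2026] Access token obtained successfully
2026-04-27T10:50:08+03:00: Triggering validation
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] Using Yandex 360 DNS API
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] Failed to refresh token. Will attempt to obtain a new one.
2026-04-27T10:50:14+03:00: [Mon Apr 27 10:50:14 MSK 2026] Initiating device authorization flow
2026-04-27T10:55:14+03:00: [Mon Apr 27 10:55:14 MSK 2026] Failed to get access token
"""

# "<ISO timestamp>: [<plugin's own date>] <message>"; the bracketed part is optional.
LINE = re.compile(r"^(\S+): (?:\[[^\]]*\] )?(.*)$")

def plugin_runs(log):
    """Return one record per plugin invocation (each starts at 'Using Yandex 360 DNS API')."""
    runs = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = datetime.fromisoformat(m.group(1)), m.group(2)
        if msg == "Using Yandex 360 DNS API":
            runs.append({"start": ts, "refresh_failed": False,
                         "device_flow": False, "outcome": None, "wait_s": None})
        elif runs and msg.startswith("Failed to refresh token"):
            runs[-1]["refresh_failed"] = True
        elif runs and msg == "Initiating device authorization flow":
            runs[-1]["device_flow"] = True
        elif runs and msg in ("Access token obtained successfully", "Failed to get access token"):
            runs[-1]["outcome"] = "obtained" if msg.startswith("Access") else "failed"
            runs[-1]["wait_s"] = int((ts - runs[-1]["start"]).total_seconds())
    return runs

def lost_token_runs(runs):
    """Indexes of runs that restarted the device flow although an earlier run got a token."""
    have_token, lost = False, []
    for i, run in enumerate(runs):
        if have_token and run["device_flow"]:
            lost.append(i)
        have_token = have_token or run["outcome"] == "obtained"
    return lost
```

Run over a full task log, a non-empty result from `lost_token_runs` means a token obtained earlier in the same task was not available to a later plugin invocation.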