API data for Let's Encrypt dns-01 challenge using Azure

yobyot (New Member), Jan 19, 2023
Hello,

I can't seem to find any doc or description of the format for supplying "API data" to an ACME dns-01 challenge using the Azure plugin. I'm asking about the expected format of the parameters that need to be passed to the plugin via this dialog:

[screenshot 1.png: the plugin's "API data" dialog in the web UI]

I tried using the CLI but it returns an empty object for the Azure plugin, as seen below. IOW, I have no idea how to format a JSON object to put into the API data field.

[screenshot 2.png: CLI output showing an empty object for the Azure plugin]

Note that I am not asking what Azure info needs to be in the object (service principal, etc). I am asking where to find how to format that object for use in the web UI.

I'm a newbie, so excuse the dumb questions.
 
Normally acme likes environment variables like:

AZUREDNS_SUBSCRIPTIONID="..."
AZUREDNS_TENANTID="..."
AZUREDNS_APPID="..."
AZUREDNS_CLIENTSECRET="..."

But I never used the acme Azure Plugin in Proxmox so give it a try, maybe line by line or delimited with ; or ,
 
Thanks for the clue.

> Normally acme likes environment variables like:
>
> AZUREDNS_SUBSCRIPTIONID="..."
> AZUREDNS_TENANTID="..."
> AZUREDNS_APPID="..."
> AZUREDNS_CLIENTSECRET="..."
>
> But I never used the acme Azure Plugin in Proxmox so give it a try, maybe line by line or delimited with ; or ,

Thanks.

Finally (after a couple of days of hacking at this), I got it to work. Some notes for future victims:
  • Be sure not to use quotes when specifying Azure DNS properties for acme.sh.
  • You must make sure to give the Azure AD app proper permissions to add a TXT record. DNS TXT Contributor RBAC permission on the DNS Zone resource (or, if you insist, at the subscription or resource group level) should do it.
  • Give up on using the web UI. Instead, try this sequence:
    pvenode acme account register default person@example.com
    pvenode acme plugin remove azurePlugin
    pvenode acme plugin add dns azurePlugin --api azure --data /home/user/azureDnsCredentials
    pvenode acme plugin config azurePlugin
    pvenode config set -acmedomain0 domain=pve.example.com,alias=alias.example.com,plugin=azurePlugin
    pvenode acme cert order
  • I needed to use the alias capability of dns-01 because the base domain is registered at Google Domains (big mistake on my part!). Google Domains doesn't offer API access, so creating a zone in Azure DNS and CNAMEing to it is my solution for Let's Encrypt dns-01 challenges. That complicates this a bit but doesn't matter to pvenode.
Finally, I couldn't find any of the logs from pvenode or the ACME output. That left me stumped for a while. But looking at acme.sh itself should help you if you get stuck.
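An added example, not from this thread and not Proxmox or acme.sh code, that serves both the environment-variable hint in the earlier reply and the pvenode sequence in the last post. It assumes the file passed to `--data` is plain KEY=VALUE lines using the acme.sh dns_azure variable names named above, with no quotes around the values (the gotcha from the notes), and it reuses the plugin id azurePlugin from the thread. It writes that file owner-only (it holds a client secret), checks it for the "quoted value" mistake and for missing or empty keys before anything is registered, and only then calls pvenode; `install_azure_plugin` is meant to be run on the Proxmox node itself. The GUID-like values in the usage call are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the thread, not Proxmox code): build and sanity-check
# the credentials file handed to `pvenode acme plugin add ... --data FILE`.
# Assumption: the file is plain KEY=VALUE lines with the acme.sh dns_azure
# variable names, and values are NOT quoted.

AZURE_KEYS="AZUREDNS_SUBSCRIPTIONID AZUREDNS_TENANTID AZUREDNS_APPID AZUREDNS_CLIENTSECRET"

# write_azure_data FILE SUBSCRIPTION TENANT APPID SECRET
# Writes the four variables unquoted, readable by the owner only (it holds a secret).
write_azure_data() {
  file="$1"
  rm -f "$file"                      # never inherit looser permissions from an old copy
  (
    umask 077
    {
      printf 'AZUREDNS_SUBSCRIPTIONID=%s\n' "$2"
      printf 'AZUREDNS_TENANTID=%s\n' "$3"
      printf 'AZUREDNS_APPID=%s\n' "$4"
      printf 'AZUREDNS_CLIENTSECRET=%s\n' "$5"
    } > "$file"
  )
}

# validate_azure_data FILE
# Returns 0 when every required key appears exactly once with a non-empty,
# unquoted, whitespace-free value; otherwise reports the first problem and returns 1.
validate_azure_data() {
  file="$1"
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  for k in $AZURE_KEYS; do
    n=$(grep -c "^${k}=" "$file" || true)
    if [ "$n" -ne 1 ]; then
      echo "$k: expected exactly once, found $n" >&2; return 1
    fi
    v=$(sed -n "s/^${k}=//p" "$file")
    case "$v" in
      "")              echo "$k: empty value" >&2; return 1 ;;
      \"*|\'*|*\"|*\') echo "$k: value must not be quoted" >&2; return 1 ;;
      *[[:space:]]*)   echo "$k: value contains whitespace" >&2; return 1 ;;
    esac
  done
  return 0
}

# install_azure_plugin FILE DOMAIN [ALIAS]
# The pvenode steps from the thread (plugin id "azurePlugin" as used there),
# run only after the data file passes validation. Requires a Proxmox node.
install_azure_plugin() {
  file="$1"; domain="$2"; alias="$3"
  validate_azure_data "$file" || return 1
  pvenode acme plugin add dns azurePlugin --api azure --data "$file" || return 1
  spec="domain=${domain},plugin=azurePlugin"
  if [ -n "$alias" ]; then
    spec="${spec},alias=${alias}"       # CNAME alias zone, as in the thread
  fi
  pvenode config set -acmedomain0 "$spec"
}

# Usage (constructed placeholder values, not real credentials):
#   write_azure_data /root/azureDnsCredentials \
#     00000000-0000-0000-0000-000000000001 \
#     00000000-0000-0000-0000-000000000002 \
#     00000000-0000-0000-0000-000000000003 \
#     constructed-client-secret
#   validate_azure_data /root/azureDnsCredentials
#   install_azure_plugin /root/azureDnsCredentials pve.example.com alias.example.com
#   pvenode acme cert order
```

Running `validate_azure_data` before `pvenode acme plugin add` means a quoted or missing value is reported on the node with a clear message, instead of surfacing only as a failed TXT update deep inside acme.sh, which the last post notes is hard to find in the pvenode output.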
 
