Bug in issuing wildcard certificate with Proxmox ACME

Sprinterfreak

So I'd like to issue a valid LE wildcard certificate for my PBS instance. This is especially useful to hide detailed information about the infrastructure from the public scope of the LE domain log.

I have a working infrastructure for RFC 2136 (dns-01) challenge handling through an alias domain. According to the Proxmox documentation it should be possible to utilize this.
Now the issue lies in configuring a wildcard domain.
You can't create a wildcard domain entry under Certificates->ACME in the WebUI, as "*.sub.domain.tld" does not match the regex.
The documentation states to modify /etc/proxmox-backup/node.cfg by hand and add the "*." prefix to the domain.

This of course breaks the WebUI. Now it only displays an error:
> Bad Request (400)
> line 0: parameter verification failed - 'domain': schema validation failed: value does not match the regex pattern

So it looks like the documentation is not quite compatible with the software itself.
Also, I've not seen it try to issue the certificate yet. Would it be sufficient to fix the domain regex, or is there a deeper problem in wildcard handling?
 
Hi!
This looks like it's an error on our side. We don't allow any '*' in DNS names. I'll check it out.
 
Hi,

I also filed an issue: https://bugzilla.proxmox.com/show_bug.cgi?id=5719
I did manage to pull a wildcard certificate with the suggested patches to the DNS_NAME_FORMAT schema.

There is of course still something weird happening. You need to add two domain entries:
- the.domain.tld
- *.the.domain.tld
This works because when it validates '*.the.domain.tld' it accesses, for whatever reason, the config for the.domain.tld. The WebUI handles wildcard domains flawlessly, and the wildcard does appear and validate successfully in the certificate then.

The AcmeClient seems to fail loading the configuration if the domain contains '*.', as somewhere in the code the '*.' prefix is dropped from the identifier and, without the base domain itself configured, it breaks. If just the wildcard is configured it fails with "no config for domain 'the.domain.tld'" (where it should look up '*.the.domain.tld'). I didn't yet manage to find where the prefix gets lost on the way. This is in src/api2/node/certificates.rs:301
 
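The post above describes two distinct places where a wildcard entry is handled: the schema check that rejects the leading "*.", and the config lookup that silently drops it. As an added illustration (this is example code, not Proxmox's own code, and not the real DNS_NAME_FORMAT schema), the Rust sketch below keeps the two concerns apart: the entry is validated with an optional leading "*.", its config is looked up by the entry exactly as configured, and the dns-01 record name is derived afterwards, where the wildcard and the base domain do collapse to the same `_acme-challenge` name. The `DomainConfig` fields, the alias handling, the label rules and the error string are assumptions made for the example; `lookup_config_stripped` reproduces the failure mode reported in the thread for comparison.

```rust
use std::collections::HashMap;

/// Per-domain ACME settings as a user would configure them (plugin plus an
/// optional alias domain for dns-01). Field names are illustrative.
#[derive(Debug, Clone, PartialEq)]
pub struct DomainConfig {
    pub plugin: String,
    pub alias: Option<String>,
}

/// Configured entries keyed by the domain string exactly as entered.
pub type AcmeConfig = HashMap<String, DomainConfig>;

/// Validate a domain entry for the ACME config. Accepts an optional leading
/// "*." followed by a plain hostname: labels of [a-z0-9-], 1..=63 chars,
/// not starting or ending with '-', at least two labels, <= 253 chars total.
/// A '*' anywhere else ("a.*.b", "*.*.x") is rejected; CAs do not issue those.
pub fn is_valid_acme_domain(entry: &str) -> bool {
    let host = entry.strip_prefix("*.").unwrap_or(entry);
    if host.is_empty() || host.len() > 253 || host.contains('*') {
        return false;
    }
    let labels: Vec<&str> = host.split('.').collect();
    if labels.len() < 2 {
        return false;
    }
    labels.iter().all(|l| {
        !l.is_empty()
            && l.len() <= 63
            && l.bytes().all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'-')
            && !l.starts_with('-')
            && !l.ends_with('-')
    })
}

/// Correct lookup: the configured entry is the key, wildcard prefix included,
/// so a node with only "*.the.domain.tld" configured resolves its own config.
pub fn lookup_config<'a>(cfg: &'a AcmeConfig, entry: &str) -> Result<&'a DomainConfig, String> {
    cfg.get(entry)
        .ok_or_else(|| format!("no config for domain '{}'", entry))
}

/// The failure mode from the thread, for comparison: the "*." prefix is
/// dropped before the lookup, so a wildcard-only configuration is never found
/// and the error names the base domain instead of the configured wildcard.
pub fn lookup_config_stripped<'a>(cfg: &'a AcmeConfig, entry: &str) -> Result<&'a DomainConfig, String> {
    let base = entry.strip_prefix("*.").unwrap_or(entry);
    cfg.get(base)
        .ok_or_else(|| format!("no config for domain '{}'", base))
}

/// The TXT record name a dns-01 validation must publish. Here, and only here,
/// the wildcard is dropped: "*.x.tld" and "x.tld" both validate through
/// "_acme-challenge.x.tld". With an alias configured (assumed to follow the
/// usual CNAME-to-alias scheme) the record goes to "_acme-challenge.<alias>".
pub fn challenge_record_name(entry: &str, cfg: &DomainConfig) -> String {
    let target: &str = match cfg.alias.as_deref() {
        Some(alias) => alias,
        None => entry.strip_prefix("*.").unwrap_or(entry),
    };
    format!("_acme-challenge.{}", target)
}

fn main() {
    // Constructed sample config: only the wildcard entry is present, which is
    // exactly the situation that fails with the stripped lookup.
    let mut cfg = AcmeConfig::new();
    cfg.insert(
        "*.the.domain.tld".to_string(),
        DomainConfig { plugin: "rfc2136".into(), alias: Some("acme.alias.tld".into()) },
    );
    for entry in ["*.the.domain.tld", "the.domain.tld", "*.*.the.domain.tld"] {
        println!(
            "{entry}: valid={} stripped_lookup={:?} lookup={:?}",
            is_valid_acme_domain(entry),
            lookup_config_stripped(&cfg, entry).map(|_| ()),
            lookup_config(&cfg, entry).map(|_| ()),
        );
    }
    let c = &cfg["*.the.domain.tld"];
    println!("dns-01 record: {}", challenge_record_name("*.the.domain.tld", c));
}
```

The point of separating `lookup_config` from `challenge_record_name` is that both "the.domain.tld" and "*.the.domain.tld" legitimately share one challenge record, but they are different identifiers in the order and must be different keys in the config; collapsing them early is what forces the two-entry workaround described above.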
Hi,

Do we have any update on this topic?
Wildcard certificates are still not working.

Thanks
Sascha
 
After having tested it for a while now, I can say that valid certificates don't make much sense for at least PBS installs. Not only does it need more engineering on the ACME side, it is also not what the PVE side expects.
The whole trust mechanism of Proxmox is based on pinned certificate fingerprints, which obviously break on every certificate renewal.

This does not mean it should not be implemented. Just relying on a certificate's fingerprint has its drawbacks. Clearly it is not an area where we should put much effort into unless there are other reasons why bigger things have to be redesigned anyway.
 