[SOLVED] CertBot with dns-01 and CNAMEs

Jan 8, 2022
Hello,

Has anyone implemented CertBot with dns-01 using CNAMEs/aliases?

I read through Wiki - DNS Validation through CNAME Alias, and it seems to support it through the UI (with the exception of one step). However, I get to the step of the instructions where it says to edit the node configuration file and set an alias, but it doesn't provide any instructions on where this file is.

set the alias property in the Proxmox VE node configuration file to domain2.example

I've seen forum posts where people have used CLI scripts to manage domains, but I'm really trying to stick to the UI as much as I can since it works really well.

Thanks in advance,

James
 
After some poking around, I did get it figured out...

1. Configure ACME through the Proxmox UI.
2. Via the CLI on one of the Proxmox hosts, edit /etc/pve/nodes/$NODE/config
3. On the acmedomain0 line, add this to the end: ,alias=myserver.domain2.com

So the file should look something like this:
Code:
acme: account=my-certbot-account
acmedomain0: proxmox1.mydomain.com,plugin=my-dns-update,alias=proxmox1.mycertbotdomain.com

You can also do this through the CLI with:
Code:
pvenode config set -acmedomain0 domain=proxmox1.mydomain.com,alias=proxmox1.mycertbotdomain.com,plugin=my-dns-update

I've found that if I screw up the file (usually by hand editing), then the Host > System > Certificate view in the UI will refuse to load. So that was a good litmus test.

Then on the DNS side, this is what needs to be set up:
1. proxmox1.mydomain.com needs to have an A record for your node's actual IP address
2. _acme-challenge.proxmox1.mydomain.com needs to be a CNAME to _acme-challenge.proxmox1.mycertbotdomain.com
3. Whatever ACME challenge plugin you use (in the Datacenter/ACME section of Proxmox) must have the credentials to update anything in mycertbotdomain.com. In my case, this is AWS credentials that can update Route53 domains. The time delay is usually defined by the cloud provider; mine is 60 seconds, which seems to be ample time.

Hope this helps
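
A pre-flight check for the setup described above, as an added example that is not part of the original post: it reads the acmedomainN lines from a node config, derives the CNAME each alias requires, and compares that with what DNS returns. The function names and the sample config are constructed for illustration; check_live assumes dig is installed.

```shell
#!/bin/sh
# Constructed sample mirroring the config shown in the post, plus one
# entry without an alias (hypothetical) to show that it is skipped.
SAMPLE_CONFIG='acme: account=my-certbot-account
acmedomain0: proxmox1.mydomain.com,plugin=my-dns-update,alias=proxmox1.mycertbotdomain.com
acmedomain1: proxmox1.example.net,plugin=my-dns-update'

# Read a node config on stdin and print, for every acmedomainN entry that
# has an alias: "<challenge name> <expected CNAME target>".
expected_cnames() {
    awk -F': *' '/^acmedomain[0-9]+:/ {
        n = split($2, kv, ",")
        domain = ""; alias = ""
        for (i = 1; i <= n; i++) {
            if (kv[i] ~ /^alias=/)        alias = substr(kv[i], 7)
            else if (kv[i] ~ /^domain=/)  domain = substr(kv[i], 8)
            else if (kv[i] !~ /=/)        domain = kv[i]   # bare value = domain
        }
        if (domain != "" && alias != "")
            print "_acme-challenge." domain, "_acme-challenge." alias
    }'
}

# DNS names are case-insensitive and dig prints a trailing dot.
normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Return 0 when the CNAME target seen in DNS ($1) matches the expected one ($2).
cname_matches() {
    [ "$(normalize "$1")" = "$(normalize "$2")" ]
}

# Live check; needs dig and network access.
# Usage: check_live "/etc/pve/nodes/$NODE/config"
check_live() {
    expected_cnames < "$1" | while read -r name target; do
        actual=$(dig +short CNAME "$name")
        if cname_matches "$actual" "$target"; then
            echo "OK      $name -> $target"
        else
            echo "MISSING $name (want $target, got '${actual:-nothing}')"
        fi
    done
}
```

A MISSING line means the challenge name is not delegated to the alias zone, so the TXT record the plugin writes there will not be found during validation.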
 
Hope the alias parameter gets added to the UI eventually. :)
(also, base64 support to avoid key files)
 