DNS Challenge fails on one Proxmox host (ACME: status invalid, All-Inkl)

ThiemoSt

Member
Dec 1, 2020
Hi everyone,

I'm facing an issue where several of my hosts no longer receive certificates.
I'm using the DNS challenge with All-Inkl. The TXT records are being created correctly with the configured settings.

The problem occurs on two PVE installations at two different locations (both using Telekom fiber connections, in case that's relevant). Interestingly, I also have a third installation at Hetzner (freshly installed recently), and there everything works without any issues.

The error I'm consistently getting is:
TASK ERROR: validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz/23347xxx17/50552xxx46437' failed - status: invalid

I haven't changed anything in the configuration — it was working before. The DNS entries are being created properly, and even with a 1200s delay for propagation, the challenge validation still fails.

At one of the affected locations, I have a 5-node cluster. Interestingly, the certificate renewal works fine on 4 out of the 5 hosts — only the fifth one is failing. This fifth host is the newest one in the cluster, and certificate issuance did work on it before (both for initial issuance and renewal). Now, neither renewal nor issuing a completely new certificate works on this node.

I already posted this issue in the German section of the forum, but unfortunately didn’t receive any replies so far.
Does anyone have an idea where I could dig deeper to find the root cause of this problem?

Thanks a lot in advance for any help!
 
I have the same problem today when I try to get a new cert for my Proxmox Backup Server:

Code:
could not notify via target `mail-to-root`: could not notify via endpoint(s): mail-to-root: no recipients provided for the mail, cannot send it.
TASK ERROR: validating challenge 'https://acme-staging-v02.api.letsencrypt.org/acme/chall/197155534/17060573534/2y9njA' failed - status: Invalid
 
Just today I saw that there is more information about the error at the URL shown.
I can't understand why the TXT record is not found. With other hosts in the same cluster it works perfectly.
Code:
{
  "identifier": {
    "type": "dns",
    "value": "pve.xxxx.de"
  },
  "status": "invalid",
  "expires": "2025-04-29T12:19:44Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2343xxx427/50944xxx717/QYxxxsQ",
      "status": "invalid",
      "validated": "2025-04-22T12:20:38Z",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "No TXT record found at _acme-challenge.pve.xxx.de",
        "status": 403
      },
      "token": "4WPmRAoaw1XkwMvSJXxxxzkUzQ1AdAzvCR18LokYI"
    }
  ]
}
 
Looks like DuckDNS fixed something; my problem is gone.
 
Hi all, I'm also getting this error. It's been working fine for a number of months (can't remember exactly when I first set it up), but now the renewal just fails with this same message as others have quoted:

Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/199239614/24541486954

Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz/199239614/17301825174'
The validation for matrix.<redacted>.<redacted> is pending!
[Sun May 11 11:59:33 AEST 2025] Adding record
[Sun May 11 11:59:33 AEST 2025] Added, OK
Add TXT record: _acme-challenge.matrix.<redacted>.<redacted>
Sleeping 30 seconds to wait for TXT record propagation
Triggering validation
Sleeping for 5 seconds
[Sun May 11 12:00:10 AEST 2025] Don't need to remove.
Remove TXT record: _acme-challenge.matrix.<redacted>.<redacted>
TASK ERROR: validating challenge 'https://acme-staging-v02.api.letsencrypt.org/acme/authz/199239614/17301825174' failed - status: invalid

I have checked in Cloudflare and the TXT record is definitely getting created. It also says that part is successful in the output above. Note that I have tried with a 30 sec wait time in the plugin config for Cloudflare DNS, and also tried 300 sec, 500 sec, and 1200 sec. All fail with the same output.

I've also tried from the CLI using the "pvenode acme cert renew" command but get the same result.

I have since deleted my ACME certificate by running "rm /etc/pve/local/pveproxy-ssl.*" and then restarting the PVE API Proxy service with "systemctl restart pveproxy". After refreshing the browser I am back logging into my node using the default self-signed certificate.

But even after deleting and recreating my ACME / Let's Encrypt config and my plugin config for Cloudflare, I am not able to order a certificate any more. Same error as I got with the renewal. So now I'm stuck with no ability to create and use an SSL cert for logging into my node.

If I check out the pvedaemon log it doesn't show anything else either:
Code:
journalctl -u pvedaemon -f
May 11 14:41:42 matrix pvedaemon[584851]: <root@pam> successful auth for user 'root@pam'
May 11 14:56:42 matrix pvedaemon[581529]: <root@pam> successful auth for user 'root@pam'
May 11 15:11:10 matrix pvedaemon[581529]: <root@pam> starting task UPID:matrix:000A2026:211E14D7:6820316E:acmenewcert::root@pam:
May 11 15:11:42 matrix pvedaemon[581529]: <root@pam> successful auth for user 'root@pam'
May 11 15:19:41 matrix pvedaemon[663590]: validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz/2391642127/518608030967' failed - status: invalid
May 11 15:19:41 matrix pvedaemon[581529]: <root@pam> end task UPID:matrix:000A2026:211E14D7:6820316E:acmenewcert::root@pam: validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz/2391642127/518608030967' failed - status: invalid
May 11 15:26:42 matrix pvedaemon[581529]: <root@pam> successful auth for user 'root@pam'
May 11 15:34:00 matrix pvedaemon[588616]: <root@pam> starting task UPID:matrix:000A5B61:21202C3F:682036C8:acmenewcert::root@pam:
May 11 15:34:26 matrix pvedaemon[678753]: validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz/2391642127/518615565417' failed - status: invalid
May 11 15:34:26 matrix pvedaemon[588616]: <root@pam> end task UPID:matrix:000A5B61:21202C3F:682036C8:acmenewcert::root@pam: validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz/2391642127/518615565417' failed - status: invalid
May 11 15:41:42 matrix pvedaemon[584851]: <root@pam> successful auth for user 'root@pam'
May 11 15:56:42 matrix pvedaemon[581529]: <root@pam> successful auth for user 'root@pam'
May 11 16:11:42 matrix pvedaemon[588616]: <root@pam> successful auth for user 'root@pam'

What other log files or things should I look at to troubleshoot further?
 
Hi,

Currently there is no "_acme-challenge.matrix.domain.tld" in your DNS zone.
And the error is not in Proxmox; it is sent directly by Let's Encrypt, which says: "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.matrix.domain.tld - check that a DNS record exists for this domain".

Best regards,
 
But the record is in my DNS zone...
 
Hi,

But the record is in my DNS zone...
Not at this time:
Code:
:~# dig TXT _acme-challenge.matrix.c****e.i*** @brit.ns.cloudflare.com.

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> TXT _acme-challenge.matrix.c****e.i*** @brit.ns.cloudflare.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15278
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.matrix.c****e.i***. IN TXT

;; AUTHORITY SECTION:
c****e.i***.            1800    IN      SOA     brit.ns.cloudflare.com. dns.cloudflare.com. 2372427349 10000 2400 604800 1800

;; Query time: 7 msec
;; SERVER: 173.245.58.78#53(brit.ns.cloudflare.com.) (UDP)
;; WHEN: Mon May 12 19:50:45 CEST 2025
;; MSG SIZE  rcvd: 125

Best regards,
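As an added example (not part of this thread or of Proxmox's own code): the dns-01 validator asks the authoritative name servers for a TXT record at _acme-challenge.<name> whose value is derived from the challenge token and the ACME account key (RFC 8555 section 8.4, RFC 7638 thumbprint). This stdlib-only Python recomputes that expected value and classifies what a resolver returned, so the NXDOMAIN shown in the dig above (record never reached the authoritative server) can be told apart from a stale or wrong value; the account key and token used here are constructed sample data.

```python
"""Added example, not from the forum thread: recompute the dns-01 TXT value
an ACME CA expects and compare it with what the authoritative server returned."""
import base64
import hashlib
import json
from typing import List, Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON (sorted keys, no whitespace)
    of the required public members of the account key."""
    if jwk["kty"] == "RSA":
        members = {k: jwk[k] for k in ("e", "kty", "n")}
    elif jwk["kty"] == "EC":
        members = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    else:
        raise ValueError("unsupported kty: %r" % jwk["kty"])
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def expected_dns01_txt(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.4: TXT rdata = base64url(SHA-256(token + '.' + thumbprint))."""
    key_authorization = "%s.%s" % (token, jwk_thumbprint(account_jwk))
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def classify(observed_txt: Optional[List[str]], expected: str) -> str:
    """observed_txt is the TXT rdata set at _acme-challenge.<name> as seen on an
    authoritative name server; None models the NXDOMAIN from the dig above."""
    if observed_txt is None:
        return "NXDOMAIN: record never reached this authoritative server"
    if expected in observed_txt:
        return "OK: matching TXT record present"
    return "MISMATCH: TXT present but holds a different (stale?) value"


# Constructed sample data: a hypothetical EC account key and challenge token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c" * 43, "y": "d" * 43}
SAMPLE_TOKEN = "4WPmRAoaw1XkwMvSJXxxxzkUzQ1AdAzvCR18LokYI"

if __name__ == "__main__":
    want = expected_dns01_txt(SAMPLE_TOKEN, SAMPLE_JWK)
    print("expected TXT:", want)
    print(classify(None, want))          # what the dig in this thread showed
    print(classify(["stale-value"], want))
    print(classify([want], want))
```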