Let's Encrypt DNS Validation through CNAME Alias

dononeil

Oct 18, 2025
I'm new to Proxmox 9, and I'm not understanding how to set up a DNS challenge using my own DNS server that doesn't have an API.

I'm trying to follow the "DNS Validation through CNAME Alias" from https://pve.proxmox.com/wiki/Certificate_Management, but I simply don't understand what I'm supposed to set up in the CNAME, nor what I'm supposed to select for the DNS API in the GUI.

My host name is 'proxmox' ... and I have complete editing rights to my domain DNS, i.e. 'mydomain.com'.

What should the CNAME I create be for the host proxmox.mydomain.com? What should the settings be in the ACME DNS Plugin config to make Let's Encrypt work? I have already successfully set up the Let's Encrypt account, but it can't validate via https because my machine is on a private network.

Thanks!
 
Welcome to the Forum!

Disclaimer: I have not tested it myself, I'm just reading https://pve.proxmox.com/wiki/Certificate_Management#sysadmin_certs_acme_dns_challenge :)

You should own some other domain (let's call it your-other-domain.com) which is kept on another DNS server which does support the API. The lists of such DNS providers are at

https://community.letsencrypt.org/t...egrate-with-lets-encrypt-dns-validation/86438
and
https://github.com/acmesh-official/acme.sh/wiki/dnsapi#how-to-use-dns-api

Then in YOUR domain you create the CNAME record like

_acme-challenge.mydomain.com. IN CNAME _acme-challenge.your-other-domain.com.

Note the dots at the ends of the strings!
In case you want to limit the setup only to proxmox.mydomain.com, maybe you can create a more specific record, like

_acme-challenge.proxmox.mydomain.com. IN CNAME _acme-challenge.your-other-domain.com.

Then the Proxmox documentation instructs:
set the alias property on the corresponding acmedomainX key in the Proxmox VE node configuration file to
your-other-domain.com.

How, in detail, it is being set, I'm not sure. Here the Proxmox documentation (both the one you linked and the PDF version of the Administrator Guide) is inconsistent with the GUI reality.

It reads "Choose DNS as challenge type". But there is no "challenge type" field! Neither in the screenshot in the docs, nor in my real GUI.
I guess that you go to "Datacenter --> ACME" and first you fill in "Account --> Add"
Then in "Challenge Plugins --> Add" you make up some Plugin ID and then in the "DNS API" drop-down list you select the DNS provider of your-other-domain.com. I guess...

Let us know if my description has helped you.
Good luck!
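
An offline check of the records described in the answer above, as an added example that is not part of the original posts: it applies the zone-file rule behind "note the dots" and follows the CNAME to show where the TXT record has to exist. The zone lines are constructed, the function names are hypothetical, and it assumes the DNS plugin writes the TXT record at _acme-challenge.<alias>.

```python
# Added example: constructed zone lines, hypothetical helper names.
def absolutize(name, origin):
    """Zone-file rule: a name without a trailing dot is relative to $ORIGIN."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_cnames(zone_text, origin):
    """Return {owner: target} for 'owner IN CNAME target' lines."""
    cnames = {}
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop zone-file comments
        if len(fields) == 4 and fields[1].upper() == "IN" and fields[2].upper() == "CNAME":
            cnames[absolutize(fields[0], origin)] = absolutize(fields[3], origin)
    return cnames

def validation_name(domain, cnames, max_hops=8):
    """Name at which the CA ends up looking for the TXT record for `domain`."""
    name = f"_acme-challenge.{domain.rstrip('.').lower()}."
    for _ in range(max_hops):
        if name not in cnames:
            return name
        name = cnames[name]
    raise ValueError("CNAME loop or chain too long")

def check_alias(domain, alias, zone_text, origin):
    """True if the TXT record written under `alias` is the one the CA queries."""
    expected = f"_acme-challenge.{alias.rstrip('.').lower()}."  # assumed plugin behaviour
    return validation_name(domain, parse_cnames(zone_text, origin)) == expected

ORIGIN = "mydomain.com."
# Record from the answer, with and without the trailing dot on the target.
GOOD = "_acme-challenge.proxmox.mydomain.com. IN CNAME _acme-challenge.your-other-domain.com."
BAD = "_acme-challenge.proxmox.mydomain.com. IN CNAME _acme-challenge.your-other-domain.com"

if __name__ == "__main__":
    for label, zone in (("with trailing dot", GOOD), ("without trailing dot", BAD)):
        target = validation_name("proxmox.mydomain.com", parse_cnames(zone, ORIGIN))
        ok = check_alias("proxmox.mydomain.com", "your-other-domain.com", zone, ORIGIN)
        print(f"{label}: CA queries {target} | matches alias: {ok}")
```

Without the trailing dot the target stays inside mydomain.com, so the TXT record created in the other zone is never the one queried.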