Lets Encrypt JWS verification error

A

Afox

Renowned Member
Dec 18, 2014
257
13
83
Hello,

when I use the same FQDN for both API and SMTP after successfully ordering the API cert the SMTP request throws an error like so:
urn:ietf:params:acme:error:malformed: JWS verification error at /usr/share/perl5/PMG/API2/Certificates.pm line 425.
Click to expand...
No SMTP cert was created at this point. When I then run the same SMTP creation request again it creates a second cert with the same FQDN.

I don´t know if this is intended.

I selected both SMTP and API when adding the domain.

Best regards,

Afox
 
Last edited:
Hi!

Do you use Let's Encrypt or another ACME provider?

Any proxy in between your Proxmox Mail Gateway instance and the ACME provider?

Did you use the HTTP or the DNS challenge?

Afox said:
I don´t know if this is intended.
Click to expand...

It isn't, it should work without a second try and actually does here, at least the times I tried it out; there still may be an issue in the code, but we used the test suite from Let's Encrypt (pebble) to verify it, so it should actually have not too bad coverage and that's why I'm asking above questions.

Anyway, thanks for the feedback!
 
Hello,

I did everything via the webinterface. Created an account and then added the domain.

Only thing I did unusual was that I first added the same domain for API and SMTP separately. Then after I realized that something was wrong as there weren´t two entries I deleted the only displayed entry and then also deleted a second one that showed up after I deleted the first one.

After the deletion I added the domain with both API and SMTP selected and requested the cert as stated above.

So maybe the problem is within my attempt to separately adding API and SMTP under the same domain?
t.lamprecht said:
Any proxy in between your Proxmox Mail Gateway instance and the ACME provider?
Click to expand...
I have no proxy or something in between.
t.lamprecht said:
Did you use the HTTP or the DNS challenge?
Click to expand...
HTTP.

Just to clarify: It is normal that 2 different certs are created for the same FQDN if one selects both API and SMTP?

Best regards,

Afox
 
Last edited:
Afox said:
So maybe the problem is within my attempt to separately adding API and SMTP under the same domain?
Click to expand...
Hmm, that should actually not matter much, we query alls certs configured for a type and do an order then - if one is configured in a single entry with both uses (SMTP and API) set or configured in two separate entries should not matter.

Afox said:
Just to clarify: It is normal that 2 different certs are created for the same FQDN if one selects both API and SMTP?
Click to expand...
Yes, that's currently by design. While one could optimize the case where SMTP and API are configured for the exact same set of domains, once that set is not the same anymore PMG would need to do two certs order anyway, so we left that optimization out for now (two orders vs. one every two months is not a biggie).
 
  • Like
Reactions: Afox
You must log in or register to reply here.
Top Bottom