No configuration is done letsencrypt certificate

ounce

New Member
May 27, 2018
6
0
1
34
Moscow
onlinebd.ru
I get the following error when executing pvenode acme cert order

Code:
root@pve:~# pvenode acme cert order

Loading ACME account details
Placing ACME order
Order URL: acme-v02.api.letsencrypt.org/acme/order/35236266/6065727

Getting authorization details from 'acme-v02.api.letsencrypt.org/acme/authz/TOZ5uV72yV3yjDpDyi5ttqtXItsrbNtREVbQePTwiGM'
... pending!

Setting up webserver
failed setting up webserver - Failed to initialize HTTP daemon
Task failed setting up webserver - Failed to initialize HTTP daemon
 
* Is there any helpful information in the logs or in the journal? (journalctl -r)
* Is anything listening on port 80 of the node? (ss -tlnp)
 
* Is there any helpful information in the logs or in the journal? (journalctl -r)
* Is anything listening on port 80 of the node? (ss -tlnp)

Code:
# journalctl -r

май 28 12:29:28 pve pvenode[5647]: <root@pam> end task UPID:pve:00001610:36F4811A:5B0BCBF7:acmenewcert::root@pam: failed setting up webserver - Failed to initialize HTTP daemon
май 28 12:29:28 pve pvenode[5648]: failed setting up webserver - Failed to initialize HTTP daemon
май 28 12:29:27 pve pvenode[5647]: <root@pam> starting task UPID:pve:00001610:36F4811A:5B0BCBF7:acmenewcert::root@pam:

Code:
root@pve:/var/log# tail -f *.log

==> kern.log <==
May 28 12:31:38 pve pvenode[7499]: <root@pam> starting task UPID:pve:00001D4F:36F4B419:5B0BCC7A:acmenewcert::root@pam:

==> daemon.log <==
May 28 12:31:39 pve pvenode[7503]: failed setting up webserver - Failed to initialize HTTP daemon

==> kern.log <==
May 28 12:31:39 pve pvenode[7499]: <root@pam> end task UPID:pve:00001D4F:36F4B419:5B0BCC7A:acmenewcert::root@pam: failed setting up webserver - Failed to initialize HTTP daemon

On port 80, I have nginx, which proxies requests for virtual sites created with proxmox:
Code:
root@pve:~# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN      27896/zabbix_agentd
tcp        0      0 0.0.0.0:8099            0.0.0.0:*               LISTEN      10507/nginx: master
tcp        0      0 0.0.0.0:8006            0.0.0.0:*               LISTEN      21137/pveproxy     
tcp        0      0 0.0.0.0:18090           0.0.0.0:*               LISTEN      10507/nginx: master
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      3039/dtach         
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      27569/dtach         
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      858/rpcbind         
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      10507/nginx: master
tcp        0      0 127.0.0.1:85            0.0.0.0:*               LISTEN      1834/pvedaemon     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      16855/sshd         
tcp        0      0 0.0.0.0:8088            0.0.0.0:*               LISTEN      10507/nginx: master
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      1907/spiceproxy     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      15530/master       
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      10507/nginx: master
tcp6       0      0 :::10050                :::*                    LISTEN      27896/zabbix_agentd
tcp6       0      0 :::5900                 :::*                    LISTEN      3039/dtach         
tcp6       0      0 :::111                  :::*                    LISTEN      858/rpcbind         
tcp6       0      0 :::22                   :::*                    LISTEN      16855/sshd         
tcp6       0      0 ::1:25                  :::*                    LISTEN      15530/master
 
Simply it turns out that certificates are intended for sites that are on virtual sites to work on ports 80 and 443, and they can be run only through proxying nginx, proxmox in the box does not provide such an opportunity. It turns out there are certificates, but they can not be used.
 
  • pveproxy is not a general http(s) proxy, but rather serves the purpose of delivering the webUI of proxmox.
  • you can use nginx on the host and proxy to your sites - but in that case the ACME implementation of PVE might not be the best match (we currently do not support having a different listener on port 80, if you use ACME) - you would have to make sure to stop nginx during the http challenge
  • Implementing the DNS-challenge is on our roadmap
  • Making the port where the ACME certificate challenge server binds to configurable might be a feature worth implementing - if you like please open a request in our bugtracker: https://bugzilla.proxmox.com/
  • If you do have multiple public IPs you can also put nginx inside a container and use another ip for pveproxy and the ACME challenges (the certificates end up in /etc/pve/ - you can copy them from there
 
Great, really I stopped nginx ordered a certificate and restarted it and voila all works. Well, I'll get the task to improve in the tracker.
 
  • you can use nginx on the host and proxy to your sites - but in that case the ACME implementation of PVE might not be the best match (we currently do not support having a different listener on port 80, if you use ACME) - you would have to make sure to stop nginx during the http challenge
is there a pre/post hook perhaps?

Implementing the DNS-challenge is on our roadmap

Perhaps using the web-root as an option?

Personally I use a lighttpd to redirect requests to :8006 from 80 and 443, so it would be nice to have a stop/start hook somewhere.
 
Hi guys!

I have haproxy on proxmox host and have troubles with certificate renewals.
I found solution which allows to change proxmox ACME verification server port from 80 to any other.

h**ps://wiki.autosys.tk/proxmox/acme_change_challenge_request_port

You can manually change port in file: /usr/share/perl5/PVE/ACME/StandAlone.pm
Code which starts HTTP-server:

my $server = HTTP::Daemon->new(
LocalPort => 80,
ReuseAddr => 1,
) or die "Failed to initialize HTTP daemon\n";


After changing port (for example to 8080) you need setup reverse proxy to 127.0.0.1:8080 in your haproxy or nginx and restart proxmox services:

service pve-cluster restart && service pvedaemon restart && service pvestatd restart && service pveproxy restart

After that you can successfully renew your cert!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!