Not able to order ACME cert

[papatikka]

I figured out to make my DC safer and add SSL cert for trusted https that is only accessible from LAN, with 2FA etc...

however when pvenode acme cert order -f

Can't use an undefined value as a HASH reference at /usr/share/perl5/PVE/API2/ACME.pm line 196.

I never messed with certs before, this is first time and I just followed the steps of https://pve.proxmox.com/wiki/Certificate_Management
and yeah... it stops at pvenode acme cert order...

I tried following the solution for lps90 but I have no file at etc/default/pveproxy, doesn't exist.

So... I am at loss... what should I do?

 

[Moayad]

What is version of Proxmox VE you're using?

 

[papatikka]

What is version of Proxmox VE you're using?

pveversion -v
proxmox-ve: 8.0.1 (running kernel: 6.2.16-3-pve)
pve-manager: 8.0.3 (running version: 8.0.3/bbf3993334bfa916)
pve-kernel-6.2: 8.0.2
pve-kernel-5.15: 7.4-4
pve-kernel-6.2.16-3-pve: 6.2.16-3
pve-kernel-5.15.108-1-pve: 5.15.108-1
pve-kernel-5.15.102-1-pve: 5.15.102-1
ceph-fuse: 16.2.11+ds-2
corosync: 3.1.7-pve3
criu: 3.17.1-2
glusterfs-client: 10.3-5
ifupdown2: 3.2.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-3
libknet1: 1.25-pve1
libproxmox-acme-perl: 1.4.6
libproxmox-backup-qemu0: 1.4.0
libproxmox-rs-perl: 0.3.0
libpve-access-control: 8.0.3
libpve-apiclient-perl: 3.3.1
libpve-common-perl: 8.0.5
libpve-guest-common-perl: 5.0.3
libpve-http-server-perl: 5.0.3
libpve-rs-perl: 0.8.3
libpve-storage-perl: 8.0.2
libspice-server1: 0.15.1-1
lvm2: 2.03.16-2
lxc-pve: 5.0.2-4
lxcfs: 5.0.3-pve3
novnc-pve: 1.4.0-2
proxmox-backup-client: 3.0.1-1
proxmox-backup-file-restore: 3.0.1-1
proxmox-kernel-helper: 8.0.2
proxmox-mail-forward: 0.2.0
proxmox-mini-journalreader: 1.4.0
proxmox-widget-toolkit: 4.0.5
pve-cluster: 8.0.1
pve-container: 5.0.4
pve-docs: 8.0.4
pve-edk2-firmware: 3.20230228-4
pve-firewall: 5.0.2
pve-firmware: 3.7-1
pve-ha-manager: 4.0.2
pve-i18n: 3.0.4
pve-qemu-kvm: 8.0.2-3
pve-xtermjs: 4.16.0-3
qemu-server: 8.0.6
smartmontools: 7.3-pve1
spiceterm: 3.3.0
swtpm: 0.8.0+pve1
vncterm: 1.8.0
zfsutils-linux: 2.1.12-pve1

 

[papatikka]

@Moayad

Sorry for pinging but there have been some time without answers =)

 

[Moayad]

Hi,

Sorry for the late answer...

Thank you for the output of pveversion -v! can you please check of the configuration for the ACME if correct?

What do you see in the syslog during the order a new certificate?

 

[fabian]

the error does sound like your config is wrong - could you post the complete node config file?

 

[papatikka]

the error does sound like your config is wrong - could you post the complete node config file?

Sorry, I've had a lot stuff to do but now I am utilizing tailscale and its become important for me to have valid HTTPS cert when I'm using vpn services to access my LAN.

Do you mean

/etc/pve/nodes/y33/config

?

It's empty except a ACME account/user and nothing else.

 

[fabian]

you have to specify the domain there as well.. I'd suggest configuring it over the web UI if you are unsure!

 

[papatikka]

you have to specify the domain there as well.. I'd suggest configuring it over the web UI if you are unsure!

Do I need domain in order to utilize acme cert? I was just thinking of https'ing localnetwork\8006 so it doesnt say "unsafe browsing" even thought it says https://localnetwork/8006

 

[fabian]

that won't work (at least not for a trusted-by-default CA like Let's Encrypt). for IP addresses or internal/local domains you can only use an internal CA or self-signed certificates, in which case your client system(s) must trust that CA (or self-signed certificate)..