Obtain LetsEncrypt TXT Record from pvenode?

[cweilemann]

Is there a way through SSH to obtain the TXT record from LetsEncrypt such that I could initially configure LE SSL certs within a node and then simply make a renewal request through the GUI? Thus, the auto renewal of SSL certs would work going forward?

I ask as I've yet to find a workaround using Namecheap as my DNS provider and haven't been successful finding an answer on the forums or search engines.

 

[Alwin]

PVE 6.3 has acme support with a good portion of provider APIs. Namecheap is among them. So I don't quite understand what preparation you want to do.

 

[cweilemann]

Even following the docs, I cannot get PVE to write the TXT record to Namecheap. So I need to somehow obtain what that TXT record entry should be so I can manually add it to my Namecheap DNS so I can then make a call to renew and obtain the certificate through the GUI.

 

[Alwin]

Even following the docs, I cannot get PVE to write the TXT record to Namecheap.

Since it is acme beneath, did you see their docs? And did you activate the API on namecheap?
https://go-acme.github.io/lego/dns/namecheap/

 

[cweilemann]

Yes. I obtained an API key and followed the dns-01 instructions found here (https://pve.proxmox.com/wiki/Certificate_Management#sysadmin_certs_acme_dns_challenge) along with the guidance found in acme’s docs (https://github.com/acmesh-official/acme.sh/wiki/dnsapi#53-use-namecheap), which also include whitelisting my IP address.

 

[Alwin]

Yes. I obtained an API key and followed the dns-01 instructions found here

And does API access work, like the example in the namecheap api intro? If so, what is the message from the acme plugin itself?

 

[cweilemann]

And does API access work, like the example in the namecheap api intro? If so, what is the message from the acme plugin itself?

Performing the following from the console of the server using curl:

https://api.namecheap.com/xml.response?ApiUser=<my-namecheap-username>&ApiKey=<my-namecheap-api-key>&UserName=<my-namecheap-username>&Command=namecheap.domains.dns.getHosts&ClientIp=<my-whitelisted-ip>&SLD=<my-sld>&TLD=<my-tld>

<?xml version="1.0" encoding="utf-8"?>
<ApiResponse Status="OK" xmlns="http://api.namecheap.com/xml.response">
  <Errors />
  <Warnings />
  <RequestedCommand>namecheap.domains.dns.gethosts</RequestedCommand>
  <CommandResponse Type="namecheap.domains.dns.getHosts">
    <DomainDNSGetHostsResult Domain="<my-sld>.<my-tld>" EmailType="FWD" IsUsingOurDNS="true">
      <host HostId="<host-id>" Name="<existing-a-record>" Type="A" Address="<my-whitelisted-ip>" MXPref="10" TTL="1799" AssociatedAppTitle="" FriendlyName="" IsActive="true" IsDDNSEnabled="false" />
      <host HostId="<host-id>" Name="@" Type="TXT" Address="v=spf1 include:spf.efwd.registrar-servers.com ~all" MXPref="0" TTL="1800" AssociatedAppTitle="FWD" FriendlyName="" IsActive="true" IsDDNSEnabled="false" />
      <host HostId="<host-id>" Name="_acme-challenge.<1>" Type="TXT" Address="<valid-value>" MXPref="10" TTL="1799" AssociatedAppTitle="" FriendlyName="" IsActive="true" IsDDNSEnabled="false" />
      <host HostId="<host-id>" Name="_acme-challenge.<2>" Type="TXT" Address="<valid-value>" MXPref="10" TTL="1799" AssociatedAppTitle="" FriendlyName="" IsActive="true" IsDDNSEnabled="false" />
      <host HostId="<host-id>" Name="_acme-challenge.<3>" Type="TXT" Address="<valid-value>" MXPref="10" TTL="1799" AssociatedAppTitle="" FriendlyName="" IsActive="true" IsDDNSEnabled="false" />
      <host HostId="<host-id>" Name="_acme-challenge.<4>" Type="TXT" Address="<valid-value>" MXPref="10" TTL="1799" AssociatedAppTitle="" FriendlyName="" IsActive="true" IsDDNSEnabled="false" />
    </DomainDNSGetHostsResult>
  </CommandResponse>
  <Server>PHX01APIEXT04</Server>
  <GMTTimeDifference>--5:00</GMTTimeDifference>
  <ExecutionTime>0.142</ExecutionTime>
</ApiResponse>

I've made a presumption of your next question and tested a POST using curl to the Namecheap API as well, adding on a 5th "_acme-challenge" TXT record, and received this result:

<?xml version="1.0" encoding="utf-8"?>
<ApiResponse Status="OK" xmlns="http://api.namecheap.com/xml.response">
  <Errors />
  <Warnings />
  <RequestedCommand>namecheap.domains.dns.sethosts</RequestedCommand>
  <CommandResponse Type="namecheap.domains.dns.setHosts">
    <DomainDNSSetHostsResult Domain="<my-sld>.<my.tld>" IsSuccess="true">
      <Warnings />
    </DomainDNSSetHostsResult>
  </CommandResponse>
  <Server>PHX01APIEXT02</Server>
  <GMTTimeDifference>--5:00</GMTTimeDifference>
  <ExecutionTime>0.793</ExecutionTime>
</ApiResponse>

The update appeared in the Namecheap UI next to my other "_acme-challenge." TXT records.

Continuing down the simplistic path, I directly copy/pasted (yet again) the details for entering the API information for Namecheap into the GUI (obviously removing export only to receive yet another error. This error was solved by removing the double-quotes from surrounding my Namecheap username, API key, and source IP.

Again, continuing down this path, I increased the validation timeout from 30 seconds to 45 seconds for Namecheap. Upon doing this, ordering the certificates was finally successful.

 

[Alwin]

Again, continuing down this path, I increased the validation timeout from 30 seconds to 45 seconds for Namecheap. Upon doing this, ordering the certificates was finally successful.

To conclude, the time to validate the call takes longer than the default 30 sec. It solved then?

 

[cweilemann]

To conclude, the time to validate the call takes longer than the default 30 sec. It solved then?

I would also argue it's not a "simple copy" of KEY=VALUE from the Acme docs, as the Acme docs for Namecheap include double-quotes. So a "simple copy" would be something like export NAMECHEAP_USERNAME="<my-username>" where what is needed or Proxmox to work with the Namecheap API is NAMECHEAP_USERNAME=<my-username...

But yes, regardless, it is solved.