Obtain LetsEncrypt TXT Record from pvenode?

cweilemann

Dec 16, 2020
Is there a way through SSH to obtain the TXT record from LetsEncrypt such that I could initially configure LE SSL certs within a node and then simply make a renewal request through the GUI? Thus, the auto renewal of SSL certs would work going forward?

I ask as I've yet to find a workaround using Namecheap as my DNS provider and haven't been successful finding an answer on the forums or search engines.
 
PVE 6.3 has acme support with a good portion of provider APIs. Namecheap is among them. So I don't quite understand what preparation you want to do.
 
Even following the docs, I cannot get PVE to write the TXT record to Namecheap. So I need to somehow obtain what that TXT record entry should be so I can manually add it to my Namecheap DNS so I can then make a call to renew and obtain the certificate through the GUI.
 
Yes. I obtained an API key and followed the dns-01 instructions found here
 
And does API access work, like the example in the namecheap api intro? If so, what is the message from the acme plugin itself?
 
Performing the following from the console of the server using curl:

Bash:
curl "https://api.namecheap.com/xml.response?ApiUser=<my-namecheap-username>&ApiKey=<my-namecheap-api-key>&UserName=<my-namecheap-username>&Command=namecheap.domains.dns.getHosts&ClientIp=<my-whitelisted-ip>&SLD=<my-sld>&TLD=<my-tld>"

<?xml version="1.0" encoding="utf-8"?>
<ApiResponse Status="OK" xmlns="http://api.namecheap.com/xml.response">
  <Errors />
  <Warnings />
  <RequestedCommand>namecheap.domains.dns.gethosts</RequestedCommand>
  <CommandResponse Type="namecheap.domains.dns.getHosts">
    <DomainDNSGetHostsResult Domain="<my-sld>.<my-tld>" EmailType="FWD" IsUsingOurDNS="true">
      <host HostId="<host-id>" Name="<existing-a-record>" Type="A" Address="<my-whitelisted-ip>" MXPref="10" TTL="1799" AssociatedAppTitle="" FriendlyName="" IsActive="true" IsDDNSEnabled="false" />
      <host HostId="<host-id>" Name="@" Type="TXT" Address="v=spf1 include:spf.efwd.registrar-servers.com ~all" MXPref="0" TTL="1800" AssociatedAppTitle="FWD" FriendlyName="" IsActive="true" IsDDNSEnabled="false" />
      <host HostId="<host-id>" Name="_acme-challenge.<1>" Type="TXT" Address="<valid-value>" MXPref="10" TTL="1799" AssociatedAppTitle="" FriendlyName="" IsActive="true" IsDDNSEnabled="false" />
      <host HostId="<host-id>" Name="_acme-challenge.<2>" Type="TXT" Address="<valid-value>" MXPref="10" TTL="1799" AssociatedAppTitle="" FriendlyName="" IsActive="true" IsDDNSEnabled="false" />
      <host HostId="<host-id>" Name="_acme-challenge.<3>" Type="TXT" Address="<valid-value>" MXPref="10" TTL="1799" AssociatedAppTitle="" FriendlyName="" IsActive="true" IsDDNSEnabled="false" />
      <host HostId="<host-id>" Name="_acme-challenge.<4>" Type="TXT" Address="<valid-value>" MXPref="10" TTL="1799" AssociatedAppTitle="" FriendlyName="" IsActive="true" IsDDNSEnabled="false" />
    </DomainDNSGetHostsResult>
  </CommandResponse>
  <Server>PHX01APIEXT04</Server>
  <GMTTimeDifference>--5:00</GMTTimeDifference>
  <ExecutionTime>0.142</ExecutionTime>
</ApiResponse>

I've made a presumption of your next question and tested a POST using curl to the Namecheap API as well, adding on a 5th "_acme-challenge" TXT record, and received this result:

Bash:
<?xml version="1.0" encoding="utf-8"?>
<ApiResponse Status="OK" xmlns="http://api.namecheap.com/xml.response">
  <Errors />
  <Warnings />
  <RequestedCommand>namecheap.domains.dns.sethosts</RequestedCommand>
  <CommandResponse Type="namecheap.domains.dns.setHosts">
    <DomainDNSSetHostsResult Domain="<my-sld>.<my.tld>" IsSuccess="true">
      <Warnings />
    </DomainDNSSetHostsResult>
  </CommandResponse>
  <Server>PHX01APIEXT02</Server>
  <GMTTimeDifference>--5:00</GMTTimeDifference>
  <ExecutionTime>0.793</ExecutionTime>
</ApiResponse>

The update appeared in the Namecheap UI next to my other "_acme-challenge." TXT records.

Continuing down the simplistic path, I directly copy/pasted (yet again) the details for entering the API information for Namecheap into the GUI (obviously removing export) only to receive yet another error. This error was solved by removing the double quotes surrounding my Namecheap username, API key, and source IP.

Again, continuing down this path, I increased the validation timeout from 30 seconds to 45 seconds for Namecheap. Upon doing this, ordering the certificates was finally successful.
 
To conclude, the time to validate the call takes longer than the default 30 sec. Is it solved then? :)
 
I would also argue it's not a "simple copy" of KEY=VALUE from the Acme docs, as the Acme docs for Namecheap include double-quotes. So a "simple copy" would be something like export NAMECHEAP_USERNAME="<my-username>" where what is needed for Proxmox to work with the Namecheap API is NAMECHEAP_USERNAME=<my-username...

But yes, regardless, it is solved.
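
The fix reported in this thread (drop export and the surrounding double quotes before pasting the values into the plugin's API data field), written as a small filter. This is an added example, not code from the thread, Proxmox or acme.sh; the helper name normalize_plugin_data and all sample values are constructed, and NAMECHEAP_API_KEY / NAMECHEAP_SOURCEIP are the variable names used by acme.sh's Namecheap hook.

```shell
#!/bin/sh
# Added example: turn acme.sh-doc style lines (export KEY="value") into the
# bare KEY=value lines that worked in the PVE plugin data field in this thread.
# normalize_plugin_data is a hypothetical helper name.
normalize_plugin_data() {
    # Strip CRs from copy/paste, then parse each line with POSIX awk.
    tr -d '\r' | awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        sub(/^export[ \t]+/, "", line)          # drop the shell keyword
        eq  = index(line, "=")
        key = substr(line, 1, eq - 1)
        val = substr(line, eq + 1)
        if (key !~ /^[A-Za-z_][A-Za-z0-9_]*$/) {
            printf "line %d: not KEY=VALUE\n", NR > "/dev/stderr"
            bad = 1; next
        }
        # Remove one matching pair of surrounding double or single quotes.
        n = length(val); q = substr(val, 1, 1)
        if (n >= 2 && (q == "\"" || q == "\047") && substr(val, n, 1) == q)
            val = substr(val, 2, n - 2)
        # Leftover quotes or whitespace: reject rather than pass through.
        if (val == "" || index(val, "\"") || index(val, "\047") || val ~ /[ \t]/) {
            printf "line %d: %s value is empty or still quoted\n", NR, key > "/dev/stderr"
            bad = 1; next
        }
        print key "=" val
    }
    END { exit bad + 0 }'
}

# Constructed sample input, shaped like a paste from the acme.sh docs.
sample_paste() {
    cat <<'EOF'
export NAMECHEAP_USERNAME="exampleuser"
export NAMECHEAP_API_KEY="EXAMPLEKEY0123456789"
export NAMECHEAP_SOURCEIP="203.0.113.10"
EOF
}

sample_paste | normalize_plugin_data
```

A non-zero exit status means at least one line was rejected and should be corrected by hand before pasting.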
 