[SOLVED] PMG ACME-DNS with CYON: failing to issue certificate

Jul 16, 2021
Hey Community,

I'm currently setting up our first PMG and I'm stuck with the certificate-ordering via ACME.
I used the CT-Template: proxmox-mailgateway-container: 6.4-1 (API: 6.4-4/1c8a73c7, running kernel: 5.4.114-1-pve)

with the following plugin-settings

DNS-API: cyon
API-Data:
export CY_Username='it@domain.ch' export CY_Password='SUPER-SECURE-PASSWORD'

I get the following message:

Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/130707696/11116048294

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/14842893179'
The validation for mail01.domain.ch is pending!
[Fri Jul 16 11:29:30 CEST 2021]
[Fri Jul 16 11:29:30 CEST 2021] You haven't set your cyon.ch login credentials yet.
[Fri Jul 16 11:29:30 CEST 2021] Please set the required cyon environment variables.
[Fri Jul 16 11:29:30 CEST 2021]
[Fri Jul 16 11:29:30 CEST 2021] Error add txt for domain:
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup cyon mail01.domain.ch' failed: exit code 1


If I use the following settings

DNS-API: cyon
API-Data:
CY_Username='it@domain.ch' CY_Password='SUPER-SECURE-PASSWORD'

I get an error message, which doesn't get me any further.

Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/130707696/11116041969

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/14842893179'
The validation for mail01.domain.ch is pending!
[Fri Jul 16 11:29:08 CEST 2021] Error add txt for domain:
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup cyon mail01.domain.ch' failed: exit code 1


On our reverse proxy we use acme.sh directly with the same challenge type, also with cyon, and there it works.

Any idea how to debug further or what might be wrong?
 
Hello!

The "Proxmox Mail Gateway Administration Guide" specifically mentions this:

See the acme.sh How to use DNS API wiki for more detailed information about getting API credentials for your provider. Configuration values do not need to be quoted with single or double quotes; for some plugins that is even an error.

So you can try if these settings give any error:

DNS-API: cyon
API-Data:
CY_Username=it@domain.ch
CY_Password=SUPER-SECURE-PASSWORD

Best,
Aleksei
 
I get the same error message, no matter if I use no quotation marks, ' or ".

[Fri Jul 16 11:29:08 CEST 2021] Error add txt for domain:

Regards,
Alain
 
setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup cyon mail01.nanospace.ch
what happens if you run the above command on the commandline?
(try with and without setting the variables):
Code:
export CY_Username=it@domain.ch
export CY_Password=SUPER-SECURE-PASSWORD
 
I ran setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash -x /usr/share/proxmox-acme/proxmox-acme setup cyon mail01.domain.ch 1 to have debug enabled, and it wants an input:

Code:
+ VER=1.0
+ PROJECT_NAME=ProxmoxACME
+ USER_AGENT=ProxmoxACME/1.0
+ DNS_PLUGIN_PATH=/usr/share/proxmox-acme/dnsapi
++ mktemp
+ HTTP_HEADER=/tmp/tmp.G5YxawQxR5
+ DEBUG=0
+ setup cyon mail01.domain.ch 1
+ dns_plugin=dns_cyon
+ dns_plugin_path=/usr/share/proxmox-acme/dnsapi/dns_cyon.sh
+ fqdn=_acme-challenge.mail01.domain.ch
+ DEBUG=1
+ IFS=
+ read -r txtvalue


So I manually provided the values (CY_Username=it@domain.ch CY_Password=SUPER-SECRET-PASSWORD, then Ctrl+D to finish the input):

Code:
cyon mail01.domain.ch 1
+ VER=1.0
+ PROJECT_NAME=ProxmoxACME
+ USER_AGENT=ProxmoxACME/1.0
+ DNS_PLUGIN_PATH=/usr/share/proxmox-acme/dnsapi
++ mktemp
+ HTTP_HEADER=/tmp/tmp.LSXffqgkLE
+ DEBUG=0
+ setup cyon mail01.domain.ch 1
+ dns_plugin=dns_cyon
+ dns_plugin_path=/usr/share/proxmox-acme/dnsapi/dns_cyon.sh
+ fqdn=_acme-challenge.mail01.domain.ch
+ DEBUG=1
+ IFS=
+ read -r txtvalue
+ plugin_conf_string=
+ _load_plugin_config
+ IFS=
+ read -r line
CY_Username=it@domain.ch
+ ADDR=(${line/=/ })
+ key=CY_Username
+ value=it@domain.ch
+ '[' -n CY_Username ']'
+ export CY_Username=it@domain.ch
+ CY_Username=it@domain.ch
+ IFS=
+ read -r line
CY_Password=SUPER-SECRET_PASSWORD
+ ADDR=(${line/=/ })
+ key=CY_Password
+ value=SUPER-SECRET_PASSWORD
+ '[' -n CY_Password ']'
+ export CY_Password=SUPER-SECRET_PASSWORD
+ CY_Password=SUPER-SECRET-PASSWORD
+ IFS=
+ read -r line
+ . /usr/share/proxmox-acme/dnsapi/dns_cyon.sh
+ addcommand=dns_cyon_add
+ _exists dns_cyon_add
+ cmd=dns_cyon_add
+ eval type type
+ type dns_cyon_add
+ ret=0
+ return 0
+ dns_cyon_add _acme-challenge.mail01.domain.ch ''
+ _cyon_load_credentials
+ '[' '' ']'
+ '[' SUPER-SECRET-PASSWORD ']'
++ printf %s SUPER-SECRET-PASSWORD
++ _base64
++ tr -d '\r\n'
++ openssl base64 -e
+ CY_Password_B64=SUPER-SECRET_PASSWORD_B64
+ '[' -z it@domain.ch ']'
+ '[' -z SUPER-SECRET-PASSWORD ']'
+ _debug 'Save credentials to account.conf'
+ [[ 1 -eq 0 ]]
++ date
+ printf -- %s '[Fri Jul 16 15:04:14 CEST 2021] '
[Fri Jul 16 15:04:14 CEST 2021] + echo 'Save credentials to account.conf '
Save credentials to account.conf
+ _saveaccountconf CY_Username it@domain.ch
+ return
+ _saveaccountconf CY_Password_B64 SUPER-SECRET_PASSWORD_B64
+ return
+ '[' -n '' ']'
+ _clearaccountconf CY_OTP_Secret
+ return
+ _err 'Error add txt for domain:'
++ date
+ printf -- %s '[Fri Jul 16 15:04:14 CEST 2021] '
[Fri Jul 16 15:04:14 CEST 2021] + '[' -z '' ']'
+ __red 'Error add txt for domain:'
+ printf -- %b 'Error add txt for domain:'
Error add txt for domain:+ printf '\n'

+ return 1
+ return 1
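The trace above shows `'[' -n '' ']'` evaluating false immediately before `_clearaccountconf`, whose body is a bare `return`, after which the add chain aborts with "Error add txt for domain:" even though the credentials were loaded. In bash, `return` without an argument hands back the exit status of the last command executed, so a stub helper can inherit a failure it never produced. The following is an added illustration of that pitfall, not code from the thread or from proxmox-acme; the function names are hypothetical:

```bash
#!/bin/bash
# Added example (not from the thread or proxmox-acme): a stub whose body is a
# bare `return` silently forwards the status of whatever ran before it.

# Stub as it appears in the trace: only `return`, so the caller receives the
# exit status of the last command executed before the stub was entered.
stub_clear_bare() {
  return
}

# Hardened stub: an explicit status, independent of what ran before.
stub_clear_explicit() {
  return 0
}

# Mimics the tail of the credential loader: an `if [ -n ... ]` test whose
# false branch calls the stub, making the stub the function's last command.
load_credentials() {
  local clear_fn=$1 otp_secret=$2
  if [ -n "$otp_secret" ]; then
    : # a real loader would persist the secret here
  else
    "$clear_fn" OTP_Secret   # inherits status 1 from the failed [ -n ] test
  fi
}

# Mimics the `&&` chain in the add step: returns 0 if it reached the
# record-adding stage, 1 if it aborted after loading credentials.
run_add_chain() {
  local clear_fn=$1 otp_secret=$2
  load_credentials "$clear_fn" "$otp_secret" && return 0
  return 1
}

# Prints "ok" or "aborted" for a given stub and OTP secret value.
chain_status() {
  if run_add_chain "$@"; then echo ok; else echo aborted; fi
}
```

With an empty OTP secret the bare stub aborts the chain while the explicit stub lets it proceed; with a non-empty secret both succeed because the stub is never reached.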
 
Thanks for the debug output - I think I see where the issue is coming from and prepared a preliminary patch:
https://lists.proxmox.com/pipermail/pve-devel/2021-July/049419.html

Sadly I don't have an account with cyon and cannot test it - if you like, you can apply the patch and test it (this would help in getting this issue resolved faster):
* copy the mail from the link into a plaintext-file 'patch.txt' on your PMG
* run `patch /usr/share/proxmox-acme/proxmox-acme patch.txt`
* try creating a certificate with cyon

Thanks!
 
Thanks for providing the outputs so fast and testing :)
 