PMG Let's Encrypt not updating

ronsrussell

On PMG 7.1-7 we installed certs from Let's Encrypt on 8/3/2022 and all was well, but now the certs are not auto-renewing. How do we initiate the auto-renew process so that we can troubleshoot the process?
 
Just click on 'order' certificate in the GUI - or `pmgconfig acme cert order <type>` (type being 'api' or 'smtp')

I hope this helps!
 
Clicking on 'order' did indeed initiate a transaction to Let's Encrypt and the update failed.
I collected packet captures at the pmg server and the external interface of the firewall confirming that nothing was blocked.
In the syslog I find -
"Oct 27 07:25:40 pmg pmgdaemon[134752]: validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/169xxxxx1567' failed - status: invalid, xxx.xxx.xxx.xxx: Fetching http://pmg.mydomain.com/.well-known/acme-challenge/jkDc8_AaDjRScnxxxxxCdNvAEGvxxxxxajMFI-8lcd0: Timeout during connect (likely firewall problem)"

In troubleshooting this issue in the past week I discovered that a firewall update mucked up some rules that forwarded port 80 to the pmg host. After fixing that I get the error shown above.
Will someone please tell me where to find the "pmg.mydomain.com/.well-known/acme-challenge/" directory so I can determine if the requested file exists?
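
An added example, not part of the original thread and not Proxmox code: "Timeout during connect" in the log above is reported at the TCP connect stage, before the challenge path is ever requested, so it helps to classify a fetch by the stage at which it fails. The listener, token values and result labels below are constructed for illustration; run `probe()` from a host outside the firewall against the public name and port 80.

```python
import http.client
import http.server
import socket
import threading

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def serve_token(token, body, port=0):
    """Throwaway local listener that answers exactly one challenge path."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            ok = self.path == CHALLENGE_PREFIX + token
            payload = body.encode() if ok else b"not found"
            self.send_response(200 if ok else 404)
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)
        def log_message(self, *args):  # keep the demo quiet
            pass
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(host, port, token, timeout=5.0):
    """Report the stage at which an HTTP-01 style fetch fails."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.connect()
    except socket.timeout:
        return "connect-timeout"   # SYN never answered: filter, NAT or port forward
    except ConnectionRefusedError:
        return "connect-refused"   # host reached, nothing listening on the port
    except OSError:
        return "connect-error"     # DNS failure, no route, ...
    try:
        conn.request("GET", CHALLENGE_PREFIX + token)
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return "http-error"
    finally:
        conn.close()
    return "served" if status == 200 else f"http-{status}"

if __name__ == "__main__":
    srv = serve_token("constructed-token", "constructed-token.thumbprint")
    port = srv.server_address[1]
    print(probe("127.0.0.1", port, "constructed-token"))
    print(probe("127.0.0.1", port, "wrong-token"))
    srv.shutdown()
```

A `connect-timeout` or `connect-refused` result points at the network path or the listener; only an `http-404` result means the connection worked and the token itself was missing.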