"Proxmox ACME DNS not working in 8.2.2:

[hein.waz]

Hello,

In Datacenter>ACME: I have created a configuration for transip with:

And I have created and associated an Account configuring the challenge Plugin,

(redacted for obvious reasons):
However when I try to get a certificate for the PVE instance I get the following error:

Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/xxxxxxxxxxxxxxx

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxxxxxxx'
The validation for pve.**********.nl is pending!
[Fri Jun 7 11:43:08 CEST 2024] Key file doesn't seem to be a valid key: /etc/pve/myS.key
[Fri Jun 7 11:43:08 CEST 2024] Error add txt for domain:_acme-challenge.pve>*********.nl
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup transip pve.********t.nl' failed: exit code 1

So it does not understand the Private Key that I am sending with the request.
as I am using the same API key in a python script for checking the certificate status the key is valid and correct.

Does anybody have any idea what a next step would need to be? I think "PVE transip script" is perhaps expecting a different Encryption algorithm?
resulting in not being able to sign the request appropriately.

My working theory is that this issue is related to the /usr/share/proxmox-acme/dnsapi/dns_transip.sh.
expecting the key to be an RSA Private Key, but the actual private key seems to be base 64 encoded.

I will let you know how it works out, but if anybody knows of a solution I would be grateful.

 

[Village6677]

Hi,

no solution here. Same issue though. Using proxmox 8.2.4 and acme with dns (transip)


So you're not alone . Been searching online and no solution. And all my attempts are failing so far. Hoping someone can give the solution.

PS. I verified the keyfile. Using the same one in my traefik reverse proxy and it just works.

 

[weehooey-bh]

Does your key file start with the text "BEGIN PRIVATE KEY"?

If it does not, add it and try again.

Note: This is case-sensitive.

 

[Village6677]

Hi,

it, in fact, does begin with BEGIN PRIVATE KEY (and END PRIVATE KEY of course). Blurred out the key itself

 

[weehooey-bh]

Hi,

it, in fact, does begin with BEGIN PRIVATE KEY (and END PRIVATE KEY of course). Blurred out the key itself
View attachment 71928

I have dug through the source code of both Proxmox VE and acme.sh.

The error you are getting is from this file: /usr/share/proxmox-acme/dnsapi/dns_transip.sh

In particular, this part:

if [ -f "$TRANSIP_Key_File" ]; then
    if ! grep "BEGIN PRIVATE KEY" "$TRANSIP_Key_File" >/dev/null 2>&1; then
      _err "Key file doesn't seem to be a valid key: ${TRANSIP_Key_File}"
      return 1
    fi
  else
    _err "Can't read private key file: ${TRANSIP_Key_File}"
    return 1
  fi

All it requires is the file contains BEGIN PRIVATE KEY. Your does. You have verified that the key works. So, based on that, the if statement above is getting the wrong information.

I looked at the PVE ACME plugins I use and the acme.sh code, both do base64 encoding of data in the configuration files.

I suspect that PVE is decoding your file and presenting the contents to the TRANSIP plugin somewhere before presenting it to the script above.

I would try base 64 encoding the contents of your key file and try that. Here is a StackOverflow article: https://stackoverflow.com/questions...t-of-base64-encode-on-a-file-to-the-same-file

 

[Village6677]

First of all thank you for the help and the time to look into it.

I used the following command to convert the file to base64 encoding:

base64 transip.base.key > transip.base64.key

The result file looks different:


And checked the contents. It was changed and I could convert it back to the original using:

 base64 --decode /etc/pve/transip.base64.key

However using the base64 encoded file still gives the same result.


So it could be I made a mistake converting the file or the issue is something else and not the encoding?

 

[weehooey-bh]

You are welcome for the help.

Yes, your encoding looks as I would expect. It may be using a different encoding, although I may be wrong about where the error is coming from.

Please only take this next step if you are comfortable editing code. You will be messing with the guts of PVE. Also, if you happen to update your PVE, any change you make will likely be overwritten.

If you make a "harmless" change to the error text, you can confirm that the error message comes from the script. Before doing this, you may also want to make a backup copy of the file.

In this file: /usr/share/proxmox-acme/dnsapi/dns_transip.sh

Find these lines:

if [ -f "$TRANSIP_Key_File" ]; then
    if ! grep "BEGIN PRIVATE KEY" "$TRANSIP_Key_File" >/dev/null 2>&1; then
      _err "Key file doesn't seem to be a valid key: ${TRANSIP_Key_File}"
      return 1
    fi
  else
    _err "Can't read private key file: ${TRANSIP_Key_File}"
    return 1
  fi

Then, modify the error message so that you can see the change when it appears in the PVE Task. For example, change the word valid in seem to be a valid key to seem to be a VALID key. Changing the text of the error message like that should not impact the code's operation. But you will see that change in the error output.

Kick off the certificate order and see what happens in the error message.

If you see "VALID," we will confirm that it is the place in the code where it is failing.

If it is the right place, I will dive deeper into the code to see why it fails. If it is not the right place, I will try to find the right place.

 

[debier]

I had the same troubles, it was just a rights issue. "chmod 660 transip.key" fixed it for me.

chmod: veranderen van toegangsrechten van '/etc/pve/transip.key': Actie is niet toegestaan (action is not allowed)

instead of /etc/pve i used /etc/ssl and all was good after the chmod.

 

[Village6677]

Hi debier,
thnx for the suggestion. I copied the key file to /etc/ssl and set the permissions (chmod 660). Then changed the acme config inside proxmox. Requested a new cert but still the same error.

[Sun Aug 4 17:52:04 CEST 2024] Key file doesn't seem to be a valid key: /etc/ssl/transip.key

So then I tried the suggestion weehooey-bh gave. Made a backup of the sh file and added some text

  if [ -f "$TRANSIP_Key_File" ]; then
    if ! grep "BEGIN PRIVATE KEY" "$TRANSIP_Key_File" >/dev/null 2>&1; then
      _err "Oww Nooooo Key file doesn't seem to be a valid key: ${TRANSIP_Key_File}"
      return 1
    fi
  else
    _err "Can't read private key file: ${TRANSIP_Key_File}"
    return 1
  fi

And it appears in proxmox so this is the check/step causing the issue

 

[debier]

Also change the, acme.

TRANSIP_Username=username
TRANSIP_Key_File=/etc/ssl/transip.key

The error stil gives /etc/pve

 

[weehooey-bh]

Hi debier,
thnx for the suggestion. I copied the key file to /etc/ssl and set the permissions (chmod 660). Then changed the acme config inside proxmox. Requested a new cert but still the same error.

[Sun Aug 4 17:52:04 CEST 2024] Key file doesn't seem to be a valid key: /etc/ssl/transip.key

So then I tried the suggestion weehooey-bh gave. Made a backup of the sh file and added some text

  if [ -f "$TRANSIP_Key_File" ]; then
    if ! grep "BEGIN PRIVATE KEY" "$TRANSIP_Key_File" >/dev/null 2>&1; then
      _err "Oww Nooooo Key file doesn't seem to be a valid key: ${TRANSIP_Key_File}"
      return 1
    fi
  else
    _err "Can't read private key file: ${TRANSIP_Key_File}"
    return 1
  fi

And it appears in proxmox so this is the check/step causing the issue
View attachment 72399

Thanks for trying this (love the change text ). We now know this is where it is failing.

Looking at the command, it is looking for "BEGIN PRIVATE KEY" and you tested adding that to the contents of the file.

This suggests that the private key file is not making it here or is being manipulated in some way.

I will take a closer look.

 

[Village6677]

Also change the, acme.

TRANSIP_Username=username
TRANSIP_Key_File=/etc/ssl/transip.key

The error stil gives /etc/pve

Hi debier, thanks for pointing this out. I did change the location in the ACME config the first time. See the logline I posted in my previous post:
[Sun Aug 4 17:52:04 CEST 2024] Key file doesn't seem to be a valid key: /etc/ssl/transip.key

 

[debier]

Strange, because of your error i tried again, to add another certificate, now for me it also failed same error?
Very weird, now because it seems to be a rights issue .

Now i tried chmod 777 /etc/ssl/transip.key

And this time it worked again... very weird.


Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/...

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/a...
pve-nl.*** is already validated!

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/'
The validation for pve-local.*** is pending!
[Sun Aug 4 22:07:40 CEST 2024] Creating TXT record.
Add TXT record: _acme-challenge.pve-local.***
Sleeping 30 seconds to wait for TXT record propagation
Triggering validation
Sleeping for 5 seconds
Status is 'valid', domain 'pve-local.***' OK!
[Sun Aug 4 22:08:20 CEST 2024] Removing TXT record.
Remove TXT record: _acme-challenge.pve-local.****

All domains validated!

Creating CSR
Checking order status
Order is ready, finalizing order
valid!

Downloading certificate
Setting pveproxy certificate and key
Restarting pveproxy
TASK OK

 

[Village6677]

Can confirm it works: I copied the private key again to /etc/ssl
run chmod 777 to the key (permissions wide open on the key is not really something I prefer).
The changed my config and requested a new cert:

It works!

Changing the permissions of the file inside /etc/pve is impossible (chmod: changing permissions of 'transip.key': Operation not permitted)
But what is the recommended place for the private key? So permissions aren't wide open. And the error message is not really helpful in this case...

 

[hein.waz]

Hi, moving the file /etc/pve/transip.key to /etc/ssl/transip.key and then chmod 660 /etc/ssl/transip.key
will solve the issue.

I was stuck on a red herring with the groups.