Proxmox ACME Knot DNS challenge fails

Spinning_rust

Member
Jul 23, 2021
Hi there,

I'm trying to set up a PKI for certificates in my homelab with OpenBao and Knot DNS. I'm running my own DNS because I use my own TLD.

What I'm trying to do is use the Proxmox ACME setup to automatically get certificates from my OpenBao with the ACME DNS-01 challenge. When using the HTTP-01 challenge, PVE can get a cert without any problems, but when using DNS it fails with this error:

Bash:
root@PVE:~# pvenode acme cert order --force=1
Loading ACME account details
Placing ACME order
Order URL: https://secrets.my_custom_tld/v1/pki_int/roles/proxmox/acme/order/5b520ce8-REDACTED

Getting authorization details from 'https://secrets.my_custom_tld/v1/pki_int/roles/proxmox/acme/authorization/45072fd5-REDCATED'
The validation for PVE.my_custom_tld is pending!
[Tue May  5 10:14:37 CEST 2026] Adding _acme-challenge.PVE.my_custom_tld. 60 TXT "vcnIUMpRW7HytuUYeGNtA7U6aLYrxuUG4hkS-CO9xp0"
;; ->>HEADER<<- opcode: UPDATE; status: NOTAUTH; id: 51193
;; Flags: qr; ZONE: 1; PREREQ: 0; UPDATE: 0; ADDITIONAL: 0

;; ZONE SECTION:
;; PVE.my_custom_tld.        IN    SOA
;; ERROR: reply verification (expected a TSIG or SIG(0))
[Tue May  5 10:14:37 CEST 2026] Error updating domain.
[Tue May  5 10:14:37 CEST 2026] Error add txt for domain:_acme-challenge.PVE.my_custom_tld
command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup knot PVE.my_custom_tld' failed: exit code 1
Task command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup knot PVE.my_custom_tld' failed: exit code 1

I'll attach my truncated Knot DNS config as well as a screenshot of the UI config for the Knot DNS challenge plugin in PVE.

My personal suspicion is that Proxmox isn't using the token I set in the UI, or at least not properly. I assume this because manually setting a TXT record with the same credentials I used in the UI worked, and the error says "NOTAUTH".

Am I missing something? Can I provide more info? If so, what is needed?

Thanks in advance and regards
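As an added diagnostic (not from the original post and not the Proxmox plugin's own code), the script below builds the same kind of TSIG-signed RFC 2136 UPDATE the plugin sends, using only the Python standard library, so the key name, secret and the zone apex in the ZONE section can be tested against Knot independently of the plugin. The zone, record, key name, secret and server address in it are constructed placeholders.

```python
import base64, hashlib, hmac, socket, struct, time

RCODES = {0: "NOERROR", 5: "REFUSED", 9: "NOTAUTH", 16: "BADSIG", 17: "BADKEY", 18: "BADTIME"}

def wire_name(name):
    """Dotted name -> uncompressed wire format (RFC 1035 labels plus root terminator)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(struct.pack("B", len(lab)) + lab.encode() for lab in labels) + b"\x00"

def build_txt_update(zone, rr_name, txt, ttl=60, msg_id=0x1234):
    """RFC 2136 UPDATE adding one TXT RR. The ZONE section names the zone apex, not the host."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5 = UPDATE, 1 zone, 1 update
    zone_sec = wire_name(zone) + struct.pack("!HH", 6, 1)         # SOA / IN
    rdata = struct.pack("B", len(txt)) + txt.encode()
    rr = wire_name(rr_name) + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata  # TXT / IN
    return header + zone_sec + rr

def tsig_variables(key_name, now, fudge):
    """TSIG fields MACed together with the message (RFC 8945 section 4.3.3)."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name("hmac-sha256")
            + struct.pack("!HIHHH", now >> 32, now & 0xFFFFFFFF, fudge, 0, 0))

def tsig_sign(msg, key_name, secret_b64, now=None, fudge=300):
    """Append an hmac-sha256 TSIG RR to an unsigned message and bump ARCOUNT."""
    now = int(time.time()) if now is None else now
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, msg + tsig_variables(key_name, now, fudge), hashlib.sha256).digest()
    rdata = (wire_name("hmac-sha256") + struct.pack("!HIHH", now >> 32, now & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))  # original id, error, other len
    tsig_rr = wire_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr

def parse_header(msg):
    """Return (id, opcode, rcode name, zocount, prcount, upcount, arcount)."""
    mid, flags, zo, pr, up, ar = struct.unpack("!HHHHHH", msg[:12])
    return mid, (flags >> 11) & 0xF, RCODES.get(flags & 0xF, str(flags & 0xF)), zo, pr, up, ar

def send_update(server, msg, port=53, timeout=5):
    """Send over TCP (two-byte length prefix); returns the raw reply for parse_header()."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(msg)) + msg)
        f = s.makefile("rb")
        n = struct.unpack("!H", f.read(2))[0]
        return f.read(n)

if __name__ == "__main__":
    # Placeholder values: zone apex, record, key name/secret and server are constructed, not from the post.
    msg = build_txt_update("my_custom_tld", "_acme-challenge.pve.my_custom_tld", "probe")
    signed = tsig_sign(msg, "pve-acme", "c2VjcmV0")
    print(parse_header(send_update("192.0.2.53", signed)))  # rcode NOTAUTH, BADKEY, BADSIG ... tells you which part fails
```

The rcode in the reply separates the cases: NOTAUTH means the server does not serve the zone named in the ZONE section, while BADKEY/BADSIG point at the key name or secret.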