[SOLVED] Proxmox ACME Knot DNS challenge fails

Spinning_rust

Member
Jul 23, 2021
Hi there,

I'm trying to set up a PKI for certificates in my homelab with OpenBao and Knot DNS. I'm running my own DNS because I use my own TLD.

What I'm trying to do is use the Proxmox ACME setup to automatically get certificates from my OpenBao with the ACME DNS-01 challenge. When using the HTTP-01 challenge, PVE can get a cert without any problems, but when using DNS it fails with this error:

Bash:
root@PVE:~# pvenode acme cert order --force=1
Loading ACME account details
Placing ACME order
Order URL: https://secrets.my_custom_tld/v1/pki_int/roles/proxmox/acme/order/5b520ce8-REDACTED

Getting authorization details from 'https://secrets.my_custom_tld/v1/pki_int/roles/proxmox/acme/authorization/45072fd5-REDCATED'
The validation for PVE.my_custom_tld is pending!
[Tue May  5 10:14:37 CEST 2026] Adding _acme-challenge.PVE.my_custom_tld. 60 TXT "vcnIUMpRW7HytuUYeGNtA7U6aLYrxuUG4hkS-CO9xp0"
;; ->>HEADER<<- opcode: UPDATE; status: NOTAUTH; id: 51193
;; Flags: qr; ZONE: 1; PREREQ: 0; UPDATE: 0; ADDITIONAL: 0

;; ZONE SECTION:
;; PVE.my_custom_tld.        IN    SOA
;; ERROR: reply verification (expected a TSIG or SIG(0))
[Tue May  5 10:14:37 CEST 2026] Error updating domain.
[Tue May  5 10:14:37 CEST 2026] Error add txt for domain:_acme-challenge.PVE.my_custom_tld
command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup knot PVE.my_custom_tld' failed: exit code 1
Task command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup knot PVE.my_custom_tld' failed: exit code 1

I'll attach my truncated knot DNS config as well as a screenshot from the UI config for the Knot DNS challenge plugin in PVE.

My personal suspicion is that proxmox isn't using, or at least not properly, the token I set in the UI. I assume this because a manual setting of a TXT record with the credentials I also used in the UI worked and the error says "NOTAUTH".

Am I missing something? Can I provide more info? If yes, what is needed?

Thanks in advance and regards

Hi, are you using more than one node? I have a similar issue but only on one of the nodes ..
Whereas, as far as I can see, the config is identical ..

In my case .. I get a "Can not get token" error ..

> Hi, are you using more than one node? I have a similar issue but only on one of the nodes ..
> Whereas, as far as I can see, the config is identical ..
>
> In my case .. I get a "Can not get token" error ..

No, I only have one PVE node, and KnotDNS as well as OpenBao are also standalone, if that matters.
UPDATE
I found the solution to my problem:
It was the key name I used, the wrong value for the zone field, and the API: for some reason, the Knot plugin type does not work, but the generic "nsupdate (RFC 2136)" does.

So what made it all work:
knot.conf
Code:
key:
  - id: proxmox-acme
    algorithm: hmac-sha512
    secret: (the secret you generated with keymgr)

acl:
  - id: acme_acl
    address: [your, comma, separated, authorized, ip, addresses]
    key: proxmox-acme
    action: update
    update-type: [TXT]

zone:
  - domain: mycustomtld
    acl: acme_acl

Proxmox web UI:
- PVE:
Datacenter --> ACME --> Challenge Plugins --> Add --> "nsupdate (RFC 2136)"
Fields:
DNS API: already populated
NSUPDATE_KEY: /path/to/keyfile.key
NSUPDATE_SERVER: the authoritative DNS server
NSUPDATE_ZONE: the DNS zone in which you want to get a cert for a domain

- keyfile.key:
Code:
key "proxmox-acme" {
    algorithm hmac-sha512;
    secret "same-key-as-in-DNS-config";
};

Notice the same name behind "key" in the keyfile and "id" in the DNS config. This was the issue that prevented stuff from working for me.


I had a hard time figuring this out, maybe this will help someone else with a similar problem.

To anyone in the future: Feel free to respond to this if you run into issues, maybe I can help debug if this didn't solve your problem.
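Added example, not code from this thread and not part of Proxmox or Knot DNS: a POSIX shell script that generates one hmac-sha512 TSIG secret and writes it into both places the solution above shows, the Knot `key:` stanza and the BIND-format keyfile that the "nsupdate (RFC 2136)" plugin reads through NSUPDATE_KEY, so the name and secret cannot drift apart. `check_match` then compares the two files and reports the kind of key-name mismatch that produced the NOTAUTH above, and `tsig_probe` performs the manual add/delete of a TXT record with `nsupdate` for when a live server is available. The key name `proxmox-acme` is taken from the thread; the output paths, the `/dev/urandom` key generation (in place of `keymgr -t` on a Knot host) and the probe record name are assumptions.

```shell
#!/bin/sh
# Keep one TSIG key consistent between knot.conf and the nsupdate keyfile,
# and verify the pair before pointing the PVE plugin at it.
# Added example for this thread; assumed paths and helper names throughout.
set -eu

# 64 random bytes, base64-encoded: the secret size keymgr uses for hmac-sha512.
# keymgr -t <name> hmac-sha512 would do the same on a Knot host (assumption:
# /dev/urandom is used here so the script runs anywhere).
gen_secret() {
    head -c 64 /dev/urandom | base64 | tr -d '\n'
}

# Write the Knot "key:" stanza. $1 = output file, $2 = key id, $3 = secret
write_knot_key() {
    cat > "$1" <<EOF
key:
  - id: $2
    algorithm: hmac-sha512
    secret: $3
EOF
}

# Write the BIND-format keyfile read by nsupdate -k.
# $1 = output file, $2 = key name (must equal the Knot id), $3 = secret
write_keyfile() {
    cat > "$1" <<EOF
key "$2" {
    algorithm hmac-sha512;
    secret "$3";
};
EOF
}

# Compare the Knot stanza with the keyfile: same name and same secret.
# Returns 0 on match, 1 on mismatch. $1 = Knot stanza file, $2 = keyfile
check_match() {
    knot_id=$(sed -n 's/^ *- id: *//p' "$1" | head -n1)
    knot_secret=$(sed -n 's/^ *secret: *//p' "$1" | head -n1)
    file_name=$(sed -n 's/^key "\([^"]*\)" {.*/\1/p' "$2" | head -n1)
    file_secret=$(sed -n 's/^ *secret "\([^"]*\)";.*/\1/p' "$2" | head -n1)
    if [ "$knot_id" != "$file_name" ]; then
        echo "key name mismatch: Knot id '$knot_id' vs keyfile '$file_name'" >&2
        return 1
    fi
    if [ "$knot_secret" != "$file_secret" ]; then
        echo "secret mismatch between $1 and $2" >&2
        return 1
    fi
    return 0
}

# Live probe (needs a reachable server): add a TXT record with the key,
# then delete it again, exactly what the ACME plugin does during DNS-01.
# $1 = keyfile, $2 = DNS server, $3 = zone, $4 = record name (e.g.
# _acme-challenge.host.example, an assumed placeholder)
tsig_probe() {
    printf 'server %s\nzone %s\nupdate add %s 60 TXT "tsig-probe"\nsend\nupdate delete %s TXT\nsend\n' \
        "$2" "$3" "$4" "$4" | nsupdate -k "$1"
}
```

Typical use: `s=$(gen_secret); write_knot_key knot-key.conf proxmox-acme "$s"; write_keyfile /etc/proxmox-acme/keyfile.key proxmox-acme "$s"; check_match knot-key.conf /etc/proxmox-acme/keyfile.key`, then include the stanza in knot.conf and reload Knot. The task log above shows the plugin being run as `nobody` via `setpriv`, so the keyfile must be readable by that user, and the `address:` list in the ACL must contain the address the PVE node updates from. A rejected `tsig_probe` (NOTAUTH or "expected a TSIG") with a passing `check_match` points at the ACL or zone rather than at the key.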