Proxmox ACME with TransIP plugin: _sign: command not found

A

ariejan

New Member
Jul 14, 2021
4
0
1
44
Hi,
I'm trying to setup Let's encrypt/ACME with the transip DNS plugin. Both automated and from the command line (pvenode acme cert renew) will have the dns_transip.sh script throw an error:

Code: 
# pvenode acme cert renew
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/90381790/11066886360

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/14801952309'
The validation for treebeard.lab.devroom.io is pending!
[Wed Jul 14 11:30:36 CEST 2021] Can't read private key file: "/transip.key"
[Wed Jul 14 11:30:36 CEST 2021] Error add txt for domain:_acme-challenge.treebeard.lab.devroom.io
command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup transip treebeard.lab.devroom.io' failed: exit code 1
Task command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup transip treebeard.lab.devroom.io' failed: exit code 1

I know that the _sign method is part of acme.sh, but I'm not sure why it's not used / included here.
 
could you please share the config you set for the transip-dns plugin (make sure to anonymize all sensitive data) - probably best as screenshot...
do you have a `/transip.key` file on the system? - if yes - is it readable as user nobody? (the dns.sh plugins get run as nobody:nogroup as can be seen in the taskoutput)
 
Okay, that was my bad, I copy/pasted the wrong output. /transip.key is readable, yes (the problem was having quotes around the env var value).

Code: 
# pvenode acme cert renew
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/90381790/11066886360

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/14801952309'
The validation for treebeard.lab.devroom.io is pending!
/usr/share/proxmox-acme/dnsapi/dns_transip.sh: line 103: _sign: command not found
[Wed Jul 14 11:31:10 CEST 2021] Can not get token.
[Wed Jul 14 11:31:10 CEST 2021] Error add txt for domain:_acme-challenge.treebeard.lab.devroom.io
command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup transip treebeard.lab.devroom.io' failed: exit code 1
Task command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup transip treebeard.lab.devroom.io' failed: exit code 1

Code: 
# pvenode acme plugin config transip
┌──────────────────┬──────────────────────────────────────────┐
│ key              │ value                                    │
╞══════════════════╪══════════════════════════════════════════╡
│ api              │ transip                                  │
├──────────────────┼──────────────────────────────────────────┤
│ data             │ TRANSIP_Username=*******                 │
│                  │ TRANSIP_Key_File=/transip.key            │
├──────────────────┼──────────────────────────────────────────┤
│ digest           │ **********************************       │
├──────────────────┼──────────────────────────────────────────┤
│ plugin           │ transip                                  │
├──────────────────┼──────────────────────────────────────────┤
│ type             │ dns                                      │
├──────────────────┼──────────────────────────────────────────┤
│ validation-delay │ 300                                      │
└──────────────────┴──────────────────────────────────────────┘
 
ariejan said:
Okay, that was my bad, I copy/pasted the wrong output. /transip.key is readable, yes (the problem was having quotes around the env var value).
Click to expand...
ariejan said:
/usr/share/proxmox-acme/dnsapi/dns_transip.sh: line 103: _sign: command not found
Click to expand...
Thanks - that explains it!
our implementation uses all dns-plugins from acme.sh - but the (shell) wrapper is slightly adapted from acme.sh - and it seems it does not include _sign() ...

could you try adding the _sign() code from acme.sh to `/usr/share/proxmox-acme/proxmox-acme`
(source can be taken from the acme.sh repository) - and see if this works correctly?

Thanks!
 
All right! I copied the _sign function over to the dns_transip.sh script. ( https://github.com/acmesh-official/acme.sh/blob/master/acme.sh#L1031-L1085 to be precise) and that seems to resolve the issue:

Code: 
# pvenode acme cert renew
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/90381790/11066886360

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/14801952309'
The validation for treebeard.lab.devroom.io is pending!
[Wed Jul 14 13:02:12 CEST 2021] Creating TXT record.
Add TXT record: _acme-challenge.treebeard.lab.devroom.io
Sleeping 30 seconds to wait for TXT record propagation
Triggering validation
Sleeping for 5 seconds
Status is 'valid', domain 'treebeard.lab.devroom.io' OK!
[Wed Jul 14 13:02:52 CEST 2021] Removing TXT record.
Remove TXT record: _acme-challenge.treebeard.lab.devroom.io

All domains validated!

Creating CSR
Checking order status
Order is ready, finalizing order
valid!

Downloading certificate
Setting pveproxy certificate and key
Restarting pveproxy
Revoking old certificate
Revoke request to CA failed: Error: POST to https://acme-v02.api.letsencrypt.org/acme/revoke-cert
{
  "type": "urn:ietf:params:acme:error:unauthorized",
  "detail": "Certificate is expired",
  "status": 403
}
Task OK

The error on revoking is expected as my old cert expired quite some time ago (this is a home server, not exposed to the interwebs).
 
  • Like
Reactions: ariejan and Moayad
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back