proxmox-backup-manager acme cert order TASK ERROR

victorclaessen

Hi, I'm trying to set up ACME on Proxmox Backup Server using EAB. I have followed the same procedure as on Proxmox VE, but am running into the following problem.

Registering the account works.

Code:
proxmox-backup-manager acme account info default
┌───────────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Name      │ Value                                                                                                          │
╞═══════════╪════════════════════════════════════════════════════════════════════════════════════════════════════════════════╡
│ account   │ {                                                                                                              │
│           │   "contact": [                                                                                                 │
│           │     "mailto:victor.claessen@hfml-felix.nl"                                                                     │
│           │   ],                                                                                                           │
│           │   "status": "valid"                                                                                            │
│           │ }                                                                                                              │
├───────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ directory │ https://acme-v02.harica.gr/acme/<SNIP>/directory                                 │
├───────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ location  │ https://acme-v02.harica.gr/acme/<SNIP>/acct/<SNIP> │
├───────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ tos       │ https://repo.harica.gr/documents/SA-ToU.pdf                                                                    │
└───────────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

But ordering the certificate doesn't.

Code:
proxmox-backup-manager acme cert order --force true
TASK ERROR: client error (SendRequest)

With tcpdump I can see TLS traffic (back and forth, 47 packets) to acme-v02.harica.gr, but that's encrypted of course. I do not know what goes wrong. This works on proxmox VE.

Is there any way to get more debug information from proxmox-backup-manager so I can try to figure out what goes wrong?

Best regards,

Victor

Edit: When I run cert order from the web interface, I get this:

Code:
2025-11-19T10:29:05+01:00: Placing ACME order
2025-11-19T10:29:07+01:00: Order URL: https://acme-v02.harica.gr/acme/<SNIP>/order/<SNIP>
2025-11-19T10:29:07+01:00: Getting authorization details from 'https://acme-v02.harica.gr/acme/<SNIP>/authz/<SNIP>'
2025-11-19T10:29:07+01:00: <SNIP> is already validated!
2025-11-19T10:29:07+01:00: Getting authorization details from 'https://acme-v02.harica.gr/acme/<SNIP>/authz/<SNIP>'
2025-11-19T10:29:07+01:00: <SNIP> is already validated!
2025-11-19T10:29:07+01:00: All domains validated
2025-11-19T10:29:07+01:00: Creating CSR
2025-11-19T10:29:09+01:00: order is ready, finalizing
2025-11-19T10:29:18+01:00: notified via target `mail-to-root`
2025-11-19T10:29:18+01:00: TASK ERROR: client error (SendRequest)

Edit 2: In the web interface of the CA (HARICA), I see that the certificate was actually successfully ordered and generated. I can even download it from their website [manually]. So the problem is in downloading or installing locally, I guess?

Edit 3: Running strace on the command doesn't really help me; it looks like this command is just scheduling a task "acme-renew-cert" that is handled in another thread somewhere and then waits for the result. (Excuse me if this is obvious; I'm quite new to proxmox.) I don't know yet how to debug that scheduled task.

Edit 4: Ok `strace -f` helped.
 
I downloaded the certificate manually as cert.pem, and I am now wondering if the problem is that it cannot be verified. The intermediate CA may not be included in the downloaded file. (The root CA is ok, that is trusted.)

Code:
openssl verify cert.pem
C=NL, L=Nijmegen, O=HFML-FELIX, CN=<SNIP>
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed

Code:
openssl verify intermediate.pem
intermediate.pem: OK

Code:
openssl verify -untrusted intermediate.pem cert.pem
cert.pem: OK
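The check from the post above, reproduced offline as an added example (not from the thread or from Proxmox): a constructed root, intermediate and leaf show that a leaf-only PEM fails `openssl verify` while a file that also carries the intermediate passes. The helper names, the CN values and `fullchain.pem` are assumptions made for the demo; only `cert.pem` and `intermediate.pem` mirror the file names used in the post.

```shell
#!/bin/sh
# Added example. Every name, key and certificate here is constructed for the demo.

# issue NAME SUBJECT ISSUER [EXTFILE]: write NAME.key and NAME.pem, signed by
# ISSUER.key (self-signed when ISSUER is the same as NAME).
issue() {
    name=$1 subj=$2 issuer=$3 ext=$4
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
    if [ "$name" = "$issuer" ]; then
        signer="-signkey $name.key"
    else
        signer="-CA $issuer.pem -CAkey $issuer.key -CAcreateserial"
    fi
    # $signer is left unquoted on purpose so it splits into separate options.
    openssl x509 -req -in "$name.csr" $signer -days 2 \
        ${ext:+-extfile "$ext"} -out "$name.pem" 2>/dev/null
}

# build_demo: create root -> intermediate -> leaf in a temp dir, print its path.
# cert.pem holds only the leaf; fullchain.pem holds leaf + intermediate.
build_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
        issue root "/CN=Demo Root CA" root ca.ext &&
        issue intermediate "/CN=Demo Intermediate CA" root ca.ext &&
        issue cert "/CN=pbs.example.test" intermediate "" &&
        cat cert.pem intermediate.pem > fullchain.pem
    ) || return 1
    echo "$dir"
}

# check_bundle PEM [CAFILE]: print how many certificates PEM contains, then
# verify its first certificate using the rest of the file as untrusted
# intermediates. Returns openssl's exit status.
check_bundle() {
    grep -c 'BEGIN CERTIFICATE' "$1"
    openssl verify ${2:+-CAfile "$2"} -untrusted "$1" "$1" >/dev/null 2>&1
}

dir=$(build_demo) || exit 1
for f in cert.pem fullchain.pem; do
    if n=$(check_bundle "$dir/$f" "$dir/root.pem"); then r=OK; else r=FAILED; fi
    echo "$f: $n certificate(s), verification $r"
done
rm -rf "$dir"
```

On a real system, call `check_bundle` with only the downloaded PEM so that the system trust store supplies the root, as in the `openssl verify` commands above.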
 
The weird thing is, it works fine in pve. I installed proxmox-ve package, and then the acme cert order works right away with the same settings/credentials.
 
Does it work using Let's Encrypt (if that is an option you can try!)?
 
How do you do domain validation with Harica?
 
Domains are pre-validated (via the web interface for enterprise admins) and bound to an account, authenticated with key id+hmac key.
 
I see. We had 2-3 reports this week, all with this particular CA, and all only affecting PBS, but it seems there is no public access to the CA, so it's a bit tricky to debug.