proxmox-backup-manager acme cert order TASK ERROR

V

victorclaessen

New Member
Jun 13, 2025
11
2
3
Hi I'm trying to set up ACME on promox backup server using EAB. I have followed the same procedure as on proxmox VE, but am running into the following problem.

Registering the account works.

Code: 
proxmox-backup-manager acme account info default
┌───────────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Name      │ Value                                                                                                          │
╞═══════════╪════════════════════════════════════════════════════════════════════════════════════════════════════════════════╡
│ account   │ {                                                                                                              │
│           │   "contact": [                                                                                                 │
│           │     "mailto:victor.claessen@hfml-felix.nl"                                                                     │
│           │   ],                                                                                                           │
│           │   "status": "valid"                                                                                            │
│           │ }                                                                                                              │
├───────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ directory │ https://acme-v02.harica.gr/acme/<SNIP>/directory                                 │
├───────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ location  │ https://acme-v02.harica.gr/acme/<SNIP>/acct/<SNIP> │
├───────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ tos       │ https://repo.harica.gr/documents/SA-ToU.pdf                                                                    │
└───────────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

But ordering the certificate doesn't.

Code: 
proxmox-backup-manager acme cert order --force true
TASK ERROR: client error (SendRequest)

With tcpdump I can see TLS traffic (back and forth, 47 packets) to acme-v02.harica.gr, but that's encrypted of course. I do not know what goes wrong. This works on proxmox VE.

Is there any way to get more debug information from proxmox-backup-manager so I can try to figure out what goes wrong?

Best regards,

Victor

Edit: When I run cert order from the web interface, I get this:

Code: 
2025-11-19T10:29:05+01:00: Placing ACME order
2025-11-19T10:29:07+01:00: Order URL: https://acme-v02.harica.gr/acme/<SNIP>/order/<SNIP>
2025-11-19T10:29:07+01:00: Getting authorization details from 'https://acme-v02.harica.gr/acme/<SNIP>/authz/<SNIP>'
2025-11-19T10:29:07+01:00: <SNIP> is already validated!
2025-11-19T10:29:07+01:00: Getting authorization details from 'https://acme-v02.harica.gr/acme/<SNIP>/authz/<SNIP>'
2025-11-19T10:29:07+01:00: <SNIP> is already validated!
2025-11-19T10:29:07+01:00: All domains validated
2025-11-19T10:29:07+01:00: Creating CSR
2025-11-19T10:29:09+01:00: order is ready, finalizing
2025-11-19T10:29:18+01:00: notified via target `mail-to-root`
2025-11-19T10:29:18+01:00: TASK ERROR: client error (SendRequest)

Edit 2: In the web interface of the CA (HARICA), I see that the certificate was actually successfully ordered and generated. I can even download it from their website [manually]. So the problem is in downloading or installing locally, I guess?

Edit 3: Running strace on the command doesn't really help me; it looks like this command is just scheduling a task "acme-renew-cert" that is handled in another thread somewhere and then waits for the result. (Excuse me if this is obvious; I'm quite new to proxmox.) I don't know yet how to debug that scheduled task.

Edit 4: Ok `strace -f` helped.
 
Last edited:
I downloaded the certificate manually as cert.pem, and I am now wondering if the problem is that it cannot be verified. The intermediate CA may not be included in the downloaded file. (The root CA is ok, that is trusted.)

Code: 
openssl verify cert.pem
C=NL, L=Nijmegen, O=HFML-FELIX, CN=<SNIP>
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed

Code: 
 openssl verify intermediate.pem
intermediate.pem: OK

Code: 
openssl verify -untrusted intermediate.pem cert.pem
cert.pem: OK
 
The weird thing is, it works fine in pve. I installed proxmox-ve package, and then the acme cert order works right away with the same settings/credentials.
 
does it work using Let's Encrypt (if that is an option you can try!)?
 
how do you do domain validation with Harica?
 
Domains are pre-validated (via the web interface for enterprise admins) and bound to an account, authenticated with key id+hmac key.
 
Last edited:
I see. we had 2-3 reports this week all with this particular CA, and all only affecting PBS, but it seems there is no public access to the CA, so it's a bit tricky to debug.
 
Anything I can do to help? Is there a -debug or -verbose flag available?

For the time being I have used the workaround of also installing pve and piggybacking on the certificates that pvenode acme got.
 
Ah great, my German is just passable but I can follow that thread just fine.

I see (in the German debug log) this connection being reused constantly (pooling...reuse). After the last reuse it jumps straight into the error flow. It does not really say what it wants to use the connection for at that moment.

Is the underlying code open to study somewhere?
 
You must log in or register to reply here.
Top Bottom