PVE 7: LE certificate renew fails

Aug 19, 2019
On PVE 7 I get the following error for the Let's Encrypt cert renewal (task acmerenewal):

Code:
root@tokoeka ~ # pvenode acme cert renew
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/63630251/35385412630

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/44131491660'
The validation for tokoeka.netzwissen.de is pending!
Setting up webserver
Triggering validation
Sleeping for 5 seconds
Status is still 'pending', trying again in 10 seconds
validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/44131491660' failed - status: invalid
Task validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/44131491660' failed - status: invalid

I also get

Code:
root@tokoeka ~ # pvenode acme cert order
400 Parameter verification failed.
force: Custom certificate exists but 'force' is not set.
pvenode acme cert order  [OPTIONS]

The PVE server is online and the current cert is valid until 13 Nov. Any ideas how to debug this on the shell?
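
One way to get past the bare `status: invalid` in the log above, as an added example that is not part of the original posts: an ACME authorization object (RFC 8555) carries a per-challenge `error` with a type and a detail text, and this sketch pulls them out. The sample JSON, the names `explain_authz` and `fetch_authz`, and the hint wording are constructed for illustration; `fetch_authz` assumes the CA allows a plain GET on the authz URL.

```python
import json
import urllib.request

# Constructed sample of an RFC 8555 authorization object (not taken from the thread).
SAMPLE_AUTHZ = json.loads("""
{
  "identifier": {"type": "dns", "value": "host.example.org"},
  "status": "invalid",
  "challenges": [
    {"type": "http-01", "status": "invalid",
     "error": {"type": "urn:ietf:params:acme:error:connection",
               "detail": "Fetching http://host.example.org/.well-known/acme-challenge/TOKEN: Timeout during connect",
               "status": 400}},
    {"type": "dns-01", "status": "pending"}
  ]
}
""")

# Standard ACME error types (RFC 8555, section 6.7) and what to check first.
HINTS = {
    "connection": "CA could not reach the host: check port 80 from outside, firewall/NAT, stale AAAA record",
    "dns": "DNS lookup failed at the CA: check A/AAAA/CAA records for the name",
    "unauthorized": "wrong answer under /.well-known/acme-challenge/: another server or proxy owns port 80",
}

def fetch_authz(url):
    """Fetch an authorization object (assumption: the CA permits unauthenticated GET)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def explain_authz(authz):
    """Return one finding per failed challenge, with the CA's own error detail."""
    findings = []
    for chall in authz.get("challenges", []):
        err = chall.get("error")
        if chall.get("status") != "invalid" or not err:
            continue  # pending/valid challenges carry no error to report
        short = err.get("type", "").rsplit(":", 1)[-1]
        findings.append({"name": authz["identifier"]["value"], "challenge": chall["type"],
                         "error": short, "detail": err.get("detail", ""),
                         "hint": HINTS.get(short, "read the detail text")})
    return findings

if __name__ == "__main__":
    for f in explain_authz(SAMPLE_AUTHZ):
        print(f"{f['name']} [{f['challenge']}] {f['error']}: {f['detail']}\n  -> {f['hint']}")
```

To use it on a real failure, pass the authorization URL printed by `pvenode acme cert renew` to `fetch_authz` and feed the result to `explain_authz`.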
 
You are better off using a reverse proxy like Caddy, as it'll make your life easier. I in fact run Caddy in an LXC container and reverse proxy all servers, including the PVE, through that for SSL.

All you need is a Caddyfile with this. Caddy will do the renewal on its own.

Code:
{
    # email to use on Let's Encrypt
    email user@foo.com

    # Debug logging (comment out to disable)
    debug
    # Uncomment for testing cert with staging
    #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}


vm.foo.com {
    reverse_proxy 192.168.11.17:8006 {
        transport http {
            tls
            tls_insecure_skip_verify
        }
    }
}