PVE 8.3-1 have the ACME running errors bug

doraemon2011

Mar 10, 2025
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/2259718345/362125699506

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz/2259718345/487639047236'
The validation for yun.iteait.com is pending!
[Mon Mar 10 21:10:54 CST 2025] Error add txt for domain:_acme-challenge.yun.iteait.com
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup ali yun.iteait.com' failed: exit code 1

find the logs:
Mar 10 21:33:51 huian pvedaemon[106637]: <root@pam> starting task UPID:huian:000D08EF:014D8EF7:67CEEA3F:acmenewcert::root@pam:
Mar 10 21:33:59 huian pvedaemon[854255]: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup ali yun.iteait.com' failed: exit code 1
Mar 10 21:33:59 huian pvedaemon[106637]: <root@pam> end task UPID:huian:000D08EF:014D8EF7:67CEEA3F:acmenewcert::root@pam: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup ali yun.iteait.com' failed: exit code 1


I use dnsapi_ali, and I can confirm the ali_key and ali_secret were correct.
On another PVE, dnsapi_ali was running correctly.


Like this:
Feb 26 02:53:29 pve pveupdate[3328086]: Loading ACME account details
Feb 26 02:53:29 pve pveupdate[3328086]: Placing ACME order
Feb 26 02:53:33 pve pveupdate[3328086]: Order URL: https://acme-v02.api.letsencrypt.org/acme/order/1697758457/357955434525
Feb 26 02:53:33 pve pveupdate[3328086]: Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz/1697758457/481408892105'
Feb 26 02:53:35 pve pveupdate[3328086]: The validation for 9168.cloud is pending!
Feb 26 02:53:37 pve pveupdate[3328086]: Add TXT record: _acme-challenge.9168.cloud
Feb 26 02:53:37 pve pveupdate[3328086]: Sleeping 30 seconds to wait for TXT record propagation
Feb 26 02:54:07 pve pveupdate[3328086]: Triggering validation
Feb 26 02:54:08 pve pveupdate[3328086]: Sleeping for 5 seconds
Feb 26 02:54:15 pve pveupdate[3328086]: Status is 'valid', domain '9168.cloud' OK!
Feb 26 02:54:22 pve pveupdate[3328086]: Remove TXT record: _acme-challenge.9168.cloud
Feb 26 02:54:22 pve pveupdate[3328086]: All domains validated!
Feb 26 02:54:22 pve pveupdate[3328086]: Creating CSR
Feb 26 02:54:25 pve pveupdate[3328086]: Checking order status
Feb 26 02:54:26 pve pveupdate[3328086]: Order is ready, finalizing order
Feb 26 02:54:35 pve pveupdate[3328086]: valid!
Feb 26 02:54:35 pve pveupdate[3328086]: Downloading certificate
Feb 26 02:54:37 pve pveupdate[3328086]: Setting pveproxy certificate and key
Feb 26 02:54:37 pve pveupdate[3328086]: Restarting pveproxy
 
I encountered the same problem, and I am also using the Ali DNS plugin. I noticed that this problem occurs when using libproxmox-acme-plugins:1.6.0. When I rolled it back to 1.5.1, everything was normal. Is this a new problem introduced in 1.6.0?
 
Yes, when I upgraded PVE 8.2.2 to 8.3.5, I found the problem reappears. Thank you for your help. I have also successfully downgraded libproxmox-acme-plugins from version 1.6.0 to version 1.5.1, and now I can use the acme plugin normally. I don't know how to report the problem to the developer of libproxmox-acme-plugins.
 
The temporary downgrade fixed it, thanks~ Thank you
 
Environment:
  • Proxmox VE Version: 9.0.11
  • ACME Plugin Package: libproxmox-acme-plugins (v1.7.0)
  • DNS Plugin: dns_ali (Built-in)
Issue Analysis:
When attempting to issue a certificate using Alibaba Cloud (Aliyun) DNS, the process fails with Error add txt for domain. Enabling debug mode reveals that the Alibaba Cloud API returns a SignatureDoesNotMatch error.

This occurs because the Alibaba Cloud API strictly requires hexadecimal characters in URL encoding to be uppercase (e.g., %3A instead of %3a). However, the _url_encode function in the Proxmox internal acme.sh wrapper script (proxmox-acme) defaults to lowercase output. This causes a mismatch between the locally calculated signature and the one expected by the server.

One-Liner Fix:
Run the following command in your Proxmox shell. This sed command patches proxmox-acme to enable upper-hex support in the _url_encode function.

Code:
sed -i -e '/^_url_encode() {/a \  _mode=$1' -e '/printf '\''%%%s'\'' "$_hex_code"/c\        if [ "$_mode" = "upper-hex" ]; then printf '\''%%%s'\'' "$(echo "$_hex_code" | tr '\''a-z'\'' '\''A-Z'\'')"; else printf '\''%%%s'\'' "$_hex_code"; fi' /usr/share/proxmox-acme/proxmox-acme

Verification:
After running the command, you can immediately retry the certificate order from the Proxmox web interface. It should now succeed without requiring a service restart.
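
The hex-case mismatch described in the post above, as an added example that is not part of the original post and is not Proxmox or acme.sh code. The function names, the sample query and the secret are constructed, and the signing layout (HMAC-SHA1 over `GET&%2F&<encoded query>`, keyed with the secret followed by `&`) is assumed from Alibaba Cloud's RPC signing scheme.

```shell
#!/bin/sh
# Percent-encode stdin (RFC 3986 unreserved characters pass through).
# $1 = "upper-hex" selects uppercase hex digits; anything else gives lowercase.
url_encode() {
  _mode=$1
  for _hex in $(od -An -tx1 -v); do      # one two-digit lowercase hex token per byte
    case "$_hex" in
      3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
        printf "\\$(printf '%03o' "0x$_hex")" ;;   # 0-9 A-Z a-z - . _ ~ emitted as-is
      *)
        if [ "$_mode" = "upper-hex" ]; then
          _hex=$(printf '%s' "$_hex" | tr 'a-f' 'A-F')
        fi
        printf '%%%s' "$_hex" ;;
    esac
  done
}

# String the HMAC is computed over: METHOD & encoded "/" & encoded query.
string_to_sign() {   # $1 = canonical query, $2 = encode mode
  printf 'GET&%%2F&%s' "$(printf '%s' "$1" | url_encode "$2")"
}

# Base64(HMAC-SHA1(string_to_sign)), keyed with "<secret>&". Needs openssl.
ali_sign() {         # $1 = query, $2 = secret, $3 = encode mode
  string_to_sign "$1" "$3" | openssl dgst -sha1 -hmac "$2&" -binary | openssl base64
}

# Constructed sample values, not real credentials or a real request.
QUERY='AccessKeyId=EXAMPLEKEY&Action=AddDomainRecord&Timestamp=2025-03-10T13%3A10%3A54Z'
SECRET='example-secret'

for mode in lower-hex upper-hex; do
  echo "$mode: $(string_to_sign "$QUERY" "$mode")"
  if command -v openssl >/dev/null 2>&1; then
    echo "  signature: $(ali_sign "$QUERY" "$SECRET" "$mode")"
  fi
done
```

The two strings differ only in the case of `%3d`/`%3D`, yet the HMAC output is completely different, which is why the server side rejects the lowercase variant with SignatureDoesNotMatch.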