PVE Unable to Acquire Certificate using ACME DNS Plugin

smirk

Jul 25, 2024
Hi

Bit of background first:

I have created a new PVE server (8.2.4). The server is sitting within IANA reserved address space (i.e. 192.168.x.x) and goes through NAT to get out to the internet.

I am trying to configure the Certificate configuration to acquire a legitimate certificate via Let's Encrypt. Since the server is not exposed to the internet, I am using the ACME DNS plugin to interact with my DNS registrar (NAME.COM).

I have my username and API key set up, and I have whitelisted the public IP of my NAT gateway with NAME.COM. I know the credentials are good, as I can acquire certificates on another machine (beyond the gateway) using the DNS plugin.

What happens:

When I 'order' a certificate from the Proxmox UI (or even from the CLI using the pvenode command), I simply get the error:

Code:
[Tue Aug 13 09:41:52 BST 2024] {"message":"Permission Denied"}
[Tue Aug 13 09:41:52 BST 2024] Please add your ip to api whitelist
[Tue Aug 13 09:41:52 BST 2024] Logging in failed.

What I have tried/verified:

I set up the 'legitimate' acme.sh script on the Proxmox server using the "curl https://get.acme.sh | sh -s email=my@example.com" command. I entered the necessary credentials for NAME.COM into the accounts.conf file (basically copying the details from the "api" box).

Running the actual acme.sh script acquires a certificate as I would expect.

Since I'm running the actual acme.sh script from the server (and it goes out through the NAT gateway like all other traffic from the server) and it all works, I can conclude that there is nothing wrong with the credentials: the API key is good, the IP whitelisting is good and generally the NAME.COM setup is good.

Also manually used curl to connect to NAME.COM with my API credentials:

Code:
curl -u 'NNNNNNNN:XXXXXXXXXXXXXXXXXXXXXXXX' 'https://api.name.com/v4/domains'

And as expected that returned a JSON document listing the domains I have registered with NAME.COM.

Question

Is the Proxmox version of the acme script for the DNS plugin (especially for NAME.COM) simply [known to be] broken, or am I missing some esoteric configuration setting?

Thanks in advance for any info
 
Doing a bit more scratching at this. I had assumed the 'Please add your IP to API whitelist' message was coming from the DNS registrar's servers. However, I just manually set up a connection to ZeroSSL, which seems to be the CA that acme.sh uses by default these days. Despite having working credentials, using ZeroSSL generates the same message about adding the IP to the API whitelist. So my guess is it's something internal to the Proxmox running on the server.

As an experiment I did change to using Cloudflare as my DNS registrar (using Let's Encrypt as the CA). When setting that up in the Proxmox UI you do get a more informative little dialog that asks for account ID, API key, etc. rather than a general text box labeled 'api'. The Cloudflare setup did work, so again my presumption is that the Cloudflare setup (within Proxmox) is better developed/tested.
 
@smirk -- did you ever resolve this? I have exactly the same issue with Proxmox 8 trying to issue an ACME certificate for a domain registered with Name.com.

I know my API key and username are correct, as I can issue certificates via PowerShell for other hosts on my home network. I also have ACME set up and working fine/renewing automatically on a Synology NAS, so I know that my outbound public IP is correctly whitelisted in the Name.com portal.

Code:
[Sat Oct 12 23:15:59 BST 2024] {"message":"Permission Denied"}
[Sat Oct 12 23:15:59 BST 2024] Please add your ip to api whitelist
[Sat Oct 12 23:15:59 BST 2024] Logging in failed.
 
@Arcticpollen - sadly not. I ended up moving my DNS registration to Cloudflare, which works like a charm. It's a real shame, as you found there's nothing wrong with the mechanism (API key or whatever; even the stock ACME scripts work). Sadly the Proxmox bundling has introduced something that has broken it for NAME.COM.
 
@smirk - apologies, I meant to update my post. I did get it working correctly in the end. The Name.com username is case-sensitive, and copying the username and API key directly from their portal into the Proxmox config allowed me to install and force updates to the LE certificate in Proxmox.
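Editor's added example (not code from any post above, nor from Proxmox or acme.sh). It reproduces, offline, the login check that explains the thread: as I read acme.sh's dns_namecom.sh (assumption: verify against the copy installed on your node), the plugin sends a Basic-auth GET to /v4/hello and then looks for the exact, case-sensitive string "username":"<configured username>" in the JSON body. Name.com accepts the login whatever the case of the username, but the hello response reports the canonical username, so a username typed in the wrong case passes the API yet fails the plugin's string comparison, and the plugin prints the misleading "Logging in failed." / "Please add your ip to api whitelist" lines seen in the posts. The function names, the sample hello body and the variable names Namecom_Username / Namecom_Token are my assumptions.

```shell
#!/bin/sh
# Added example: mirrors the acme.sh dns_namecom plugin's login check.
# Behaviour reconstructed from the plugin source (assumption); not project code.

# Build the Basic-auth value the way the plugin does: base64("user:token").
namecom_auth_header() {
    # $1 = Namecom_Username, $2 = Namecom_Token
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Exact, case-sensitive check of the /v4/hello body for the configured username.
# Returns 0 on match; on mismatch prints the plugin's two error lines and returns 1.
namecom_check_hello() {
    # $1 = configured username, $2 = JSON body returned by /v4/hello
    case "$2" in
        *"\"username\":\"$1\""*) return 0 ;;
    esac
    echo "Logging in failed." >&2
    echo "Please add your ip to api whitelist" >&2
    return 1
}

# Live variant (needs network): same credentials and endpoint family the thread
# exercised with curl; the body it returns is what namecom_check_hello inspects.
namecom_hello_live() {
    # $1 = Namecom_Username, $2 = Namecom_Token
    curl -s -u "$1:$2" 'https://api.name.com/v4/hello'
}

# Constructed sample body (assumption about field layout): what /v4/hello returns
# once the API has accepted the credentials. Note the canonical lowercase username.
SAMPLE_HELLO='{"serverName":"api.name.com","motd":"","username":"smirk","serverTime":"2024-08-13T08:41:52Z"}'

# The same valid API key succeeds or fails on the case of the username alone.
demo() {
    if namecom_check_hello "smirk" "$SAMPLE_HELLO"; then
        echo "username 'smirk': plugin login OK"
    fi
    if ! namecom_check_hello "Smirk" "$SAMPLE_HELLO" 2>/dev/null; then
        echo "username 'Smirk': plugin login FAILS although the API accepted the key"
    fi
}

demo
```

To apply this to the failing node: run the live call with the exact username and token from the Name.com portal, compare the "username" value in the response character for character with what is in the plugin's 'api' box on the Proxmox side, and correct the case there; the whitelist wording in the error is the plugin's fixed text on any login-check failure, not a message from Name.com.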
 