Renew Certificate failed

Hello all,

I have had a new Proxmox server since May and also created an LE certificate there via ACME. Since 11 July, I get the error shown below when renewing.

Task output:
Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/539227216/108121821606

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/132235682956'
The validation for proxmox.rollenspiel.network is pending!
Setting up webserver
Triggering validation
Sleeping for 5 seconds

TASK ERROR: validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/132235682956' failed - status: invalid

pvenode cert info
Code:
┌─────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────┐
│ filename        │ pve-root-ca.pem                                                                                  │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ fingerprint     │ EA:05:B0:20:5E:9F:A4:E9:B7:7B:FE:6C:C9:D5:77:25:F8:6A:E4:3D:F0:9A:AD:71:1E:4F:0C:2F:E7:79:53:45  │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ subject         │ /CN=Proxmox Virtual Environment/OU=d27d0e8a-b6ab-45db-bb57-2dbda1cfa1d0/O=PVE Cluster Manager CA │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ issuer          │ /CN=Proxmox Virtual Environment/OU=d27d0e8a-b6ab-45db-bb57-2dbda1cfa1d0/O=PVE Cluster Manager CA │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notbefore       │ 2022-05-10 21:15:06                                                                              │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notafter        │ 2032-05-07 21:15:06                                                                              │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-type │ rsaEncryption                                                                                    │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-bits │ 4096                                                                                             │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ san             │ []                                                                                               │
└─────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────┐
│ filename        │ pve-ssl.pem                                                                                      │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ fingerprint     │ 42:6C:48:23:1C:5B:23:30:25:F5:58:0D:A5:6F:3B:0E:16:83:4A:17:44:5F:77:55:24:5C:96:AD:1E:40:50:98  │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ subject         │ /OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=proxmox                                    │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ issuer          │ /CN=Proxmox Virtual Environment/OU=d27d0e8a-b6ab-45db-bb57-2dbda1cfa1d0/O=PVE Cluster Manager CA │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notbefore       │ 2022-05-10 21:15:06                                                                              │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notafter        │ 2024-05-09 21:15:06                                                                              │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-type │ rsaEncryption                                                                                    │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-bits │ 2048                                                                                             │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ san             │ - 127.0.0.1                                                                                      │
│                 │ - 0000:0000:0000:0000:0000:0000:0000:0001                                                        │
│                 │ - localhost                                                                                      │
│                 │ - 162.55.131.56                                                                                  │
│                 │ - proxmox                                                                                        │
└─────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────┐
│ filename        │ pveproxy-ssl.pem                                                                                │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ fingerprint     │ BA:31:CA:C8:C4:CE:A4:34:D5:8A:8A:32:02:75:B0:55:8D:B3:38:F0:19:7E:B8:4C:00:7A:FA:68:F3:89:42:00 │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ subject         │ /CN=proxmox.rollenspiel.network                                                                 │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ issuer          │ /C=US/O=Let's Encrypt/CN=R3                                                                     │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notbefore       │ 2022-05-11 20:16:30                                                                             │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notafter        │ 2022-08-09 20:16:29                                                                             │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-type │ rsaEncryption                                                                                   │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-bits │ 4096                                                                                            │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ san             │ - proxmox.rollenspiel.network                                                                   │
└─────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────┘

pvenode acme cert renew
Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/539227216/108121821606

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/132235682956'
The validation for proxmox.rollenspiel.network is pending!
Setting up webserver
Triggering validation
Sleeping for 5 seconds
validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/132235682956' failed - status: invalid
Task validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/132235682956' failed - status: invalid
 
Hi,

From the Let's Encrypt status/error we can see that the HTTP challenge is used for this setup. That means that HTTP port 80 must be free for PVE to use during a renewal, so that it can provide the challenge/response data there for Let's Encrypt.

But if one opens http://proxmox.rollenspiel.network/, one gets a 404 HTTP response from openresty. That means there's already a permanent HTTP server running there, which will interfere with the HTTP challenge for ACME certificates.

Either configure that service (which has probably been active since ~11th July) so that it doesn't plainly listen on public IPs on port 80, stop it, or switch to a challenge method that doesn't rely on HTTP requests to the host, like the DNS challenge.
 
But there is no webserver running on the server.
Code:
netstat -tunlp | grep :80
tcp6       0      0 :::8006                 :::*                    LISTEN      1821/pveproxy

//Edit
I have an idea where it comes from: I forward all ports except 22 and 8006 to the nginx proxy manager.
Code:
    post-up iptables -t nat -A PREROUTING -i vmbr2 -p tcp ! -s 162.55.131.58/32 -m multiport ! --dport 22,8006 -j DNAT --to 10.0.0.2
    post-up iptables -t nat -A PREROUTING -i vmbr2 -p udp ! -s 162.55.131.58/32 -j DNAT --to 10.0.0.2

Now I just have to figure out how to get around this, because there is no DNS module for my domain registrar.
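
Added example, not part of the original posts: a shell check for the situation the thread arrives at, where nothing listens on port 80 locally but a nat PREROUTING DNAT rule hands port 80 to another machine, so the HTTP-01 request never reaches PVE. It reads rules in `iptables-save -t nat` syntax; the function names are hypothetical, and the sample input is the two rules from the post rewritten in that syntax (constructed).

```sh
#!/bin/sh
# Added example (not from the thread): list nat PREROUTING rules that DNAT a
# given TCP port away from the host. Input: `iptables-save -t nat` syntax on stdin.

# Constructed sample: the two rules from the post, rewritten in iptables-save syntax.
SAMPLE_RULES='-A PREROUTING ! -s 162.55.131.58/32 -i vmbr2 -p tcp -m multiport ! --dports 22,8006 -j DNAT --to-destination 10.0.0.2
-A PREROUTING ! -s 162.55.131.58/32 -i vmbr2 -p udp -j DNAT --to-destination 10.0.0.2'

# Returns 0 if the rule's destination-port match (if any) applies to port $2.
port_matches() {
    pm_list=$(printf '%s\n' "$1" | sed -n 's/.*--dports\{0,1\} \([0-9,:]*\).*/\1/p')
    [ -n "$pm_list" ] || return 0      # no port match: the rule covers every port
    pm_hit=1
    for pm_item in $(printf '%s' "$pm_list" | tr ',' ' '); do
        # An item is either a single port or a lo:hi range (either side may be open).
        pm_lo=${pm_item%%:*}; pm_hi=${pm_item##*:}
        if [ "$2" -ge "${pm_lo:-0}" ] && [ "$2" -le "${pm_hi:-65535}" ]; then pm_hit=0; fi
    done
    case $1 in
        *"! --dport"*) [ "$pm_hit" -ne 0 ] ;;   # negated: applies when the port is NOT listed
        *)             [ "$pm_hit" -eq 0 ] ;;
    esac
}

# Prints each DNAT rule from stdin that catches TCP port $1;
# returns 0 if at least one rule was printed, 1 otherwise.
dnat_rules_for_port() {
    dr_found=1
    while IFS= read -r dr_line; do
        case $dr_line in "-A PREROUTING "*"-j DNAT"*) ;; *) continue ;; esac
        # Skip rules limited to another protocol (a negated -p is not handled).
        case $dr_line in *" -p tcp "*) ;; *" -p "*) continue ;; esac
        if port_matches "$dr_line" "$1"; then
            printf '%s\n' "$dr_line"
            dr_found=0
        fi
    done
    return "$dr_found"
}

# Port 80 is not in the "! --dports 22,8006" exemption list, so the TCP rule is printed.
printf '%s\n' "$SAMPLE_RULES" | dnat_rules_for_port 80
```

On a live host the same function can be fed from `iptables-save -t nat | dnat_rules_for_port 80`; any rule it prints means the validation request is forwarded before a local listener could answer it.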
 