Renew Certificate failed

Tealk

Sep 28, 2020
Hello all,

I have had a new Proxmox server since May and also created an LE certificate there via ACME. Since 11 July, when renewing I get the error mentioned below.

Task output:
Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/539227216/108121821606

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/132235682956'
The validation for proxmox.rollenspiel.network is pending!
Setting up webserver
Triggering validation
Sleeping for 5 seconds

TASK ERROR: validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/132235682956' failed - status: invalid

pvenode cert info
Code:
┌─────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────┐
│ filename        │ pve-root-ca.pem                                                                                  │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ fingerprint     │ EA:05:B0:20:5E:9F:A4:E9:B7:7B:FE:6C:C9:D5:77:25:F8:6A:E4:3D:F0:9A:AD:71:1E:4F:0C:2F:E7:79:53:45  │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ subject         │ /CN=Proxmox Virtual Environment/OU=d27d0e8a-b6ab-45db-bb57-2dbda1cfa1d0/O=PVE Cluster Manager CA │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ issuer          │ /CN=Proxmox Virtual Environment/OU=d27d0e8a-b6ab-45db-bb57-2dbda1cfa1d0/O=PVE Cluster Manager CA │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notbefore       │ 2022-05-10 21:15:06                                                                              │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notafter        │ 2032-05-07 21:15:06                                                                              │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-type │ rsaEncryption                                                                                    │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-bits │ 4096                                                                                             │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ san             │ []                                                                                               │
└─────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────┐
│ filename        │ pve-ssl.pem                                                                                      │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ fingerprint     │ 42:6C:48:23:1C:5B:23:30:25:F5:58:0D:A5:6F:3B:0E:16:83:4A:17:44:5F:77:55:24:5C:96:AD:1E:40:50:98  │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ subject         │ /OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=proxmox                                    │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ issuer          │ /CN=Proxmox Virtual Environment/OU=d27d0e8a-b6ab-45db-bb57-2dbda1cfa1d0/O=PVE Cluster Manager CA │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notbefore       │ 2022-05-10 21:15:06                                                                              │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notafter        │ 2024-05-09 21:15:06                                                                              │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-type │ rsaEncryption                                                                                    │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-bits │ 2048                                                                                             │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ san             │ - 127.0.0.1                                                                                      │
│                 │ - 0000:0000:0000:0000:0000:0000:0000:0001                                                        │
│                 │ - localhost                                                                                      │
│                 │ - 162.55.131.56                                                                                  │
│                 │ - proxmox                                                                                        │
└─────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────┐
│ filename        │ pveproxy-ssl.pem                                                                                │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ fingerprint     │ BA:31:CA:C8:C4:CE:A4:34:D5:8A:8A:32:02:75:B0:55:8D:B3:38:F0:19:7E:B8:4C:00:7A:FA:68:F3:89:42:00 │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ subject         │ /CN=proxmox.rollenspiel.network                                                                 │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ issuer          │ /C=US/O=Let's Encrypt/CN=R3                                                                     │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notbefore       │ 2022-05-11 20:16:30                                                                             │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notafter        │ 2022-08-09 20:16:29                                                                             │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-type │ rsaEncryption                                                                                   │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-bits │ 4096                                                                                            │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ san             │ - proxmox.rollenspiel.network                                                                   │
└─────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────┘

pvenode acme cert renew
Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/539227216/108121821606

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/132235682956'
The validation for proxmox.rollenspiel.network is pending!
Setting up webserver
Triggering validation
Sleeping for 5 seconds
validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/132235682956' failed - status: invalid
Task validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/132235682956' failed - status: invalid
 
Hi,

From the Let's Encrypt status/error we can see that the HTTP challenge is used for this setup; that means HTTP port 80 must be free for PVE to use during a renewal, so that it can provide the challenge/response data there for Let's Encrypt.

But if one opens http://proxmox.rollenspiel.network/ one gets a 404 HTTP response from openresty; that means there's already a permanent HTTP server running there, which will interfere with the HTTP challenge for ACME certificates.

Either configure that service (which has probably been active since ~11 July) so that it doesn't plainly listen on public IPs on port 80, stop it, or switch to a challenge method that doesn't rely on HTTP requests to the host, like the DNS challenge.
 
But there is no webserver running on the server:
Code:
netstat -tunlp | grep :80
tcp6       0      0 :::8006                 :::*                    LISTEN      1821/pveproxy

//Edit
I have an idea where it comes from: I forward all ports except 22 and 8006 to the nginx proxy manager.
Code:
    post-up iptables -t nat -A PREROUTING -i vmbr2 -p tcp ! -s 162.55.131.58/32 -m multiport ! --dport 22,8006 -j DNAT --to 10.0.0.2
    post-up iptables -t nat -A PREROUTING -i vmbr2 -p udp ! -s 162.55.131.58/32 -j DNAT --to 10.0.0.2

Now I just have to figure out how to get around this, because there is no DNS module for my domain registrar.
 
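The staff reply above says port 80 must be reachable on the host for the HTTP challenge, and the last post shows why `netstat` found nothing there: the `post-up` DNAT rules on vmbr2 redirect every inbound TCP port except 22 and 8006 to 10.0.0.2 in the nat PREROUTING chain, before any local listener sees the packet. (Note also that `grep :80` matched the `:8006` line, not a port-80 listener.) The check below is an added example, not code from the thread or from Proxmox: it reads `iptables-save -t nat` output and reports which PREROUTING DNAT rules would capture a given TCP port, handling the negated multiport list used here. The sample rules are constructed to mirror the two quoted `post-up` lines as iptables-save would print them; the function name and the third sample rule are assumptions.

```shell
#!/bin/sh
# Added diagnostic (example code, not from Proxmox or the forum posters).
# Given nat-table rules in `iptables-save -t nat` format on stdin, print the
# PREROUTING DNAT rules that would capture inbound TCP traffic to a port and
# return 0 if any does. For port 80 this tells you whether the HTTP-01
# challenge request is redirected elsewhere before pveproxy's temporary
# challenge listener on the host could answer it.

# dnat_catches_port PORT < rules
dnat_catches_port() {
    awk -v port="$1" '
    BEGIN { port = port + 0 }
    # is port p inside a --dport/--dports list such as "22,8006" or "80:90,443"?
    function in_list(p, list,    n, parts, i, r, lo, hi) {
        n = split(list, parts, ",")
        for (i = 1; i <= n; i++) {
            if (index(parts[i], ":")) {
                split(parts[i], r, ":"); lo = r[1] + 0; hi = r[2] + 0
            } else {
                lo = parts[i] + 0; hi = lo
            }
            if (p >= lo && p <= hi) return 1
        }
        return 0
    }
    $1 == "-A" && $2 == "PREROUTING" && /-j DNAT/ {
        proto = ""; list = ""; neg = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") {
                proto = $(i + 1)
            } else if ($i == "--dport" || $i == "--dports") {
                list = $(i + 1)
                if ($(i - 1) == "!") neg = 1   # "! --dports 22,8006" = everything except
            }
        }
        if (proto != "" && proto != "tcp") next    # udp/icmp rules cannot carry HTTP
        if (list == "") { print; found = 1; next } # no port match: every TCP port is redirected
        hit = in_list(port, list)
        if (neg) hit = !hit
        if (hit) { print; found = 1 }
    }
    END { exit(found ? 0 : 1) }'
}

# Constructed sample (not the poster's actual dump); the first two rules are the
# post-up lines quoted in the thread as iptables-save would print them, the
# third is an assumed extra forward to show a plain --dport match.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING ! -s 162.55.131.58/32 -i vmbr2 -p tcp -m multiport ! --dports 22,8006 -j DNAT --to-destination 10.0.0.2
-A PREROUTING ! -s 162.55.131.58/32 -i vmbr2 -p udp -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i vmbr2 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.0.0.3:22
COMMIT'

# Stand-alone run against the sample; on the real host use:
#   iptables-save -t nat | dnat_catches_port 80
if printf '%s\n' "$SAMPLE_RULES" | dnat_catches_port 80; then
    echo "port 80 is DNATed away: HTTP-01 cannot reach this host"
else
    echo "no PREROUTING DNAT rule captures port 80"
fi
```

On the sample, port 80 is caught by the negated multiport rule while 22 and 8006 are not, which matches what the thread observed: the challenge request lands on the proxy at 10.0.0.2 (openresty's 404) and never on pveproxy. Within the options the staff reply lists, taking port 80 out of the DNAT (for example by adding it to the excluded list) makes the challenge reachable but also takes port 80 away from the sites behind the proxy manager, so the DNS challenge remains the cleaner choice if a DNS plugin for the registrar becomes available.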