[TUTORIAL] Subject Alternative Name in Certificates & adding additional DNS API procedure

racitup

New Member
Dec 9, 2021
I have been able to add a new DNS API script to acme.sh for Mythic Beasts, load it and use it with Proxmox according to this thread.
1. Put your script in here:
Code:
/usr/share/proxmox-acme/dnsapi

2. According to that thread, you no longer need to edit the Perl file; instead you change it here:
Code:
/usr/share/proxmox-acme/dns-challenge-schema.json

3. Then restart pveproxy & pvedaemon
Code:
service pveproxy restart
service pvedaemon restart

4. You need to log into Proxmox as root; otherwise the ACME option under Datacenter does not appear. Configure your plugins with credentials.

5. Go to PVE Node -> System -> Certificates to add in new domain names.

The self-signed certificate has several Subject Alternative Names (SANs) (localhost, 127.0.0.1, IP, domain, etc...).
Adding more domains to the list in Proxmox adds the domains into a single certificate, which is awesome!

For future reference, how do I contribute my dns-challenge-schema.json file? I couldn't find an up-to-date proxmox-acme repo.
My acme.sh script will eventually make it into their release no doubt and then be included in the Proxmox release.
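The five steps above, as an added example wrapped in shell functions. This is not code from the post or from Proxmox's own tooling, and it assumes a schema layout the thread does not spell out: a JSON object keyed by the plugin id (the part of the script name between "dns_" and ".sh", so dns_cf.sh becomes "cf"), each entry carrying a "name" for the GUI and a "fields" map of the environment variables the acme.sh script reads, each with a "description" and a "type". Check the existing entries in your dns-challenge-schema.json against that before relying on it. The MB_AK/MB_AS variable names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the forum post, not Proxmox code): wraps steps 1-3 of
# adding an acme.sh DNS API plugin to proxmox-acme. Schema layout below is an
# assumption modelled on the entries already present in the file.
set -eu

# Where proxmox-acme keeps its copy of the acme.sh DNS API scripts and the
# schema that pveproxy/pvedaemon use to render the plugin form in the GUI.
ACME_DIR="${ACME_DIR:-/usr/share/proxmox-acme}"

# Step 1: copy the acme.sh script into the dnsapi directory. Only files named
# dns_<id>.sh are accepted, because the plugin id is derived from that name.
install_dnsapi_script() {
    src="$1"
    name=$(basename "$src")
    case "$name" in
        dns_*.sh) ;;
        *) echo "expected a dns_<id>.sh script, got '$name'" >&2; return 1 ;;
    esac
    mkdir -p "$ACME_DIR/dnsapi"
    install -m 0644 "$src" "$ACME_DIR/dnsapi/$name"
}

# Plugin id from the script file name: dns_mythic_beasts.sh -> mythic_beasts
plugin_id_from_script() {
    name=$(basename "$1" .sh)
    printf '%s\n' "${name#dns_}"
}

# Step 2: register the plugin in dns-challenge-schema.json instead of editing
# the Perl module. Extra arguments are VAR=description pairs, one per
# credential the script reads from its environment. python3 does the JSON edit
# because a Debian-based PVE node ships it, while jq is not installed by default.
add_schema_entry() {
    id="$1"; display="$2"; shift 2
    python3 - "$ACME_DIR/dns-challenge-schema.json" "$id" "$display" "$@" <<'EOF'
import json, sys

path, plugin_id, display, *pairs = sys.argv[1:]
with open(path) as fh:
    schema = json.load(fh)

fields = {}
for pair in pairs:
    var, _, description = pair.partition("=")
    # assumed field layout: {"description": ..., "type": "string"}
    fields[var] = {"description": description, "type": "string"}

if plugin_id in schema:
    print(f"replacing existing schema entry for {plugin_id!r}", file=sys.stderr)
schema[plugin_id] = {"name": display, "fields": fields}

with open(path, "w") as fh:
    json.dump(schema, fh, indent=3, sort_keys=True)
    fh.write("\n")
EOF
}

# Step 3: both daemons load the schema when they start, so both are restarted.
restart_pve_services() {
    service pveproxy restart
    service pvedaemon restart
}

# Usage, as root on the PVE node (steps 4 and 5 are then done in the GUI):
#   install_dnsapi_script ./dns_mythic_beasts.sh
#   add_schema_entry "$(plugin_id_from_script ./dns_mythic_beasts.sh)" \
#       "Mythic Beasts" "MB_AK=API key" "MB_AS=API secret"   # placeholder names
#   restart_pve_services
```

Setting ACME_DIR to a scratch directory lets you dry-run the first two steps and inspect the resulting JSON before touching the live node; the package upgrade of proxmox-acme will overwrite both the script directory and the schema, which is why the thread's answer is to get the plugin upstream.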

fabian

Proxmox Staff Member
Staff member
Jan 7, 2016

The repo is here; you can send a patch once the plugin is included in acme.sh (refer to the developer docs for details ;))

racitup

Awesome, thanks!

Another related question, are you planning to include a feature where you choose which domain in the ACME list becomes the primary certificate domain that is displayed in the browser (is this the Subject?)? I have updated my certificate a couple of times and it appears to take the highest on the list alphabetically which may not always be desirable, e.g. www.domain.com.

fabian

It makes no difference which one is in the CN; the certificate is valid for all of them anyway?

racitup

Yes, but the CN is visible when people investigate the certificate in the browser; the SAN is not. It seems odd to give people the functionality to have multiple domains but not let them choose the visible primary one.

The functionality is so handy I'm using the cert for my main web proxy, so that's the other reason.

fabian

Feel free to file a feature request at bugzilla.proxmox.com, but it will probably be lower priority since it's mostly cosmetic ;) and, taking a cursory glance at the ACME spec, whether the 'first' domain gets put into the CN is implementation specific and not guaranteed AFAICT.

racitup

It appears the client specifies the Subject in the CSR, defined by RFC 2986.
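Two points from the exchange above can be checked with OpenSSL on any machine: that the Subject CN is whatever the client writes into the certificate request (RFC 2986), and that, once a certificate carries a subjectAltName extension, a TLS client decides validity from the SAN list alone and the CN "makes no difference". The following is an added example, not code from the thread or from Proxmox or acme.sh; the example.com names, file names and the deliberate choice of a CN that is absent from the SAN list are constructed for the demonstration. Run it with the argument `demo` to see the three verification results.

```shell
#!/bin/sh
# Added example (not from the thread, not Proxmox/acme.sh code): build a CSR
# with a client-chosen Subject CN and a SAN list, self-sign it, and ask
# OpenSSL which host names the certificate actually covers.
set -eu

# make_csr DIR CN SAN1 [SAN2 ...]: writes DIR/key.pem, DIR/req.csr, DIR/ext.cnf
make_csr() {
    dir="$1"; cn="$2"; shift 2
    san=""
    for d in "$@"; do san="${san:+$san,}DNS:$d"; done
    # A config file instead of -addext keeps this working on OpenSSL < 1.1.1.
    cat > "$dir/ext.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/req.csr" -config "$dir/ext.cnf" 2>/dev/null
}

# csr_cn DIR: the Subject CN exactly as the client put it into the request
csr_cn() {
    openssl req -in "$1/req.csr" -noout -subject -nameopt RFC2253 \
        | sed -e 's/^subject= *//' -e 's/^CN=//'
}

# self_sign DIR: issue DIR/cert.pem from the CSR, carrying the SAN extension.
# A real CA does this step; the subject comes from the request unless the CA's
# policy rewrites it.
self_sign() {
    openssl x509 -req -in "$1/req.csr" -signkey "$1/key.pem" -days 1 \
        -extfile "$1/ext.cnf" -extensions ext -out "$1/cert.pem" 2>/dev/null
}

# cert_covers DIR HOSTNAME: exit 0 when a standard chain + host name check
# accepts the certificate for HOSTNAME. This is the check a browser performs;
# with a SAN extension present the CN is not consulted at all.
cert_covers() {
    openssl verify -CAfile "$1/cert.pem" -verify_hostname "$2" "$1/cert.pem" \
        >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    # CN deliberately left out of the SAN list to make the point visible.
    make_csr "$dir" admin.example.com pve.example.com www.example.com
    echo "CSR subject CN: $(csr_cn "$dir")"
    self_sign "$dir"
    for h in pve.example.com www.example.com admin.example.com; do
        if cert_covers "$dir" "$h"; then echo "$h: accepted"; else echo "$h: rejected"; fi
    done
fi
```

The first SAN entry or the CN ordering is therefore only a display matter: what a client enforces is the SAN list, and a name that appears only in the CN is rejected by OpenSSL's own hostname check. Whether an ACME client copies its first domain into the CN is up to that client, exactly as the spec leaves it open.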

fabian

Ah yeah, that makes sense :)