Environment:
- Proxmox VE Version: 9.0.11
- ACME Plugin Package: libproxmox-acme-plugins (v1.7.0)
- DNS Plugin: dns_ali (Built-in)
When attempting to issue a certificate using Alibaba Cloud (Aliyun) DNS, the process fails with "Error add txt for domain". Enabling debug mode reveals that the Alibaba Cloud API returns a SignatureDoesNotMatch error.
This occurs because the Alibaba Cloud API strictly requires hexadecimal characters in URL encoding to be uppercase (e.g., %3A instead of %3a). However, the _url_encode function in the Proxmox internal acme.sh wrapper script (proxmox-acme) defaults to lowercase output. This causes a mismatch between the locally calculated signature and the one expected by the server.
One-Liner Fix:
Run the following command in your Proxmox shell. This sed command patches proxmox-acme to enable upper-hex support in the _url_encode function.
Code:
sed -i -e '/^_url_encode() {/a \ _mode=$1' -e '/printf '\''%%%s'\'' "$_hex_code"/c\ if [ "$_mode" = "upper-hex" ]; then printf '\''%%%s'\'' "$(echo "$_hex_code" | tr '\''a-z'\'' '\''A-Z'\'')"; else printf '\''%%%s'\'' "$_hex_code"; fi' /usr/share/proxmox-acme/proxmox-acme
Verification:
After running the command, you can immediately retry the certificate order from the Proxmox web interface. It should now succeed without requiring a service restart.
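Added example (not part of the original post, and not code from proxmox-acme or acme.sh): a minimal shell model of the mismatch described above, showing that the same parameter percent-encoded with lowercase and uppercase hex yields two different HMAC inputs and therefore two different signatures. The url_encode and sign helpers, the sample parameter, the key and the string-to-sign layout are all constructed for illustration.

```shell
#!/bin/sh
# Added illustration; constructed values, not proxmox-acme or acme.sh code.

# Percent-encode stdin byte by byte. RFC 3986 unreserved characters pass
# through unchanged; every other byte becomes %XX. Passing "upper-hex" as $1
# upper-cases the hex digits, otherwise they stay lowercase as od prints them.
url_encode() {
  _mode=$1
  for _hex_code in $(od -An -v -tx1); do
    case "$_hex_code" in
      3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
        # 0-9, A-Z, a-z, "-", ".", "_", "~": emit the literal character
        printf "\\$(printf '%03o' "0x$_hex_code")" ;;
      *)
        if [ "$_mode" = "upper-hex" ]; then
          _hex_code=$(printf '%s' "$_hex_code" | tr 'a-f' 'A-F')
        fi
        printf '%%%s' "$_hex_code" ;;
    esac
  done
}

# Base64 HMAC-SHA1 of string $1 under key $2 (needs the openssl CLI).
sign() {
  printf '%s' "$1" | openssl dgst -sha1 -hmac "$2" -binary | openssl base64
}

QUERY='Timestamp=2024-01-01T00:00:00Z'   # constructed sample parameter
SECRET='constructed-demo-secret&'        # constructed key, not a real one

lower=$(printf '%s' "$QUERY" | url_encode)            # what the client signs
upper=$(printf '%s' "$QUERY" | url_encode upper-hex)  # what the server rebuilds
echo "lowercase: $lower"
echo "uppercase: $upper"

# The two strings decode to the same bytes but are different HMAC inputs,
# so the signatures disagree and the request is rejected.
if command -v openssl >/dev/null 2>&1; then
  echo "client signature: $(sign "GET&%2F&$lower" "$SECRET")"
  echo "server signature: $(sign "GET&%2F&$upper" "$SECRET")"
fi
```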