TLS certificate ACME generation problems

Apr 5, 2022
Hello, we are using PMG v 7.1-2

We started using the integrated ACME, but when the certificates are automatically generated, for some reason they always contain the outdated Let's Encrypt R3 certificate chain which expired in 2021.

This means that TLS with our customers stops working every time the certificate is renewed.

We fix the problem by removing the outdated part of the chain in pmg-api.pem and pmg-tls.pem (it always seems to be the last certificate in the file), but we have to do this every time the certificate is renewed.

Why is this happening?
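Added example, not from the thread or from Proxmox: a Python 3 stdlib-only check that reads a PEM chain file such as pmg-tls.pem, reports the notAfter date of every certificate block, and can drop the expired blocks, which is the manual fix described above, automated. The certificates in SAMPLE_CHAIN are constructed stand-ins with only their validity fields populated (they are not signed and not real CA certificates), and the fixed NOW date is an assumption so the output is reproducible.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----\n?", re.S)
NOW = datetime(2022, 4, 5, tzinfo=timezone.utc)        # assumed reference date (date of the thread)

def _tlv(data, pos):                                    # one DER TLV header -> (tag, value_start, value_end)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length (real certificates use it)
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Walk Certificate > tbsCertificate > validity; return notAfter as a UTC datetime."""
    _, pos, _ = _tlv(der, 0)                            # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                          # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                                  # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)                          # validity SEQUENCE
    _, _, pos = _tlv(der, pos)                          # notBefore (skipped)
    tag, start, end = _tlv(der, pos)                    # notAfter: UTCTime 0x17 or GeneralizedTime 0x18
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def _block_expiry(match):
    return not_after(base64.b64decode("".join(match.group(1).split())))

def chain_report(pem_text, now):                        # [(index, notAfter, expired)] per PEM block
    return [(i, _block_expiry(m), _block_expiry(m) < now) for i, m in enumerate(PEM_RE.finditer(pem_text))]

def strip_expired(pem_text, now):                       # the chain with every expired block removed
    return PEM_RE.sub(lambda m: "" if _block_expiry(m) < now else m.group(0), pem_text)

def _der(tag, body):                                    # minimal DER encoder for the constructed sample
    length = bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def constructed_cert(not_after_utc):                    # constructed, structurally minimal certificate
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, not_after_utc))
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"") + validity)
    b64 = base64.b64encode(_der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed chain shaped like the one in the thread: leaf, intermediate, then a cross-sign that expired in 2021.
SAMPLE_CHAIN = constructed_cert(b"250701000000Z") + constructed_cert(b"250915000000Z") + constructed_cert(b"210930140115Z")
```

Run it against the real file with `chain_report(open("/etc/pmg/pmg-tls.pem").read(), NOW)` (path assumed from the thread's file name) to see which block is the expired one before editing anything by hand.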
 
The rationale for this is that it's still the default chain Let's Encrypt uses (expecting it to work in most environments):
https://community.letsencrypt.org/t...alternate-certificate-chains-explained/162526


In our experience the longer chains do work reliably (except with some really old OpenSSL versions, which have a problem with a signed certificate being valid longer than the signing certificate).

In which environment are you running into the issue and what is the concrete error-message?
 
Hello and thank you for your response,
The error message would be an NDR message containing "454 certificate expired" from the customer we established TLS with.

After checking our server on checktls.com, we found out that the chain contains DST Root CA X3 as portrayed in this picture:

(screenshot of the checktls.com result attached)
I looked at the link you provided and it seems that changing ACME to use the short/alternate chain would do the work for us.
Is there a way to set this in the PMG gui?
 
The error message would be an NDR message containing "454 certificate expired" from the customer we established TLS with.
As said - in my experience most recent versions of TLS libraries handle this quite well - so maybe you could suggest to your customer that they upgrade.

In any case - sadly the alternative chain selection is not yet available/configurable in the GUI in PMG (or PVE or PBS) - and for now we're not planning on adding it.

You can open an enhancement request over at https://bugzilla.proxmox.com (that way others can subscribe there if they're also affected by this - then we could reconsider adding it)

As a workaround/mitigation for your situation - you can use any other ACME implementation, where this is configurable (acme.sh, certbot...)
 
As suggested, I set up certbot on the server with the alternative chain (option: --preferred-chain 'ISRG Root X1') and it seems to be working fine.
Thank you for your time.
This thread can now be closed.
 
