Unable to get certificate (ACME/Cloudflare DNS plugin)

Fra

While ordering the certificate I get:

Code:
2021-07-31T17:48:11+02:00: Placing ACME order
2021-07-31T17:48:12+02:00: Order URL: https://acme-v02.api.letsencrypt.org/acme/order/...........
2021-07-31T17:48:12+02:00: Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/..........'
2021-07-31T17:48:12+02:00: The validation for pbs.xxx.yyy is pending
2021-07-31T17:48:12+02:00: Setting up validation plugin
2021-07-31T17:48:16+02:00: [Sat Jul 31 17:48:16 CEST 2021] Adding record

2021-07-31T17:48:17+02:00: [Sat Jul 31 17:48:17 CEST 2021] Added, OK

2021-07-31T17:48:17+02:00: Triggering validation
2021-07-31T17:48:18+02:00: Sleeping for 5 seconds
2021-07-31T17:48:28+02:00: TASK ERROR: validating challenge 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/............' failed - status: Invalid

this happens only on proxmox-pbs, while on proxmox-pve everything works fine as usual.

I saw something similar in proxmox-pve some time ago that was fixed (I guess it was that "5 seconds" which does not respect the 30 seconds default)

(updated to latest Backup Server 1.1-12)
 
please post the full log with the failure..
 
just copy it from the task log..
 
please post the FULL log, not the last line..
 
which plugin are you using? if you are using the standalone plugin, do you fulfill all the requirements (port 80 open to the public, domain requested resolves to public IP of system requesting the certificate)?
 
could you try increasing the validation delay - nvm, you don't even hit that. are you sure you filled out the plugin data fields correctly?

alternatively, if you use the non-staging directory, visiting the order/authorization urls will give you more details about why the validation is failing (but beware of the lower rate-limits!)
 
Hi, I tried to increase the validation delay but nothing changed. What is the URL for more detail?
 
the urls that are printed in the task log contain more details, but for the staging API they can only be retrieved using an ACME client. for the regular directory, they are world-readable via a normal HTTP request.
 
check that your system is actually using the desired DNS plugin - the task log you posted doesn't show any of the expected output for that case. the standalone plugin doesn't honor the validation delay IIRC. if you use the regular non-staging directory, the URLs printed in the task log will probably contain all the required information
 
the message 'invalid domain' is the result of the CF plugin not being able to look up the zone information.. so either something is wrong with the plugin config, or with the API settings on the Cloudflare side..
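
Added example (not part of the thread and not Proxmox code): the order/authorization URLs mentioned in the replies above return an ACME authorization object, and this Python snippet pulls the CA's failure reason out of one. The sample JSON is constructed following RFC 8555 with placeholder values, and the names `fetch_authz` and `failed_challenges` are hypothetical.

```python
import json
import urllib.request

# Constructed sample of an RFC 8555 authorization object; the identifier,
# URLs, token and error text are placeholders, not values from this thread.
SAMPLE_AUTHZ = json.loads("""
{
  "identifier": {"type": "dns", "value": "pbs.example.com"},
  "status": "invalid",
  "challenges": [
    {"type": "http-01", "status": "pending",
     "url": "https://acme.example/chall/1", "token": "PLACEHOLDER"},
    {"type": "dns-01", "status": "invalid",
     "url": "https://acme.example/chall/2", "token": "PLACEHOLDER",
     "error": {"type": "urn:ietf:params:acme:error:unauthorized",
               "detail": "No TXT record found at _acme-challenge.pbs.example.com",
               "status": 403}}
  ]
}
""")


def fetch_authz(url, timeout=10):
    """GET an authorization URL; per the reply above, a plain HTTP request
    only works for the regular (non-staging) directory."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def failed_challenges(authz):
    """Return one dict per challenge the CA marked invalid, with its error detail."""
    ident = authz.get("identifier", {}).get("value", "?")
    failures = []
    for chall in authz.get("challenges", []):
        if chall.get("status") != "invalid":
            continue
        err = chall.get("error") or {}
        failures.append({
            "identifier": ident,
            "challenge": chall.get("type"),
            # Keep only the last URN segment, e.g. "unauthorized" or "dns".
            "error": err.get("type", "").rsplit(":", 1)[-1] or "unknown",
            "detail": err.get("detail", "no detail returned"),
        })
    return failures


if __name__ == "__main__":
    for f in failed_challenges(SAMPLE_AUTHZ):
        print(f"{f['identifier']} [{f['challenge']}] {f['error']}: {f['detail']}")
```

To inspect a real order, pass the authorization URL from the task log to `fetch_authz` and feed the result to `failed_challenges`.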
 
I fixed the problem

I edited the API Token in Cloudflare and removed the public IP of the Proxmox Backup Server, and now it works.

Thank you
 