Hi all,
Edit: the 'not deploying' bit turns out to be a known problem, to be fixed upstream
I am in the process of supplying hosts on the LAN with Letsencrypt certificates.
I found the ACME plugins in datacenter and node, and an option to manually upload a certificate via the Web GUI or replace it on the filesystem at /etc/pve/local/pveproxy-ssl.pem (and .key).
My domains are served by Hurricane Electric (dns.he.net); they don't have API access via tokens yet. The DNS challenge still works when storing the credentials for the HE account, but I preferred not to put those credentials on all hosts.
For OPNsense I already had the HE-account configured for DNS validation. It turns out that OPNsense has a relatively recent addition to the automations (upload certificate to Proxmox VE), via acme.sh (where it was added earlier).
I am not successful in uploading the certificate though.
At first I created a pve-realm user with only permission to the Sys.Modify role. For that user I created an API token with privilege separation, and set the Sys.Modify role for the token as well.
After poking around a bit, I created a token without privilege separation for root, without better result.
Finally I set environment variables as mentioned in the acme.sh wiki on OPNsense's CLI, and tried to manually call acme.sh
acme.sh --deploy -d host.domain.tld --deploy-hook proxmoxve
It tells me that my host.domain.tld is not a certificate name that can be found in that directory (ie, /root).
The OPNsense GUI only gives me sparse information in its log:
2023-12-30T17:51:41 | opnsense | AcmeClient: running acme.sh deploy hook failed (acme_proxmoxve) |
2023-12-30T17:51:41 | opnsense | AcmeClient: running automation (acme.sh): cert_upload_pve |
2023-12-30T17:51:41 | opnsense | AcmeClient: running automations for certificate: server.domain.tld |
I'm not familiar enough with BSD to find further logging.
On the Proxmox side, I don't know where to expect logging for this task; /var/log has an empty acme.sh.log; in system/lastlog and userlog, there was nothing related to acme.sh. For the corresponding timestamp there is no entry in /var/log/auth.log, /var/log/pveproxy/access.log, /var/log/pveam.log or /var/log/syslog.
Any idea how to troubleshoot this further, or point me to obvious beginner mistakes?
Edit: there seems to be an issue with the script, to be solved in the next release of acme.sh
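A pre-flight script for this deploy hook, added here as an example and not code from OPNsense, acme.sh or Proxmox: it checks the three points the post runs into (the certificate being present in acme.sh's home directory for the domain, the DEPLOY_PROXMOXVE_* variables being set, and the API token being accepted by a read-only call). Assumed: the variable names as documented for acme.sh's proxmoxve hook, the PVEAPIToken header format, /var/etc/acme-client/home as the OPNsense plugin's acme.sh home, and PVE_CACERT as a hypothetical variable for the cluster CA.

```shell
#!/bin/sh
# Added pre-flight check, not OPNsense's, acme.sh's or Proxmox's own code. It tests what the
# acme.sh "proxmoxve" deploy hook needs before contacting Proxmox VE: the certificate must
# sit in acme.sh's home directory under the domain name (the "not a certificate name" error
# means acme.sh searched the wrong home, e.g. /root instead of the plugin's home), and the
# DEPLOY_PROXMOXVE_* variables the hook reads must all be set. Assumption: OPNsense's plugin
# keeps its acme.sh home in /var/etc/acme-client/home; pass yours as the second argument.

# Print the directory acme.sh would use for the domain (ECC dir is tried first), else fail.
find_cert_dir() {
  domain=$1
  home=${2:-$HOME/.acme.sh}
  for d in "$home/${domain}_ecc" "$home/$domain"; do
    if [ -f "$d/fullchain.cer" ] && [ -f "$d/$domain.key" ]; then
      echo "$d"
      return 0
    fi
  done
  echo "no certificate for $domain under $home (wrong acme.sh home?)" >&2
  return 1
}

# Verify every variable the proxmoxve hook reads is set; list missing ones on stderr.
check_deploy_env() {
  missing=""
  for v in DEPLOY_PROXMOXVE_SERVER DEPLOY_PROXMOXVE_NODE_NAME DEPLOY_PROXMOXVE_USER \
      DEPLOY_PROXMOXVE_USER_REALM DEPLOY_PROXMOXVE_API_TOKEN_NAME \
      DEPLOY_PROXMOXVE_API_TOKEN_KEY; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  [ -z "$missing" ] && return 0
  echo "missing:$missing" >&2
  return 1
}

# Build the token header Proxmox VE expects; the token needs Sys.Modify on /nodes/<node>.
pve_auth_header() {
  echo "Authorization: PVEAPIToken=${DEPLOY_PROXMOXVE_USER}@${DEPLOY_PROXMOXVE_USER_REALM}!${DEPLOY_PROXMOXVE_API_TOKEN_NAME}=${DEPLOY_PROXMOXVE_API_TOKEN_KEY}"
}

# Read-only probe (GET /version needs only a valid login): a 401 means the token itself is
# rejected, independent of acme.sh; a 200 does not prove the Sys.Modify ACL the upload needs.
# PVE_CACERT (hypothetical) may point at /etc/pve/pve-root-ca.pem while the node is self-signed.
pve_probe() {
  curl -sS -o /dev/null -w '%{http_code}\n' ${PVE_CACERT:+--cacert "$PVE_CACERT"} \
    -H "$(pve_auth_header)" \
    "https://${DEPLOY_PROXMOXVE_SERVER}:${DEPLOY_PROXMOXVE_SERVER_PORT:-8006}/api2/json/version"
}
```

Run `find_cert_dir host.domain.tld /var/etc/acme-client/home` on the OPNsense box first; if that already fails, the deploy hook cannot find the certificate either, whatever the token looks like.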