Web UI ACME DNS challenge failed for sub-subdomain


Dec 21, 2020
I am using Proxmox Virtual Environment 6.3-3, and using DuckDNS, for example xyz.duckdns.org.

I want to get a certificate from Let's Encrypt using the web UI of PVE. I am able to create an account and challenge plugin in Datacenter. However, errors occur when I want to order a new certificate for my node (assume it is named "pve01"). In System->Certificate, under ACME, I have added a DNS challenge and selected an account. I clicked "Order Certificates Now" and got the following error:

Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/xxxxxxx/yyyyyyyyyyyy

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/zzzzzzzzzzz'
The validation for pve01.xyz.duckdns.org is pending!
[Mon Dec 21 22:53:16 HKT 2020] Error extracting the domain.
[Mon Dec 21 22:53:16 HKT 2020] Error add txt for domain:_acme-challenge.pve01.xyz.duckdns.org
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup duckdns pve01.xyz.duckdns.org' failed: exit code 1

It is OK if I get the certificate for "xyz.duckdns.org" only; however, I may have "pve01", "pve02", etc.

Have I done something wrong or something unsupported?

The acme.sh plugin does not support subdomains like that directly (I think because DuckDNS doesn't). It might work if you use alias mode and use xyz.duckdns.org as alias domain?

I am not familiar with alias mode and not sure if it is suitable for me. I want to have valid certificates for pve01, pve02, etc., for other computers in the same "domain" xyz.duckdns.org to access.

I suspect that something has changed in the version of acme.sh used in PVE 6.3-3 too, but I cannot confirm. I have used acme.sh on another system and I am able to obtain certificates for, say, pve01.xyz.duckdns.org, pve02.xyz.duckdns.org, etc. As I remember, I played with PVE 6.2 a while ago, and it worked too.

Is there a way for me to fall back to an old version of acme.sh in Proxmox?

No. You can always use your own LE setup and skip the one provided by PVE though, if you want.

Btw, not strictly related to subdomains, but I had some trouble initially requesting a cert using duckdns. The API mentions for using the API:


export DuckDNS_Token="<token>"

However, for the API Data when setting up the ACME DNS plugin on the WebUI, I had to use:


i.e. putting the token in quotes didn't work. After taking out the quotes it worked fine. Just in case anyone else has trouble.