Deploying a certificate to Proxmox doesn't work
Steps to reproduce
Try to deploy a certificate to a Proxmox host. Other services like FritzBox or TrueNAS are running fine.
Debug log
| Time | Source | Message |
|---|---|---|
| 2023-10-10T17:47:57 | opnsense | AcmeClient: running acme.sh deploy hook failed (acme_proxmoxve) |
| 2023-10-10T17:47:57 | opnsense | AcmeClient: cleared recorded deploy deploy hook from acme.sh (/var/etc/acme-client/home/PVE.mydomain.de/PVE.mydomain.de.conf) |
| 2023-10-10T17:47:55 | opnsense | AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --deploy --syslog 7 --debug --server 'letsencrypt' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/certpath/cert.pem' --keypath '/var/etc/acme-client/keys/6certpath/private.key' --capath '/var/etc/acme-client/certs/certpath/chain.pem' --fullchainpath '/var/etc/acme-client/certs/certpath/fullchain.pem' --domain 'PVE.mydomain.de' --deploy-hook proxmoxve |
| 2023-10-10T17:47:55 | opnsense | AcmeClient: running automation (acme.sh): Proxmox cert update |
| 2023-10-10T17:47:54 | opnsense | AcmeClient: running automations for certificate: PVE.mydomain.de |
| 2023-10-10T17:47:16 | opnsense | AcmeClient: running acme.sh deploy hook failed (acme_proxmoxve) |
| 2023-10-10T17:47:16 | opnsense | AcmeClient: cleared recorded deploy deploy hook from acme.sh (/var/etc/acme-client/home/PVE.mydomain.de/PVE.mydomain.de.conf) |
| 2023-10-10T17:47:14 | opnsense | AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --deploy --syslog 7 --debug --server 'letsencrypt' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/certpath/cert.pem' --keypath '/var/etc/acme-client/keys/certpath/private.key' --capath '/var/etc/acme-client/certs/certpath/chain.pem' --fullchainpath '/var/etc/acme-client/certs/certpath/fullchain.pem' --domain 'PVE.mydomain.de' --deploy-hook proxmoxve |
| 2023-10-10T17:47:14 | opnsense | AcmeClient: running automation (acme.sh): Proxmox cert update |
| 2023-10-10T17:47:13 | opnsense | AcmeClient: running automations for certificate: PVE.mydomain.de |
| Time | Source | Message |
|---|---|---|
| 2023-10-10T17:49:16 | acme.sh | [Tue Oct 10 17:49:16 CEST 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L -g --connect-timeout 10' |
| 2023-10-10T17:49:16 | acme.sh | [Tue Oct 10 17:49:16 CEST 2023] timeout=10 |
| 2023-10-10T17:49:16 | acme.sh | [Tue Oct 10 17:49:16 CEST 2023] url='https://dns.google' |
| 2023-10-10T17:49:16 | acme.sh | [Tue Oct 10 17:49:16 CEST 2023] GET |
| 2023-10-10T17:49:16 | acme.sh | [Tue Oct 10 17:49:16 CEST 2023] ret='28' |
| 2023-10-10T17:49:16 | acme.sh | [Tue Oct 10 17:49:15 CEST 2023] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28 |
| 2023-10-10T17:49:05 | acme.sh | [Tue Oct 10 17:49:05 CEST 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L -g --connect-timeout 10' |
| 2023-10-10T17:49:05 | acme.sh | [Tue Oct 10 17:49:05 CEST 2023] timeout=10 |
| 2023-10-10T17:49:05 | acme.sh | [Tue Oct 10 17:49:05 CEST 2023] url='https://cloudflare-dns.com' |
| 2023-10-10T17:49:05 | acme.sh | [Tue Oct 10 17:49:05 CEST 2023] GET |
| 2023-10-10T17:49:05 | acme.sh | [Tue Oct 10 17:49:05 CEST 2023] Detect dns server first. |
| 2023-10-10T17:49:05 | acme.sh | [Tue Oct 10 17:49:05 CEST 2023] No doh |
| 2023-10-10T17:49:05 | acme.sh | [Tue Oct 10 17:49:05 CEST 2023] ret='28' |
| 2023-10-10T17:49:05 | acme.sh | [Tue Oct 10 17:49:05 CEST 2023] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28 |
Please upgrade to the latest code and try again first. Maybe it's already fixed: `acme.sh --upgrade`. If it's still not working, please provide the log with `--debug 2`, otherwise nobody can help you.
Hello @Stephan-4711
I was able to reproduce / find a similar issue.
Please check the following:
- The generated PVE API token must have the `Sys.Modify` privilege. I had to create a role for that and assign it to the token.
- The current PVE certificate must be trusted by OPNsense. I had to copy the certificate manually once to make that work. Perhaps this is a bug in acme.sh 3.0.7, as certificate verification should be switched off (from what I read in the sources).
- You can see acme.sh logs in OPNsense when setting the Log Level in Services > ACME Client > Settings to `debug 2`. The logs will appear in System > Log Files > General on level Notice. If there is something cURL error 60 related, the problem is certificate verification.
- Certificate verification skipping could have been fixed by https://github.com/acmesh-official/acme.sh/commit/00dbc3881fa377646115a237bb12193f13504973. Sadly this commit has not yet made it into a release. Would it be an option to do a new release, @Neilpang?
Also from reading your logs, it could be that your Internet connection is blocked (error code 28 is timeout).
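A small triage helper for the two failure modes discussed in the comment above (curl error 28 is a timeout, curl error 60 is an untrusted peer certificate). This is an added example, not code from the issue, from acme.sh or from the OPNsense plugin; the extra libcurl codes 6, 7 and 35, the hint texts and the sample log lines are my own additions.

```shell
#!/bin/sh
# Added example (not code from the issue, acme.sh or OPNsense): triage a failed
# acme.sh deploy hook from the ret='N' lines in its --debug output.

# Map a libcurl exit code to its cause and the check to run next.
# 28 and 60 are the codes discussed in the thread; 6, 7 and 35 are taken
# from libcurl's error table for completeness.
curl_ret_hint() {
    case "$1" in
        6)  echo "name resolution failed: check DNS resolution from the OPNsense host" ;;
        7)  echo "connection failed: check firewall rules from OPNsense to the PVE API port" ;;
        28) echo "timeout: outbound connection blocked or host unreachable" ;;
        35) echo "TLS handshake failed: check TLS settings on the PVE API" ;;
        60) echo "peer certificate not trusted: import the PVE certificate into the OPNsense trust store" ;;
        *)  echo "unmapped libcurl code $1: see https://curl.haxx.se/libcurl/c/libcurl-errors.html" ;;
    esac
}

# Read acme.sh debug output on stdin, pair each ret='N' with the last url='...'
# logged before it, and print one "url -> hint" line per non-zero ret.
# Returns 0 when no failures were found, 1 otherwise.
diagnose_acme_log() {
    q="'"
    failures=0
    url="(no url logged)"
    while IFS= read -r line; do
        case "$line" in
            *"url=$q"*)
                url=${line#*url=$q}
                url=${url%%$q*}
                ;;
            *"ret=$q"*)
                ret=${line#*ret=$q}
                ret=${ret%%$q*}
                [ "$ret" = "0" ] && continue
                failures=$((failures + 1))
                printf '%s -> %s\n' "$url" "$(curl_ret_hint "$ret")"
                ;;
        esac
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample in the shape of the acme.sh lines quoted in the thread.
SAMPLE_LOG="[Tue Oct 10 17:49:05 CEST 2023] url='https://cloudflare-dns.com'
[Tue Oct 10 17:49:05 CEST 2023] GET
[Tue Oct 10 17:49:05 CEST 2023] ret='28'"
printf '%s\n' "$SAMPLE_LOG" | diagnose_acme_log || echo "deploy hook failure(s) listed above"
```

Feed it the acme.sh lines from System > Log Files > General (with the log level at debug 2) to get one hint per failed request.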
Hi, random user originating from a Google search. I believe I am definitely hitting this bug by trying to use the Proxmox VE acme plugin in OPNsense.
A new release would be nice.
@Neilpang
https://github.com/acmesh-official/acme.sh/releases/tag/3.0.8