I'm trying to copy a letsencrypt cert fetched from OPNSense over to Proxmox. I am doing it using the automations in the acme client plugin.
I set one up, ensured all values are correct, and tried running it.
I see in the logs page
2024-05-06T00:25:02-04:00 opnsense AcmeClient: running automations for certificate: example.com
2024-05-06T00:22:18-04:00 opnsense AcmeClient: running acme.sh deploy hook failed (acme_proxmoxve)
2024-05-06T00:22:18-04:00 opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --deploy --syslog 6 --log-level 1 --server 'letsencrypt' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/5c1886fae0f214.11
When I try to run the command manually, as below, I get the error.
# /usr/local/sbin/acme.sh --deploy --syslog 6 --log-level 1 --server 'letsencrypt' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/5c1886fae0f214.11888858' --certpath '/var/etc/acme-client/certs/5c1886fae0f214.11888858/cert.pem' --keypath '/var/etc/acme-client/keys/5c1886fae0f214.11888858/private.key' --capath '/var/etc/acme-client/certs/5c1886fae0f214.11888858/chain.pem' --fullchainpath '/var/etc/acme-client/certs/5c1886fae0f214.11888858/fullchain.pem' --domain 'cclloyd.com' --deploy-hook proxmoxve
[Mon May 6 00:58:28 EDT 2024] The deploy hook acme_proxmoxve is not found.
(exit 1)
Trying to run it with `--deploy-hook acme_proxmox_ve` also failed.
I'm running OPNSense 24.1.6 and os-acme-client 4.2
Did you write a shell function named acme_proxmoxve and place it in the hooks file?
I have the same problem. I believe this is a bug that will be fixed in the next version of the Acme client:
https://github.com/opnsense/plugins/issues/3613
I also have the same problem. For me, the plugin causes a crash, both when deploying the LE certificate to DSM and to Proxmox.
@julsssark: But the post is from December 2023 :) I still hope that the problem will be fixed, because automation would be a wonderful thing so that you don't have to worry about the LE certificate on all hosts.
I've been watching the Acme github:
https://github.com/acmesh-official/acme.sh
I don't know that project well, but they seem to push out an update every 7 months or so.
My automation to DSM works correctly. I am using the built-in "Upload certificate to Synology DSM action" with HTTPS and a Let's Encrypt certificate.
Hello julsssark.
Can you give me some hints for a working configuration? I got a crash in Opnsense, when I run the automation. I also use the "Upload certificate to Synology DSM action".
Do you also have a special port for HTTPS (not 5001)?
What version of DSM do you have?
What version of OPNsense or the ACME plugin?
Update: Is it possible to run ONLY the automation, or does it only work in combination with updating the certificate?
Thanks a lot for helping me. ;)
Ronny
Hi Ronny.
I am running a pretty standard configuration: using port 5001 with HTTPS, running DSM 7.2.1-69057 Update 5, OPNsense 24.1.8-amd64 and os-acme-client 4.3. The certificate last updated automatically on 04/21/24 and I confirmed that the NAS is using the updated certificate. I just ran the automation manually and the logs are showing a successful completion (exit code 0 in the system log and success in the acme log).
Hello julsssark.
Thank you for your support. I use another port for DSM, and when activating the automation I got a crash report in OPNsense. :-\
There's another way to do this. You can use the os-caddy plugin and reverse proxy the http-01 challenge with it.
Since proxmox can get Let's Encrypt with http-01 challenge directly this is the least "hacky" way.
https://pve.proxmox.com/wiki/Certificate_Management
https://docs.opnsense.org/manual/how-tos/caddy.html#redirect-acme-http-01-challenge
(Creating the handler is optional here; if you don't want to expose the Proxmox web GUI via reverse proxy, just the domain in that example configuration is enough to proxy the challenge.)
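A hand-written Caddyfile that does what the linked os-caddy how-to sets up through the GUI, added here as an illustration; it is not from the original post, the plugin docs, or the Proxmox wiki. Assumed names: pve.example.com is the public hostname of the Proxmox node and 192.168.1.10 is its LAN address; Proxmox's built-in "standalone" ACME plugin answers on port 80 of the node only while a challenge is in progress.

```caddyfile
# Added example, not from the original thread or the os-caddy plugin.
# Assumptions: the node is reachable from the internet as pve.example.com,
# and its LAN address is 192.168.1.10.

# Plain-HTTP site block: the "http://" scheme stops Caddy from requesting
# its own certificate for this name, so only Proxmox asks Let's Encrypt for it.
http://pve.example.com {
	# Let's Encrypt validates http-01 by fetching
	# http://pve.example.com/.well-known/acme-challenge/<token> on port 80.
	# Hand that path to the Proxmox node, whose standalone ACME plugin
	# listens on port 80 while an order is being validated.
	handle /.well-known/acme-challenge/* {
		reverse_proxy 192.168.1.10:80
	}

	# Everything else on plain HTTP gets a 404: the Proxmox web UI stays
	# unexposed unless you add a separate https:// site block for it.
	handle {
		respond 404
	}
}
```

Two things have to be true for this to work: port 80 on the OPNsense WAN must reach Caddy (the plugin's firewall option or your own pass rule), and the ACME account and domain are configured on the Proxmox side with the http-01 "standalone" plugin, as described on the Proxmox wiki page linked above. Nothing is copied between hosts afterwards; Proxmox renews the certificate itself, and the private key never leaves the node.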
Thank you Monviech. I looked a little more closely at the crash report. It is a PHP error, which is discussed on GitHub. Some line should be changed manually. I think I will wait for the fix of the ACME plugin.
Have a nice weekend.
Ronny