ACME Client gives error that deploy hooks are missing

[gogolathome]

When I run the automation commands in the shell I get some more output.
I tried to install certificates on proxmox and synology and on both occasions I get the error of missing deploy hooks. I replaced my domain with example.com and zero-ed the certificate numbers to protect my privacy

Code: [Select]

root@opnsense:~ # /usr/local/sbin/acme.sh --deploy --syslog 7 --debug --server 'letsencrypt' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/00000.00000/cert.pem' --keypath '/var/etc/acme-client/keys/00000.00000/private.key' --capath '/var/etc/acme-client/certs/00000.00000/chain.pem' --fullchainpath '/var/etc/acme-client/certs/00000.00000/fullchain.pem' --domain 'example.com' --deploy-hook synology_dsm
[Thu Aug 31 19:12:40 CEST 2023] Selected server: https://acme-v02.api.letsencrypt.org/directory
[Thu Aug 31 19:12:40 CEST 2023] Lets find script dir.
[Thu Aug 31 19:12:40 CEST 2023] _SCRIPT_='/usr/local/sbin/acme.sh'
[Thu Aug 31 19:12:41 CEST 2023] _script='/usr/local/sbin/acme.sh'
[Thu Aug 31 19:12:41 CEST 2023] _script_home='/usr/local/sbin'
[Thu Aug 31 19:12:41 CEST 2023] Using config home:/var/etc/acme-client/home
https://github.com/acmesh-official/acme.sh
v3.0.6
[Thu Aug 31 19:12:41 CEST 2023] Using server: https://acme-v02.api.letsencrypt.org/directory
[Thu Aug 31 19:12:41 CEST 2023] Running cmd: deploy
[Thu Aug 31 19:12:41 CEST 2023] Using config home:/var/etc/acme-client/home
[Thu Aug 31 19:12:41 CEST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Thu Aug 31 19:12:41 CEST 2023] DOMAIN_PATH='/var/etc/acme-client/home/example.com'
[Thu Aug 31 19:12:41 CEST 2023] The deploy hook synology_dsm is not found.
Could there be something missing in the acme client plugin installation or is it an error on the letsencrypt servers?

[longshot338]

I am having the same issue.  Regardless of whether I use the acme.sh plug-in GUI or command line, I get a failure.  Command line at least tells me that synology_dsm.sh doesn't exist... which it does.  Acme.sh just doesn't seem to know where to look.

[longshot338]

gogolathome and I are the only two people having this problem??  Seems difficult to believe....

[cookiemonster]

Code: [Select]

root@OPNsense:/home/penguin # find / -name 'synology*'
/usr/local/share/examples/acme.sh/deploy/synology_dsm.sh

[longshot338]

Thanks for the info, cookiemonster, but how do we get acme.sh to look there for the file(s)?  I tried using the full path in my command line use of acme.sh, but that didn't work either.  I would really like to set-up everything in the GUI, and allow the triggers to execute things without me having to manually intervene.

[cookiemonster]

My guess is that needs looking up in the acme documentation outside OPN. The GUI would take care of it when using the ACME Client > Automations and then "Upload certificate to Synology DSM" from the drop-down.
I don't use it. Went to see the options on that dropdown and figured if that entry shows there, there should be something in the system, then used find.

[cookiemonster]

https://github.com/acmesh-official/acme.sh/wiki/deployhooks#20-deploy-the-certificate-to-synology-dsm
Hope it helps.

[longshot338]

Thank you, again!  I'll dig through this and give it a shot.  It seems like it is being more difficult than it should be.

[cookiemonster]

that info is for if you wanted to run the command from the shell as per OP.
These or at least some of these hooks are there in the UI, the automations tab.

[ftrojahn]

Thanks for the info, cookiemonster, but how do we get acme.sh to look there for the file(s)?  I tried using the full path in my command line use of acme.sh, but that didn't work either.  I would really like to set-up everything in the GUI, and allow the triggers to execute things without me having to manually intervene.

I have a similar problem: acme with dns and dns-alias seems not to work in Proxmox itself, but in OPNsense.
So I tried to deploy from OPNsense to Proxmox, too, and found this thread.

What I have found:

• we need to copy the deploy dir from examples to the acme-client home:

Code: [Select]

cp -a /usr/local/share/examples/acme.sh/deploy /var/etc/acme-client/home/


• since my PVE node has a self signed cert, the automation fails with:

Code: [Select]

=> Send SSL data, 5 bytes (0x5)
0000: .....
== Info: TLSv1.3 (OUT), TLS alert, unknown CA (560):
=> Send SSL data, 2 bytes (0x2)
0000: .0
== Info: SSL certificate problem: unable to get local issuer certificate
== Info: Closing connection

which means: curl must not check the certificate of the node. To achieve this, I found no other way
than edit acme.sh and add:

Code: [Select]

HTTPS_INSECURE=1

Now, when starting the automation - the GUI says successful. But ... cert wasn't imported, in the pveproxy/access.log
I only see:
"POST /api2/json/nodes/proxhost/certificates/custom HTTP/1.1" 401 -

My api token has the the sys.modify right ... but maybe this is not sufficient. Tried with both pveversion 7.4 and 8.0.4

Did anyone get this to work?

[36thchamber]

need to raise another ticket:
https://github.com/opnsense/plugins/issues/2889
https://github.com/opnsense/plugins/issues/3006
pretty pointless to push certificate when it doesn't exist yet.

perhaps use --insecure parameter to make it propagate everywhere.

also reverse proxy can be set up to tackle this bug.

[FlutteryChicken]

My api token has the the sys.modify right ... but maybe this is not sufficient. Tried with both pveversion 7.4 and 8.0.4

Did anyone get this to work?

I've just gotten this to work with proxmox 7.4, there is a fix in the acme repo but there hasn't been a release since  it went in.

I made the change as seen in this commit https://github.com/acmesh-official/acme.sh/commit/00dbc3881fa377646115a237bb12193f13504973

I didn't copy the files from the example directory.
I update the file "/usr/local/share/examples/acme.sh/deploy/proxmoxve.sh"
with only the change on line 128 and then ran my automations again for the certificate.

So on line 128 instead of having "export _HTTPS_INSECURE=1" I have "export HTTPS_INSECURE=1"