Hi,
Does anyone know what the API data to use in the proxmox acme configuration is to validate domains with desec?
Thanks.
Not sure what you try to achieve, but this is Proxmox related and not deSEC.
https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysadmin_certs_get_trusted_acme_cert
deSEC has nothing to do with it, besides that you need some entries for either the http or dns challenge from letsencrypt.
Keep in mind that you don’t necessarily need official letsencrypt certs.
You could also use self signed certs instead. IMHO easier.
Not a very useful reply above. There are many reasons why using self signed is a bad idea.
Anyway, for future reference, it seems to work if you simply add DEDYN_TOKEN=“token from desec” to the API dialog.
Sorry, totally misunderstood what you are trying to achieve. Glad it works.
Trying to acquire a certificate for my pve (local) instance. Because of that I’m using the DNS challenge. But the process continues to fail:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/2737024881/449346687196
Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz/2737024881/613876603776'
The validation for pve.klesatschke.net is pending!
[Sun Nov 16 20:54:45 CET 2025] Using desec.io api
[Sun Nov 16 20:54:46 CET 2025] Adding record
[Sun Nov 16 20:54:46 CET 2025] Added, OK
Add TXT record: _acme-challenge.pve.klesatschke.net
Sleeping 30 seconds to wait for TXT record propagation
Triggering validation
Sleeping for 5 seconds
[Sun Nov 16 20:55:23 CET 2025] Using desec.io api
[Sun Nov 16 20:55:23 CET 2025] Deleting record
[Sun Nov 16 20:55:24 CET 2025] Deleted, OK
Remove TXT record: _acme-challenge.pve.klesatschke.net
TASK ERROR: validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz/2737024881/613876603776' failed - status: invalid
letsencrypt states “No TXT record found at _acme-challenge.pve.klesatschke.net” but during the 30 seconds sleep I was able to see the record in the deSEC admin UI.
Same happens running certbot on one of the guests.
Anyone have an idea what goes wrong?
Sometimes I have to have a significantly longer wait than 30 seconds; on occasion I’ve had to wait 300 seconds.
Hi kaik, I have had the same issue. The “problem” is that the ACME implementation of Proxmox does not indefinitely try to do it every 30 seconds, but once and then gives up.
My guess would be that just because you saw it on desec, does not mean it was propagated to whatever DNS letsencrypt uses.
Since there is no time pressure, simply set validation delay to 300 seconds and you are good.
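The replies above put the failure down to the TXT record not yet being visible when validation is triggered. One way to measure that delay before picking a validation delay, as an added example that is not code from Proxmox, acme.sh or deSEC: it polls each of the zone's authoritative nameservers with `dig` until all of them serve the record. The nameserver names, record name and token used in `simulate` are constructed placeholders.

```python
import subprocess
import time

def dig_txt(name, server):
    """TXT strings for `name` as answered by one nameserver (needs `dig`)."""
    out = subprocess.run(["dig", "+short", "TXT", name, "@" + server],
                         capture_output=True, text=True, timeout=15).stdout
    return {line.strip().strip('"') for line in out.splitlines() if line.strip()}

def wait_for_txt(name, nameservers, expected=None, query=dig_txt,
                 timeout=300, interval=10, sleep=time.sleep):
    """Poll every nameserver until all of them serve the record.

    Returns the seconds waited, or None if `timeout` passes first. With
    expected=None any TXT value counts; otherwise that exact value must appear.
    """
    waited = 0
    while True:
        lagging = []
        for ns in nameservers:
            values = query(name, ns)
            if not values or (expected is not None and expected not in values):
                lagging.append(ns)
        if not lagging:
            return waited
        if waited >= timeout:
            return None
        sleep(interval)
        waited += interval

def simulate(lag_by_ns, timeout=300, interval=10):
    """Constructed offline run: each fake nameserver serves the record only
    after its lag (in seconds) has elapsed. No DNS traffic is sent."""
    clock = {"now": 0}
    def fake_query(name, ns):
        return {"constructed-token"} if clock["now"] >= lag_by_ns[ns] else set()
    def fake_sleep(seconds):
        clock["now"] += seconds
    return wait_for_txt("_acme-challenge.host.example", list(lag_by_ns),
                        expected="constructed-token", query=fake_query,
                        timeout=timeout, interval=interval, sleep=fake_sleep)

if __name__ == "__main__":
    # Constructed case: one nameserver answers at once, the other lags 45 s.
    print(simulate({"ns1.example": 0, "ns2.example": 45}))
```

For a live measurement, call `wait_for_txt` with the real `_acme-challenge` name and the zone's nameservers while the record is in place; a `None` result means the record was still missing on at least one nameserver when the timeout ran out.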