opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

security/acme-client: ProxmoxVE automation exit code 0 #4267

Closed hpeter1994 closed 1 month ago

hpeter1994 commented 2 months ago


Describe the bug
acme-client fails with exit code 0 when trying to deploy certificates to Proxmox.

If I try to manually run the command from the shell with debug level 3, I get a "The deploy hook proxmoxve was not found." error.

To Reproduce
Steps to reproduce the behavior:
1. Set up an automation with Run Command "Upload certificate to Proxmox VE".
2. Add the newly created automation to a certificate that is already issued.
3. "Run automations" for the certificate in the certificate list.

Expected behavior
Certificate deploys without errors.

Relevant log files
WebGUI error:

```
AcmeClient: AcmeClient: The shell command returned exit code '0': '/usr/local/sbin/acme.sh --deploy --syslog 9 --debug 3 --server 'letsencrypt' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/66d47f9152a648.34122327' --certpath '/var/etc/acme-client/certs/66d47f9152a648.34122327/cert.pem' --keypath '/var/etc/acme-client/keys/66d47f9152a648.34122327/private.key' --capath '/var/etc/acme-client/certs/66d47f9152a648.34122327/chain.pem' --fullchainpath '/var/etc/acme-client/certs/66d47f9152a648.34122327/fullchain.pem' --domain '*.home.mydomain.com' --deploy-hook proxmoxve'
```

Manual shell log:

```
root@opnsense:~ # /usr/local/sbin/acme.sh --deploy --syslog 9 --debug 3 --server 'letsencrypt' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/66d47f9152a648.34122327' --certpath '/var/etc/acme-client/certs/66d47f9152a648.34122327/cert.pem' --keypath '/var/etc/acme-client/keys/66d47f9152a648.34122327/private.key' --capath '/var/etc/acme-client/certs/66d47f9152a648.34122327/chain.pem' --fullchainpath '/var/etc/acme-client/certs/66d47f9152a648.34122327/fullchain.pem' --domain '*.home.mydomain.com' --deploy-hook proxmoxve
[Sat Sep 28 20:16:17 CEST 2024] _is_idn_d='*.home.mydomain.com'
[Sat Sep 28 20:16:17 CEST 2024] _idn_temp
[Sat Sep 28 20:16:17 CEST 2024] _selectServer try snames='zerossl.com,zerossl'
[Sat Sep 28 20:16:17 CEST 2024] _selectServer try snames='letsencrypt.org,letsencrypt'
[Sat Sep 28 20:16:17 CEST 2024] _selectServer match letsencrypt
[Sat Sep 28 20:16:17 CEST 2024] Selected server: https://acme-v02.api.letsencrypt.org/directory
[Sat Sep 28 20:16:17 CEST 2024] readlink exists=0
[Sat Sep 28 20:16:17 CEST 2024] dirname exists=0
[Sat Sep 28 20:16:17 CEST 2024] Let's find the script directory.
[Sat Sep 28 20:16:17 CEST 2024] SCRIPT='/usr/local/sbin/acme.sh'
[Sat Sep 28 20:16:17 CEST 2024] _script='/usr/local/sbin/acme.sh'
[Sat Sep 28 20:16:17 CEST 2024] _script_home='/usr/local/sbin'
[Sat Sep 28 20:16:17 CEST 2024] Using config home: /var/etc/acme-client/home
[Sat Sep 28 20:16:17 CEST 2024] ACCOUNT_CONF_PATH='/var/etc/acme-client/home/account.conf'
[Sat Sep 28 20:16:17 CEST 2024] logger exists=0
[Sat Sep 28 20:16:17 CEST 2024] OK
[Sat Sep 28 20:16:17 CEST 2024] 2:SYS_LOG='9'
[Sat Sep 28 20:16:17 CEST 2024] LE_WORKING_DIR='/var/etc/acme-client/home'
https://github.com/acmesh-official/acme.sh v3.0.8
[Sat Sep 28 20:16:17 CEST 2024] Using server: https://acme-v02.api.letsencrypt.org/directory
[Sat Sep 28 20:16:17 CEST 2024] Running cmd: deploy
[Sat Sep 28 20:16:17 CEST 2024] Using config home: /var/etc/acme-client/home
[Sat Sep 28 20:16:17 CEST 2024] ACCOUNT_CONF_PATH='/var/etc/acme-client/home/account.conf'
[Sat Sep 28 20:16:17 CEST 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Sep 28 20:16:17 CEST 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sat Sep 28 20:16:17 CEST 2024] _ACME_SERVER_PATH='directory'
[Sat Sep 28 20:16:17 CEST 2024] CA_CONF='/var/etc/acme-client/home/ca/acme-v02.api.letsencrypt.org/directory/ca.conf'
[Sat Sep 28 20:16:17 CEST 2024] DOMAIN_PATH='/var/etc/acme-client/cert-home/66d47f9152a648.34122327/*.home.mydomain.com'
[Sat Sep 28 20:16:17 CEST 2024] DOMAIN_CONF='/var/etc/acme-client/cert-home/66d47f9152a648.34122327/*.home.mydomain.com/*.home.mydomain.com.conf'
[Sat Sep 28 20:16:17 CEST 2024] OK
[Sat Sep 28 20:16:17 CEST 2024] 25:Le_DeployHook='proxmoxve,'
[Sat Sep 28 20:16:17 CEST 2024] The deploy hook proxmoxve was not found.
```

Environment

OPNsense 24.7.5-amd64
os-acme-client 4.5
acme.sh 3.0.8

fraenki commented 2 months ago

> Steps to reproduce the behavior:

Please provide the logs for this.

> If I try to manually run the command from the shell with debug level 3, I get a "The deploy hook proxmoxve was not found." error

This is expected. You shouldn't do this. Running acme.sh from the command line is unsupported and may break your configuration.

hpeter1994 commented 1 month ago

System log:

```
2024-09-30T20:20:11 opnsense AcmeClient: AcmeClient: The shell command returned exit code '0': '/usr/local/sbin/acme.sh --deploy --syslog 9 --debug 3 --server 'letsencrypt' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/66d47f9152a648.34122327' --certpath '/var/etc/acme-client/certs/66d47f9152a648.34122327/cert.pem' --keypath '/var/etc/acme-client/keys/66d47f9152a648.34122327/private.key' --capath '/var/etc/acme-client/certs/66d47f9152a648.34122327/chain.pem' --fullchainpath '/var/etc/acme-client/certs/66d47f9152a648.34122327/fullchain.pem' --domain '*.home.mydomain.com' --deploy-hook proxmoxve'
2024-09-30T20:20:09 opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --deploy --syslog 9 --debug 3 --server 'letsencrypt' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/66d47f9152a648.34122327' --certpath '/var/etc/acme-client/certs/66d47f9152a648.34122327/cert.pem' --keypath '/var/etc/acme-client/keys/66d47f9152a648.34122327/private.key' --capath '/var/etc/acme-client/certs/66d47f9152a648.34122327/chain.pem' --fullchainpath '/var/etc/acme-client/certs/66d47f9152a648.34122327/fullchain.pem' --domain '*.home.mydomain.com' --deploy-hook proxmoxve
2024-09-30T20:20:09 opnsense AcmeClient: running automation (acme.sh): Proxmox
2024-09-30T20:20:09 opnsense AcmeClient: running automations for certificate: *.home.mydomain.com
```

ACME Log (debug 3):

```
2024-09-30T20:20:11 acme.sh [Mon Sep 30 20:20:11 CEST 2024] Success
2024-09-30T20:20:11 acme.sh [Mon Sep 30 20:20:11 CEST 2024] _ret='0'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.APG2UcBudH -g --insecure '
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] wget exists=127
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] mktemp exists=0
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] curl exists=0
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] _postContentType='application/json'
"certificates": "-----BEGIN CERTIFICATE-----\nMIIGHTCCBQWgAwIBAgISA5/KMNSlVS8Nx7IrLUAlUa10MA0GCSqGSIb3DQEBCwUA\nMDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeX[SHORTENED]
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] body='{
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] _post_url='https://proxmox.mgmt.home.mydomain.com:8006/api2/json/nodes/proxmox/certificates/custom'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] POST
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] Push certificates to server
"certificates": "-----BEGIN CERTIFICATE-----\nMIIGHTCCBQWgAwIBAgISA5/KMNSlVS8Nx7IrLUAlUa10MA0GCSqGSIb3DQEBCwUA\nMDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeX[SHORTENED]
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] Payload='{
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] Auth Header='root@pam!acme=4218c0a9-xxxx-xxxx-xxxx-0ab4010xxxx0'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] DEPLOY_PROXMOXVE_API_TOKEN_KEY='4218c0a9-xxxx-xxxx-xxxx-0ab4010xxxx0'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] 32:SAVED_DEPLOY_PROXMOXVE_API_TOKEN_KEY='4218c0a9-xxxx-xxxx-xxxx-0ab4010xxxx0'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] OK
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] DEPLOY_PROXMOXVE_API_TOKEN_NAME='acme'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] 31:SAVED_DEPLOY_PROXMOXVE_API_TOKEN_NAME='acme'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] 31:SAVED_DEPLOY_PROXMOXVE_API_TOKEN_NAME='acme'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] OK
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] DEPLOY_PROXMOXVE_USER_REALM='pam'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] 30:SAVED_DEPLOY_PROXMOXVE_USER_REALM='pam'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] OK
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] DEPLOY_PROXMOXVE_USER='root'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] 29:SAVED_DEPLOY_PROXMOXVE_USER='root'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] OK
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] TARGET_URL='https://proxmox.mgmt.home.mydomain.com:8006/api2/json/nodes/proxmox/certificates/custom'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] DEPLOY_PROXMOXVE_NODE_NAME='proxmox'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] 28:SAVED_DEPLOY_PROXMOXVE_NODE_NAME='proxmox'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] OK
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] DEPLOY_PROXMOXVE_SERVER_PORT='8006'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] 27:SAVED_DEPLOY_PROXMOXVE_SERVER_PORT='8006'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] OK
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] DEPLOY_PROXMOXVE_SERVER='proxmox.mgmt.home.mydomain.com'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] 26:SAVED_DEPLOY_PROXMOXVE_SERVER='proxmox.mgmt.home.mydomain.com'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] OK
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] _cfullchain='/var/etc/acme-client/cert-home/66d47f9152a648.34122327/*.home.mydomain.com/fullchain.cer'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] _cca='/var/etc/acme-client/cert-home/66d47f9152a648.34122327/*.home.mydomain.com/ca.cer'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] _ccert='/var/etc/acme-client/cert-home/66d47f9152a648.34122327/*.home.mydomain.com/*.home.mydomain.com.cer'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] _ckey='/var/etc/acme-client/cert-home/66d47f9152a648.34122327/*.home.mydomain.com/*.home.mydomain.com.key'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] _cdomain='*.home.mydomain.com'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] proxmoxve_deploy exists=0
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] _deployApi='/usr/local/share/examples/acme.sh/deploy/proxmoxve.sh'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] 25:Le_DeployHook='proxmoxve,'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] OK
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] DOMAIN_CONF='/var/etc/acme-client/cert-home/66d47f9152a648.34122327/*.home.mydomain.com/*.home.mydomain.com.conf'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] DOMAIN_PATH='/var/etc/acme-client/cert-home/66d47f9152a648.34122327/*.home.mydomain.com'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] CA_CONF='/var/etc/acme-client/home/ca/acme-v02.api.letsencrypt.org/directory/ca.conf'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] _ACME_SERVER_PATH='directory'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] ACCOUNT_CONF_PATH='/var/etc/acme-client/home/account.conf'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] Using config home: /var/etc/acme-client/home
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] Running cmd: deploy
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] Using server: https://acme-v02.api.letsencrypt.org/directory
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] LE_WORKING_DIR='/var/etc/acme-client/home'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] 2:SYS_LOG='9'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] OK
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] logger exists=0
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] ACCOUNT_CONF_PATH='/var/etc/acme-client/home/account.conf'
```

Okay, it seems like I managed to jump the gun with the bug report. I got an exit code 0 and assumed an error (other automations do not return anything, so that's what was misleading me). There were no usable log messages, so I went to try it out in the console (should not have done that, by the looks of it) and got an error that led me down a rabbit hole.

Although I could have sworn it did not work yesterday, today it copied the cert without issues. Closing the issue.
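An added triage helper for the debug-level output quoted in this thread (example code, not part of the os-acme-client plugin or acme.sh): it parses the "ACME Log (debug 3)" line format shown above, reports whether the run ended in acme.sh's `Success` / `_ret='0'` (which is what the plugin's "returned exit code '0'" message corresponds to) or in the "deploy hook ... was not found" error that a manual shell run produces, and scrubs the Proxmox VE API token that debug level 3 writes into `Auth Header=`, `DEPLOY_PROXMOXVE_API_TOKEN_KEY=` and its `SAVED_` copy before an excerpt is pasted into a public report. The sample log lines, the token value and the variable-name patterns treated as secrets are constructed assumptions, not taken from either project.

```python
"""Triage helper for acme.sh deploy logs as shown by the OPNsense acme-client plugin.

Added example, not part of os-acme-client or acme.sh: parses the debug-3 log
lines, classifies the outcome, and redacts credentials before sharing.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the excerpt in the report (newest entry first,
# as the OPNsense log viewer lists them). The token value is a made-up
# placeholder, not a real credential.
SAMPLE_LOG = """\
2024-09-30T20:20:11 acme.sh [Mon Sep 30 20:20:11 CEST 2024] Success
2024-09-30T20:20:11 acme.sh [Mon Sep 30 20:20:11 CEST 2024] _ret='0'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] Auth Header='root@pam!acme=00000000-1111-2222-3333-444444444444'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] DEPLOY_PROXMOXVE_API_TOKEN_KEY='00000000-1111-2222-3333-444444444444'
2024-09-30T20:20:10 acme.sh [Mon Sep 30 20:20:10 CEST 2024] 32:SAVED_DEPLOY_PROXMOXVE_API_TOKEN_KEY='00000000-1111-2222-3333-444444444444'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] _deployApi='/usr/local/share/examples/acme.sh/deploy/proxmoxve.sh'
2024-09-30T20:20:09 acme.sh [Mon Sep 30 20:20:09 CEST 2024] 25:Le_DeployHook='proxmoxve,'
"""

# <ISO timestamp> acme.sh [<acme.sh's own timestamp>] <message>
ENTRY_RE = re.compile(r"^(\S+) acme\.sh \[([^\]]+)\] (.*)$")

# Variables whose values are credentials in acme.sh debug output. Assumption: the
# proxmoxve hook's *_API_TOKEN_KEY plus the common *_PASSWORD / *_SECRET style;
# an optional "NN:" prefix and "SAVED_" copy appear in the log as shown above.
SECRET_VAR_RE = re.compile(
    r"((?:\d+:)?(?:SAVED_)?\w*(?:TOKEN_KEY|PASSWORD|SECRET|API_KEY)\w*=')[^']*(')"
)
# 'Auth Header' holds user@realm!tokenname=<key>; keep the identity, drop the key.
AUTH_HEADER_RE = re.compile(r"(Auth Header='[^']*=)[^']*(')")


@dataclass
class Entry:
    stamp: str
    message: str


def parse_entries(text: str) -> List[Entry]:
    """Split the log into (timestamp, message) entries; continuation lines
    without a timestamp (e.g. the JSON body fragments) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(stamp=m.group(1), message=m.group(3)))
    return entries


def redact(message: str) -> str:
    """Replace credential values so the line is safe to paste into a public issue."""
    message = SECRET_VAR_RE.sub(r"\1<REDACTED>\2", message)
    return AUTH_HEADER_RE.sub(r"\1<REDACTED>\2", message)


def deploy_hook(entries: List[Entry]) -> Optional[str]:
    """Name of the configured deploy hook (acme.sh stores it with a trailing comma)."""
    for e in entries:
        m = re.search(r"Le_DeployHook='([^']*)'", e.message)
        if m:
            return m.group(1).rstrip(",")
    return None


def classify(entries: List[Entry]) -> str:
    """'success' when acme.sh reported Success / _ret='0'; 'hook-missing' when the
    deploy hook could not be resolved (what a manual shell run produces without the
    plugin's environment); otherwise 'unknown'."""
    msgs = [e.message for e in entries]
    if any(re.match(r"The deploy hook \S+ was not found\.", m) for m in msgs):
        return "hook-missing"
    if any(m in ("Success", "_ret='0'") for m in msgs):
        return "success"
    return "unknown"


def safe_excerpt(text: str) -> str:
    """Redacted copy of the log, one entry per line, ready to attach to a report."""
    return "\n".join(f"{e.stamp} {redact(e.message)}" for e in parse_entries(text))


if __name__ == "__main__":
    # Optional argument: path to a saved log; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    entries = parse_entries(text)
    print("hook:", deploy_hook(entries), "outcome:", classify(entries))
    print(safe_excerpt(text))
```

Run it over a log saved from the plugin's log view (`python3 triage.py acme.log`) and attach only the printed, redacted excerpt; the classification makes the two outcomes in this thread visually distinct without reading sixty lines by hand.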

fraenki commented 1 month ago

Thanks for providing feedback.