[step-ca] Internal Server Error using ACME

[Phenix66]

✅ Have you read and understood the above guidelines?

yes

🔎 Did you run the script with verbose mode enabled?

Yes, verbose mode was enabled and the output is included below

📜 What is the name of the script you are using?

step-ca

📂 What was the exact command used to execute the script?

bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/step-ca.sh)"

⚙️ What settings are you using?

• Default Settings
• Advanced Settings

🖥️ Which Linux distribution are you using?

Debian 13

🧱 Is this Proxmox host running arm64?

No

📈 Which Proxmox version are you on?

pve-manager/9.2.2/b9984c6d90a4bd80 (running kernel: 7.0.2-6-pve)

📝 Provide a clear and concise description of the issue.

When an ACME client attempts to order certificates, the server throws an error error applying certificate template: cannot unmarshal array at offset 2 into Go value of type string"

🔄 Steps to reproduce the issue.

1. Install step-ca using the script
   1. I used Advanced Mode only because I need to assign a VLAN
   2. For the prompts from step-ca-install.sh, I accepted the defaults except for Country (set to US) and ACME provisioner name (set to acme)
2. Configure the Proxmox server to use step-ca as the default ACME account

   pvenode acme account register default pki@$(hostname -d) --directory https://<ip address of step-ca lxc>/acme/acme/directory
   

3. Add your domains for Proxmox (node -> System -> Certificates)
4. Click "Order Certificates Now"

I did not customize step-ca in any way after installation. I believe this to be an issue with the install script due to the nature of the error message referencing a templating issue and the step-ca-install.sh script installing some additional template files.

❌ Paste the full error output (if available).

Proxmox order certificate output (IP addresses redacted):

Loading ACME account details
Placing ACME order
Order URL: https://STEP-CA-IP-ADDRESS/acme/acme/order/9hmQaifWupFMzPjNNE88mmuPNIkBocrF

Getting authorization details from 'https://STEP-CA-IP-ADDRESS/acme/acme/authz/FYVqjaoROnjFnLReeXJickunxlv6kjKW'
The validation for proxmox.internal is pending!
Setting up webserver
Triggering validation
Sleeping for 5 seconds
Status is 'valid', domain 'proxmox.internal' OK!

All domains validated!

Creating CSR
Checking order status
Order is ready, finalizing order
TASK ERROR: Error: POST to https://STEP-CA-IP-ADDRESS/acme/acme/order/9hmQaifWupFMzPjNNE88mmuPNIkBocrF/finalize {"type":"urn:ietf:params:acme:error:serverInternal","detail":"The server experienced an internal error"} 

step-ca logs (IP addresses redacted):

May 30 10:24:45 step-ca step-ca[6598]: time="2026-05-30T10:24:45-04:00" level=info duration="31.03µs" duration-ns=31030 fields.time="2026-05-30T10:24:45-04:00" method=GET name=ca path=/acme/acme/directory protocol=HTTP/1.1 referer= remote-address=PROXMOX-IP-ADDRESS request-id=f00a34d4-8fca-4141-9274-887a01825875 response="{\"newNonce\":\"https://STEP-CA-IP-ADDRESS/acme/acme/new-nonce\",\"newAccount\":\"https://STEP-CA-IP-ADDRESS/acme/acme/new-account\",\"newOrder\":\"https://STEP-CA-IP-ADDRESS/acme/acme/new-order\",\"revokeCert\":\"https://STEP-CA-IP-ADDRESS/acme/acme/revoke-cert\",\"keyChange\":\"https://STEP-CA-IP-ADDRESS/acme/acme/key-change\"}" size=282 status=200 user-agent=pve-acme/0.1 user-id=
May 30 10:24:45 step-ca step-ca[6598]: time="2026-05-30T10:24:45-04:00" level=info duration=5.370739ms duration-ns=5370739 fields.time="2026-05-30T10:24:45-04:00" method=GET name=ca nonce=MEFrTnYwZzU0Q01uVWNUSFlmc2hkQjRGN0NoYTE2Ukw path=/acme/acme/new-nonce protocol=HTTP/1.1 referer= remote-address=PROXMOX-IP-ADDRESS request-id=8cd60589-3aa7-404d-bfa5-9a6b3ebe7054 size=0 status=204 user-agent=pve-acme/0.1 user-id=
May 30 10:24:45 step-ca step-ca[6598]: time="2026-05-30T10:24:45-04:00" level=info duration=46.514895ms duration-ns=46514895 fields.time="2026-05-30T10:24:45-04:00" method=POST name=ca nonce=bzlVZ3lPdExRc2lwOXc1cEhlSVU5TDV0RGNhaGViSHQ path=/acme/acme/new-order protocol=HTTP/1.1 referer= remote-address=PROXMOX-IP-ADDRESS request-id=0801b15a-2d36-40ae-bfe1-76ba8be9a924 response="{\"id\":\"9hmQaifWupFMzPjNNE88mmuPNIkBocrF\",\"status\":\"pending\",\"expires\":\"2026-05-31T14:24:45Z\",\"identifiers\":[{\"type\":\"dns\",\"value\":\"proxmox.internal\"}],\"notBefore\":\"2026-05-30T14:23:45Z\",\"notAfter\":\"2026-06-06T14:24:45Z\",\"authorizations\":[\"https://STEP-CA-IP-ADDRESS/acme/acme/authz/FYVqjaoROnjFnLReeXJickunxlv6kjKW\"],\"finalize\":\"https://STEP-CA-IP-ADDRESS/acme/acme/order/9hmQaifWupFMzPjNNE88mmuPNIkBocrF/finalize\"}" size=404 status=201 user-agent=pve-acme/0.1 user-id=
May 30 10:24:45 step-ca step-ca[6598]: time="2026-05-30T10:24:45-04:00" level=info duration=12.060326ms duration-ns=12060326 fields.time="2026-05-30T10:24:45-04:00" method=POST name=ca nonce=QXVsU1NOVjZEbWQwVzFGMUdFaEtuU2FMbHo4WUdic3o path=/acme/acme/authz/FYVqjaoROnjFnLReeXJickunxlv6kjKW protocol=HTTP/1.1 referer= remote-address=PROXMOX-IP-ADDRESS request-id=d94abb51-0aa9-45f4-811d-0a8023887c76 response="{\"identifier\":{\"type\":\"dns\",\"value\":\"proxmox.internal\"},\"status\":\"pending\",\"challenges\":[{\"type\":\"dns-01\",\"status\":\"pending\",\"token\":\"zEv40lvivvBqO1FtAQjojqEvrGkdw5PU\",\"url\":\"https://STEP-CA-IP-ADDRESS/acme/acme/challenge/FYVqjaoROnjFnLReeXJickunxlv6kjKW/XxXYCYP6xSK1ZBw6YYXrlWq9g63ngKu4\"},{\"type\":\"http-01\",\"status\":\"pending\",\"token\":\"zEv40lvivvBqO1FtAQjojqEvrGkdw5PU\",\"url\":\"https://STEP-CA-IP-ADDRESS/acme/acme/challenge/FYVqjaoROnjFnLReeXJickunxlv6kjKW/MRyfT0kYnl9UEUeytDlAOI3pVbnFE2Ss\"},{\"type\":\"tls-alpn-01\",\"status\":\"pending\",\"token\":\"zEv40lvivvBqO1FtAQjojqEvrGkdw5PU\",\"url\":\"https://STEP-CA-IP-ADDRESS/acme/acme/challenge/FYVqjaoROnjFnLReeXJickunxlv6kjKW/cDERnUZyV14dhPHQv9UrGA3t34mIHlji\"}],\"wildcard\":false,\"expires\":\"2026-05-31T14:24:45Z\"}" size=732 status=200 user-agent=pve-acme/0.1 user-id=
May 30 10:24:46 step-ca step-ca[6598]: time="2026-05-30T10:24:46-04:00" level=info duration=19.788956ms duration-ns=19788956 fields.time="2026-05-30T10:24:45-04:00" method=POST name=ca nonce=WHVNYkdQbFQ0T0xQRjhXMWJlbkcxYXR6dGtWYkhNMVU path=/acme/acme/challenge/FYVqjaoROnjFnLReeXJickunxlv6kjKW/MRyfT0kYnl9UEUeytDlAOI3pVbnFE2Ss protocol=HTTP/1.1 referer= remote-address=PROXMOX-IP-ADDRESS request-id=db459b28-7877-4ceb-a2db-da395ef0dd3a response="{\"type\":\"http-01\",\"status\":\"valid\",\"token\":\"zEv40lvivvBqO1FtAQjojqEvrGkdw5PU\",\"validated\":\"2026-05-30T14:24:46Z\",\"url\":\"https://STEP-CA-IP-ADDRESS/acme/acme/challenge/FYVqjaoROnjFnLReeXJickunxlv6kjKW/MRyfT0kYnl9UEUeytDlAOI3pVbnFE2Ss\"}" size=229 status=200 user-agent=pve-acme/0.1 user-id=
May 30 10:24:51 step-ca step-ca[6598]: time="2026-05-30T10:24:51-04:00" level=info duration=23.099047ms duration-ns=23099047 fields.time="2026-05-30T10:24:51-04:00" method=POST name=ca nonce=UU1wOHQ2QmRzVnh5ZEs1MTNJNDhvOTRCRkRVRklPQ1g path=/acme/acme/authz/FYVqjaoROnjFnLReeXJickunxlv6kjKW protocol=HTTP/1.1 referer= remote-address=PROXMOX-IP-ADDRESS request-id=e1de5aa9-adba-4e41-8e01-9a5ae67530ca response="{\"identifier\":{\"type\":\"dns\",\"value\":\"proxmox.internal\"},\"status\":\"valid\",\"challenges\":[{\"type\":\"dns-01\",\"status\":\"pending\",\"token\":\"zEv40lvivvBqO1FtAQjojqEvrGkdw5PU\",\"url\":\"https://STEP-CA-IP-ADDRESS/acme/acme/challenge/FYVqjaoROnjFnLReeXJickunxlv6kjKW/XxXYCYP6xSK1ZBw6YYXrlWq9g63ngKu4\"},{\"type\":\"http-01\",\"status\":\"valid\",\"token\":\"zEv40lvivvBqO1FtAQjojqEvrGkdw5PU\",\"validated\":\"2026-05-30T14:24:46Z\",\"url\":\"https://STEP-CA-IP-ADDRESS/acme/acme/challenge/FYVqjaoROnjFnLReeXJickunxlv6kjKW/MRyfT0kYnl9UEUeytDlAOI3pVbnFE2Ss\"},{\"type\":\"tls-alpn-01\",\"status\":\"pending\",\"token\":\"zEv40lvivvBqO1FtAQjojqEvrGkdw5PU\",\"url\":\"https://STEP-CA-IP-ADDRESS/acme/acme/challenge/FYVqjaoROnjFnLReeXJickunxlv6kjKW/cDERnUZyV14dhPHQv9UrGA3t34mIHlji\"}],\"wildcard\":false,\"expires\":\"2026-05-31T14:24:45Z\"}" size=763 status=200 user-agent=pve-acme/0.1 user-id=
May 30 10:24:51 step-ca step-ca[6598]: time="2026-05-30T10:24:51-04:00" level=info duration=21.515986ms duration-ns=21515986 fields.time="2026-05-30T10:24:51-04:00" method=POST name=ca nonce=MFl1RDd5SFpEaTFJQXNWRnZ1M2cwc1dzT1NiSGJ5VUI path=/acme/acme/order/9hmQaifWupFMzPjNNE88mmuPNIkBocrF protocol=HTTP/1.1 referer= remote-address=PROXMOX-IP-ADDRESS request-id=839efbcf-785f-408b-ae23-b13456f4d53e response="{\"id\":\"9hmQaifWupFMzPjNNE88mmuPNIkBocrF\",\"status\":\"ready\",\"expires\":\"2026-05-31T14:24:45Z\",\"identifiers\":[{\"type\":\"dns\",\"value\":\"proxmox.internal\"}],\"notBefore\":\"2026-05-30T14:23:45Z\",\"notAfter\":\"2026-06-06T14:24:45Z\",\"authorizations\":[\"https://STEP-CA-IP-ADDRESS/acme/acme/authz/FYVqjaoROnjFnLReeXJickunxlv6kjKW\"],\"finalize\":\"https://STEP-CA-IP-ADDRESS/acme/acme/order/9hmQaifWupFMzPjNNE88mmuPNIkBocrF/finalize\"}" size=402 status=200 user-agent=pve-acme/0.1 user-id=
May 30 10:24:51 step-ca step-ca[6598]: time="2026-05-30T10:24:51-04:00" level=error duration=13.179674ms duration-ns=13179674 error="error finalizing order: error signing certificate for order 9hmQaifWupFMzPjNNE88mmuPNIkBocrF: error applying certificate template: cannot unmarshal array at offset 2 into Go value of type string" fields.time="2026-05-30T10:24:51-04:00" method=POST name=ca nonce=TFczVmV4bElmRzhlMmp3cGxnY0ExV2hYQzhTb2hvM2o path=/acme/acme/order/9hmQaifWupFMzPjNNE88mmuPNIkBocrF/finalize protocol=HTTP/1.1 referer= remote-address=PROXMOX-IP-ADDRESS request-id=b5966ec2-89d2-4666-8829-b8ce1595452e response="{\"type\":\"urn:ietf:params:acme:error:serverInternal\",\"detail\":\"The server experienced an internal error\"}" size=105 status=500 user-agent=pve-acme/0.1 user-id=

🖼️ Additional context (optional).

No response

[MickLesk]

@heinemannj

[heinemannj]

@Phenix66

Have you followed below?

#11504 - Chapter: PROXMOX VE Node

[Phenix66]

@Phenix66

Have you followed below?

#11504 - Chapter: PROXMOX VE Node

I didn't use those steps exactly (didn't realize they finally added Custom to the GUI, I'm used to having to add a non-Lets Encrypt server via the shell) but I went ahead and removed my existing config and ran through the steps exactly as written. No difference, same error as before.

[tp199314]

I am experiencing the same error.

[MickLesk]

@heinemannj any progress here? Otherwise we disable the script from website

[heinemannj]

@tp199314, @Phenix66:

Please provide

• a complete and detailed listing of all of your step-ca provisioners,
• the exact entries you have configured within Proxmox VE GUI and
• RTFM ...

#11504

@MickLesk : do the needful ...

[Phenix66]

@heinemannj I don't feel the RTFM comment was necessary when I already replied to your first comment stating that I can follow the steps EXACTLY and receive the same error. Regardless, here is the info you requested:

{
  "provisioners": [
    {
      "type": "SSHPOP",
      "name": "sshpop",
      "claims": {
        "enableSSHCA": true
      }
    },
    {
      "type": "JWK",
      "name": "pki@home.lab",
      "key": {
        "use": "sig",
        "kty": "EC",
        "kid": "ZVpRTS5js-8XUwOav5tjJTFNU6GS2uU7jTeaUpYiXyY",
        "crv": "P-256",
        "alg": "ES256",
        "x": "f-I6oR_V40sz4reRv77mF-s33dNsuhGDfpJ3T2Dm8D0",
        "y": "NFyJ4tA7at1bAd9A1SLVQ3OO6S-6hD-JUgPnyqVR4aU"
      },
      "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoib1d6N3A3S1M1Y0tpaXRHVkZoZjVVdyJ9.Gc-LlvBF-keDvDN1YYx_7vT5WQldOY7ADjkePaK11Y5cC-fq6BW9og.KDYitll7-RrrB84T.bRilsz5G7gbtKO09-D65RFhsm9WV6NzNzZu4zMzJcQXtvdejla886KPupfnWNkMUs5GtjFm98osPmn-2pC6M48hnVHgA_ng_karflw6Osxvbx-tajpqi-QhoT1V5Hfsq5k3z1EstnmZaveW4Fv4iw-n0BwMAeHKZm2DJdNALOfOlV4tuAbj_iGFt_Bo27aZwZoSFaXUXAoK7bmolsCX-PzOsywiULuDSkJUcTlJQWdTMekTd-Mf6M--cL514uM430-Jfcd8uiBFrqC0xHYI0V1k27drfk_QWP8TolLJ4K234pAnyTbXmwJNGJ15oGfvlFrrjNCIQCYj8nQWly98.bavqRIZ__a0Thv_vr0_wuw",
      "claims": {
        "minTLSCertDuration": "48h0m0s",
        "maxTLSCertDuration": "87600h0m0s",
        "defaultTLSCertDuration": "168h0m0s",
        "enableSSHCA": true,
        "disableRenewal": false,
        "allowRenewalAfterExpiry": true,
        "disableSmallstepExtensions": false
      },
      "options": {
        "x509": {
          "template": "{\n\t\"subject\": {\n{{- if .Insecure.User.Country }}\n\t\t\"country\": {{ toJson .Insecure.User.country }},\n{{- else }}\n\t\t\"country\": {{ toJson .country }},\n{{- end }}\n{{- if .Insecure.User.organization }}\n\t\t\"organization\": {{ toJson .Insecure.User.organization }},\n{{- else }}\n\t\t\"organization\": {{ toJson .organization }},\n{{- end }}\n{{- if .Insecure.User.organizationalUnit }}\n\t\t\"organizationalUnit\": {{ toJson .Insecure.User.organizationalUnit }},\n{{- else }}\n\t\t\"organizationalUnit\": {{ toJson .organizationalUnit }},\n{{- end }}\n\t\t\"commonName\": {{ toJson .Subject.CommonName }}\n\t},\n\t\"sans\": {{ toJson .SANs }},\n{{- if typeIs \"*rsa.PublicKey\" .Insecure.CR.PublicKey }}\n\t\"keyUsage\": [\"keyEncipherment\", \"digitalSignature\"],\n{{- else }}\n\t\"keyUsage\": [\"digitalSignature\"],\n{{- end }}\n\t\"extKeyUsage\": [\"serverAuth\", \"clientAuth\"],\n{{- if .Insecure.User.issuingCertificateURL }}\n\t\"issuingCertificateURL\": [{{ toJson .Insecure.User.issuingCertificateURL }}],\n{{- else }}\n\t\"issuingCertificateURL\": [{{ toJson .issuingCertificateURL }}],\n{{- end }}\n{{- if .Insecure.User.crlDistributionPoints }}\n\t\"crlDistributionPoints\": [{{ toJson .Insecure.User.crlDistributionPoints }}]\n{{- else }}\n\t\"crlDistributionPoints\": [{{ toJson .crlDistributionPoints }}]\n{{- end }}\n}\n",
          "templateData": {
            "country": "US",
            "organization": "Homelab, Inc.",
            "organizationalUnit": "Homelab",
            "issuingCertificateURL": [
              "https://ca.home.lab:443/intermediates.pem"
            ],
            "crlDistributionPoints": [
              "https://ca.home.lab:443/crl"
            ]
          }
        },
        "ssh": {}
      }
    },
    {
      "type": "ACME",
      "name": "acme",
      "claims": {
        "minTLSCertDuration": "48h0m0s",
        "maxTLSCertDuration": "87600h0m0s",
        "defaultTLSCertDuration": "168h0m0s",
        "enableSSHCA": true,
        "disableRenewal": false,
        "allowRenewalAfterExpiry": true,
        "disableSmallstepExtensions": false
      },
      "options": {
        "x509": {
          "template": "{\n\t\"subject\": {\n{{- if .Insecure.User.Country }}\n\t\t\"country\": {{ toJson .Insecure.User.country }},\n{{- else }}\n\t\t\"country\": {{ toJson .country }},\n{{- end }}\n{{- if .Insecure.User.organization }}\n\t\t\"organization\": {{ toJson .Insecure.User.organization }},\n{{- else }}\n\t\t\"organization\": {{ toJson .organization }},\n{{- end }}\n{{- if .Insecure.User.organizationalUnit }}\n\t\t\"organizationalUnit\": {{ toJson .Insecure.User.organizationalUnit }},\n{{- else }}\n\t\t\"organizationalUnit\": {{ toJson .organizationalUnit }},\n{{- end }}\n\t\t\"commonName\": {{ toJson .Subject.CommonName }}\n\t},\n\t\"sans\": {{ toJson .SANs }},\n{{- if typeIs \"*rsa.PublicKey\" .Insecure.CR.PublicKey }}\n\t\"keyUsage\": [\"keyEncipherment\", \"digitalSignature\"],\n{{- else }}\n\t\"keyUsage\": [\"digitalSignature\"],\n{{- end }}\n\t\"extKeyUsage\": [\"serverAuth\", \"clientAuth\"],\n{{- if .Insecure.User.issuingCertificateURL }}\n\t\"issuingCertificateURL\": [{{ toJson .Insecure.User.issuingCertificateURL }}],\n{{- else }}\n\t\"issuingCertificateURL\": [{{ toJson .issuingCertificateURL }}],\n{{- end }}\n{{- if .Insecure.User.crlDistributionPoints }}\n\t\"crlDistributionPoints\": [{{ toJson .Insecure.User.crlDistributionPoints }}]\n{{- else }}\n\t\"crlDistributionPoints\": [{{ toJson .crlDistributionPoints }}]\n{{- end }}\n}\n",
          "templateData": {
            "country": "US",
            "organization": "Homelab, Inc.",
            "organizationalUnit": "Homelab",
            "issuingCertificateURL": [
              "https://ca.home.lab:443/intermediates.pem"
            ],
            "crlDistributionPoints": [
              "https://ca.home.lab:443/crl"
            ]
          }
        },
        "ssh": {}
      }
    }
  ],
  "nextCursor": ""
}

And the output of clicking order certificates:

Loading ACME account details
Placing ACME order
Order URL: https://ca.home.lab/acme/acme/order/ouasyviIa7sXGlliGZi6IAIADONPsKyW

Getting authorization details from 'https://ca.home.lab/acme/acme/authz/I0xx7l8MQQWQHMjYkYzO9NOgZWre3M2E'
The validation for proxmox.home.lab is pending!
Setting up webserver
Triggering validation
Sleeping for 5 seconds
Status is 'valid', domain 'proxmox.home.lab' OK!

All domains validated!

Creating CSR
Checking order status
Order is ready, finalizing order
TASK ERROR: Error: POST to https://ca.home.lab/acme/acme/order/ouasyviIa7sXGlliGZi6IAIADONPsKyW/finalize {"type":"urn:ietf:params:acme:error:serverInternal","detail":"The server experienced an internal error"} 

[heinemannj]

Your provisioners config looks fine:

• The only difference between the standard installation settings is the name of the ACME provisioner – acme vs acme@{DomainName}.
• You have to adjust all configuration steps accordingly.

My conclusion:

• The step-ca installation script produced a valid step-ca configuration

• Your step-ca service is up and running

• At some point of time the communication between your Proxmox VE Node and your step-ca service is broken

• I CAN'T REPRODUCE this issue and

• for sure this kind of errors are out of installation script support - Please address to PROXMOX and/or smallstep support

[Phenix66]

At some point of time the communication between your Proxmox VE Node and your step-ca service is broken

Highly, highly unlikely. The step-ca container is running on the same node. This is a single node setup. The internal server error is also visible in the service logs on the step-ca container.

for sure this kind of errors are out of installation script support - Please address to PROXMOX and/or smallstep support

"I can't reproduce so go ask another vendor" doesn't seem like the right answer when you have 2 users both reporting the same issue.

@MickLesk I would recommend removal of the script. Something is broken in the config that it provides out of the box and the primary POC seems unwilling to properly support, so that would raise questions of long term viability.

[heinemannj]

Do the needful ...

[MickLesk]

i taken a look into this special tool.. why do you cat the LeafTemplate with [] ?
"cannot unmarshal array at offset 2 into Go value of type string" tell us, that are 2 [[]] values for one var.

This can be here in this case:

"issuingCertificateURL": [
  "https://ca.home.lab:443/intermediates.pem"
]

=> Template:

"issuingCertificateURL": [{{ toJson .issuingCertificateURL }}],

=>

[
  [
    "https://ca.home.lab:443/intermediates.pem"
  ]
]

same for crlDistribitionPoints?

https://github.com/community-scripts/ProxmoxVE/blob/main/install/step-ca-install.sh#L118-L120

---

@Phenix66 can you check following;

cat /etc/step-ca/templates/x509/leaf_data.tpl
grep -A12 -B2 -E 'issuingCertificateURL|crlDistributionPoints' \
  /etc/step-ca/templates/x509/leaf.tpl

How it look like?

If you see double [[, you can try following;

sed -i \
  -e 's/"issuingCertificateURL": \[{{ toJson \.Insecure\.User\.issuingCertificateURL }}\]/"issuingCertificateURL": {{ toJson .Insecure.User.issuingCertificateURL }}/' \
  -e 's/"issuingCertificateURL": \[{{ toJson \.issuingCertificateURL }}\]/"issuingCertificateURL": {{ toJson .issuingCertificateURL }}/' \
  -e 's/"crlDistributionPoints": \[{{ toJson \.Insecure\.User\.crlDistributionPoints }}\]/"crlDistributionPoints": {{ toJson .Insecure.User.crlDistributionPoints }}/' \
  -e 's/"crlDistributionPoints": \[{{ toJson \.crlDistributionPoints }}\]/"crlDistributionPoints": {{ toJson .crlDistributionPoints }}/' \
  /etc/step-ca/templates/x509/leaf.tpl

sed -i \
  's/\.Insecure\.User\.Country/\.Insecure\.User\.country/g' \
  /etc/step-ca/templates/x509/leaf.tpl

and check again with grep -A12 -B2 -E 'issuingCertificateURL|crlDistributionPoints|User.country' \ /etc/step-ca/templates/x509/leaf.tpl

after this (if all look okay) you neet to refresh the provisioner;

step ca provisioner list | jq -r '.[].name' 
--or 
step ca provisioner list

-- acme or acme@home.lab
step ca provisioner update "acme" \
  --x509-template=/etc/step-ca/templates/x509/leaf.tpl \
  --x509-template-data=/etc/step-ca/templates/x509/leaf_data.tpl

systemctl restart step-ca
journalctl -u step-ca -f

If all look okay, PVE Node → System → Certificates → ACME → Order Certificates Now

Its just an try. I never used this tool