I would just go with running acme.sh directly from the CLI — or Certbot, like I suggested in my first answer.
I mean, sure, it would be great if Proxmox could do wildcard certs natively, but unfortunately it can’t (yet).
Of course, there are many other possibilities, but since you seem to rule out all alternatives categorically and have decided that Wildcard certificates are necessary and that the Proxmox host itself must obtain them, the only real option is to use an ACME client from the command line. As Proxmox is based on Debian, which is a standard Linux system, it shouldn't be too difficult to write a short script to move the certificates to the correct location and restart the relevant PVE services.
If you have another physical host, you could install the ACME client there. Then you might be able to upload the certificates via the PVE API (haven't tested this), so you don’t have to give that host root permissions on your PVE host: https://forum.proxmox.com/threads/upload-custom-cert-via-proxmox-api.101300/
However, this would only make things more complicated, and if your PVE hosts go down, it won't help if your ACME client is still up, unless these wildcard certs are also used elsewhere.
@janus57 Bastion Hosts is a completely different topic, although it can of course make sense to have something like that, because exposing management interfaces to a client network in a larger company is almost as bad as exposing them to the internet. In a home lab or small business however, it would proabably be overkill ;-)
I mean, sure, it would be great if Proxmox could do wildcard certs natively, but unfortunately it can’t (yet).
Of course, there are many other possibilities, but since you seem to rule out all alternatives categorically and have decided that Wildcard certificates are necessary and that the Proxmox host itself must obtain them, the only real option is to use an ACME client from the command line. As Proxmox is based on Debian, which is a standard Linux system, it shouldn't be too difficult to write a short script to move the certificates to the correct location and restart the relevant PVE services.
If you have another physical host, you could install the ACME client there. Then you might be able to upload the certificates via the PVE API (haven't tested this), so you don’t have to give that host root permissions on your PVE host: https://forum.proxmox.com/threads/upload-custom-cert-via-proxmox-api.101300/
However, this would only make things more complicated, and if your PVE hosts go down, it won't help if your ACME client is still up, unless these wildcard certs are also used elsewhere.
@janus57 Bastion Hosts is a completely different topic, although it can of course make sense to have something like that, because exposing management interfaces to a client network in a larger company is almost as bad as exposing them to the internet. In a home lab or small business however, it would proabably be overkill ;-)
Last edited:
