Are you going to add built-in support for Let's Encrypt?

Colin 't Hart

Well-Known Member
Jan 20, 2017
Frösön, Sweden
www.hiawathaavenue.com
Hi,

Recent versions of Proxmox VE have a built-in ACME client which works really well (we use DNS domain validation).
Are you going to add this same support into PBS?

I don't see it on the roadmap.

If so, for installs where the PBS is installed to the same host OS install as PVE (ie hostname:8006 is PVE and hostname:8007 is PBS) it would be even better if this could be integrated, but that might be difficult to do.

Thanks,

Colin
 
hi,

I don't see it on the roadmap.
yeah, it will probably get implemented eventually :)

If so, for installs where the PBS is installed to the same host OS install as PVE (ie hostname:8006 is PVE and hostname:8007 is PBS) it would be even better if this could be integrated, but that might be difficult to do.
if you have a valid cert for your PVE host on the same machine, you can just copy them over for PBS as well:
Code:
cp /etc/letsencrypt/live/<domain>/fullchain.pem /etc/proxmox-backup/proxy.pem
cp /etc/letsencrypt/live/<domain>/privkey.pem /etc/proxmox-backup/proxy.key
chown backup:backup /etc/proxmox-backup/proxy.*
 
Some caution seems to be needed here. When the certificate changes, the fingerprint that is entered on the PVE host apparently changes too. I just tested it and wondered why my PBS storage showed an error after the certificate swap. So a certificate-swap script would have to be changed so that it reads the fingerprint from the current certificate and updates it in the PVE storage.cfg.
Presumably you would have to look up the previous fingerprint and replace it with the new one. The tool needed is probably sed, but that is beyond my knowledge.
Here is my current script:

#!/bin/bash
### Check whether the certificate is still valid for the next 33 days ###
if openssl x509 -checkend $(( 24*3600*33 )) -noout -in /etc/letsencrypt/live/domain.tld/fullchain.pem
then
    echo "Certificate is valid for the next 33 days!"
else
    echo "Certificate will be renewed"
    ### Copy certificates to PVE ###
    scp /etc/letsencrypt/live/domain.tld/fullchain.pem 192.168.1.1:/etc/pve/nodes/pve/pveproxy-ssl.pem
    scp /etc/letsencrypt/live/domain.tld/privkey.pem 192.168.1.1:/etc/pve/nodes/pve/pveproxy-ssl.key
    ### Copy certificates to PBS ###
    scp /etc/letsencrypt/live/domain.tld/fullchain.pem 192.168.1.1:/etc/proxmox-backup/proxy.pem
    scp /etc/letsencrypt/live/domain.tld/privkey.pem 192.168.1.1:/etc/proxmox-backup/proxy.key
    ### Restart PVE proxy ###
    ssh 192.168.1.1 'service pveproxy restart'
    ### Set ownership and permissions so proxmox-backup-proxy (user backup) can read the key ###
    ssh 192.168.1.1 'chown backup:backup /etc/proxmox-backup/proxy.key /etc/proxmox-backup/proxy.pem'
    ssh 192.168.1.1 'chmod 640 /etc/proxmox-backup/proxy.key /etc/proxmox-backup/proxy.pem'
    ### Restart PBS proxy ###
    ssh 192.168.1.1 'systemctl restart proxmox-backup-proxy'
fi


I would be grateful if someone could give tips on how the script can first read the fingerprint and then replace it in /etc/pve/storage.cfg with the one from the renewed certificate.
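One way to do what the post above asks for, as an added example that is not from the thread and not Proxmox's own code: take the SHA-256 fingerprint of the renewed leaf certificate with openssl (the first certificate in fullchain.pem), compare it with the fingerprint recorded for one pbs: storage entry in /etc/pve/storage.cfg, and rewrite only that entry when it differs. The storage id backup01, the certificate path and the config layout are assumptions; the colon-separated uppercase format is the one PVE uses for the fingerprint field. Run it on the PVE host after the certificate has been copied to PBS and proxmox-backup-proxy restarted.

```shell
#!/bin/sh
# Added example, not from the thread: keep the PBS fingerprint in
# /etc/pve/storage.cfg in sync with a renewed certificate.
# Storage id, paths and config layout are assumptions.

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file,
# printed in the colon-separated uppercase form PVE stores in storage.cfg.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Fingerprint currently recorded for the "pbs:" storage with the given id
# (prints nothing if the entry has no fingerprint line).
cfg_fingerprint() {
    cfg=$1; id=$2
    awk -v id="$id" '
        /^[a-z]+: / { in_section = ($0 == "pbs: " id) }
        in_section && $1 == "fingerprint" { print $2 }
    ' "$cfg"
}

# Replace the fingerprint of one "pbs:" entry; all other entries are left
# untouched. The new content is staged in a temp file and copied over the
# original so a failure half-way leaves storage.cfg unchanged.
update_cfg_fingerprint() {
    cfg=$1; id=$2; fp=$3
    tmp=$(mktemp) || return 1
    awk -v id="$id" -v fp="$fp" '
        /^[a-z]+: / { in_section = ($0 == "pbs: " id) }
        in_section && $1 == "fingerprint" { sub(/[^ \t]+$/, fp) }
        { print }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Update only when the certificate actually changed.
# Exit status: 0 = updated, 1 = already current, 2 = could not read cert.
sync_fingerprint() {
    cfg=$1; id=$2; cert=$3
    new=$(cert_fingerprint "$cert")
    [ -n "$new" ] || return 2
    old=$(cfg_fingerprint "$cfg" "$id")
    [ "$old" = "$new" ] && return 1
    update_cfg_fingerprint "$cfg" "$id" "$new"
}

# Usage on the PVE host (assumed paths):
#   sync_fingerprint /etc/pve/storage.cfg backup01 /etc/letsencrypt/live/domain.tld/fullchain.pem
```

The fingerprint is only needed when PVE cannot validate the PBS certificate through a trusted CA; with a publicly trusted certificate whose name matches the server field, the fingerprint line can be removed from the entry instead of being maintained.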
It is working when deleting the fingerprint, but you have to use a domain, not an IP, for the PBS server connection from PVE to PBS. Otherwise the hostname does not match the certificate and you get an error. So you need a matching certificate for your PBS. This is only possible when using an internal domain like your external domain and getting a wildcard certificate from Let's Encrypt. I have my internal domain like my external domain and I can use the wildcard cert on all my internal servers:
public domain = external.net
internal active directory domain = external.net
my server names = pve.external.net, pbs.external.net
wildcard cert = *.external.net (all server internal and external can use it)
 
You can use whatever you want to get a public certificate from LE. But your server names must match the certificate name. And LE only gives certificates for public domains and not for local domains like "mydomain.local". That's why you must use internal server names that match your public domain. Only then will the LE certificate be valid for your internally hosted PBS server.
 
OK

But you can either:
1. Use a public domain and create internal names for that using Let's Encrypt.
or
2. Setup your own CA and make your internal machines trust that CA.

Personally I would use approach 1. Then automate using Let's Encrypt. Domains are pretty cheap and your time costs money too. Setting up your own CA will probably take more time (at least fewer people know how to do it).

Or just keep entering the fingerprint everywhere... if you generate your own certificates you can make them valid for like 10 years so you will very rarely have to update the fingerprint.

Finally, I don't know why you didn't create a new thread for this topic. I asked the first question about adding LE support to PBS. Your topic is about having to update the fingerprint when you change certs.
 