Built-in SSL certificate renewal?

Chris Douglas

Apr 24, 2024
I have a pve-ssl.pem that expires on May 24th (the matching pve-root-ca.pem does not expire until May 2032), the default-on-creation /OU=PVE Cluster Node/O=Proxmox Virtual Environment/ certificate.

It is not in the ACME section of the certificates area of my Proxmox node. Is this going to self-renew or do I have to do so - and if so, how? I've looked but can't find resources for doing this if it's not ACME. I am coming from an oVirt world where if you don't renew certificates before they expire terrible things happen to the engine, so I'm somewhat worried about getting this done before it runs out.

Thanks
 
It is not in the ACME section of the certificates area of my Proxmox node. Is this going to self-renew or do I have to do so - and if so, how?
You will have to renew that certificate manually. How you renew a certificate depends on your certificate vendor. After you get a new/renewed certificate from your vendor, you can upload it to PVE just as you uploaded your first certificate.

Automatic Renewal only works with ACME, as ACME isn't a type of certificate, but rather the process for getting a new certificate automatically. So a static certificate can't just be renewed by PVE because there is no defined process to do so.
 
This is the certificate & CA that Proxmox itself set up when I installed the server 2 years ago - I never uploaded it, it was just there after the installation was completed. This is part of why I'm confused as to what to do.
 
This is the certificate & CA that Proxmox itself set up when I installed the server 2 years ago - I never uploaded it, it was just there after the installation was completed. This is part of why I'm confused as to what to do.
This is just a self-signed certificate as we consider using HTTPS with that better than no HTTPS at all (not ideal, but probably better than nothing). If your certificate expires it's actually not much different from the self-signed cert, you will have to trust it explicitly to keep using the GUI. If the certificate is valid, that shouldn't be required.
 
Ah, so you're saying that the VMs themselves don't actually rely on it in order to keep running within the Proxmox environment? This might be what threw me, oVirt very much requires certificates to do this. I do have a certificate based on our domain name as well in that section, that I use for HTTPS access to Proxmox; my worry was that the VMs would stop working if the default one that was generated on install expires.
 
You can regenerate it with pvecm updatecerts -f, but IIRC the only thing the self-signed CA and cert is used for if you have a custom/ACME cert is pinning SPICE connections.
 
Thank you very much - I've just run that and the certificate is now showing with a 2026 expiry date. :) I'll make a note of that for next time!
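
An added example (not part of any post in this thread): a small POSIX shell check that reports whether a certificate expires within a given number of days and whether it is the install-time node certificate, recognised by the subject quoted in the first post. The certificate path is passed in by the caller, and the 30-day default threshold and the result labels are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The certificate path is supplied by the
# caller; the 30-day default and the result labels are assumptions.

# Succeeds if FILE carries the install-time subject quoted in the first post
# (/OU=PVE Cluster Node/O=Proxmox Virtual Environment/).
is_pve_default_cert() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null) || return 1
    case "$subject" in
        *"OU=PVE Cluster Node"*) ;;
        *) return 1 ;;
    esac
    case "$subject" in
        *"O=Proxmox Virtual Environment"*) return 0 ;;
    esac
    return 1
}

# check_cert FILE [DAYS] prints one of:
#   ok             still valid DAYS from now
#   renew-default  built-in node cert, expiring (thread's fix: pvecm updatecerts -f)
#   renew-custom   other cert, expiring (renew via the vendor or ACME)
#   unreadable     FILE is missing or not a parseable certificate
check_cert() {
    file=$1
    days=${2:-30}
    # Reject anything openssl cannot parse, so a bad path is not read as "expiring".
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo unreadable
        return 2
    fi
    # -checkend exits 0 when the certificate is still valid N seconds from now.
    if openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    if is_pve_default_cert "$file"; then
        echo renew-default
    else
        echo renew-custom
    fi
    return 1
}

# Stand-alone use: sh check.sh /path/to/cert.pem [days]
if [ $# -ge 1 ]; then
    check_cert "$1" "${2:-30}"
fi
```

The script only reports; it does not run the regeneration command itself.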
 