Expiring Letsencrypt certificates and using spice for VDI

Eris
Dec 16, 2015
I'm testing Proxmox for VDI services and using a Let's Encrypt certificate for the hosts. Most of it works fine; one of the annoying problems is that the LE certificates expire every 3 months, which means that the VM needs to be rebooted (stopped and started) to load the new certificates. This could be a problem if you don't know when the clients are working.

Is there any solution for this?

thanks
 
Hi Eris! Are you using certbot to obtain your certificates? If so, I think these links could be helpful. :) The first link documents all necessary steps for installing certbot and the second one contains links and instructions for automatically renewing expired or expiring certificates. If you have any further questions, I'll be happy to help out. :)

Certbot installation guide: https://certbot.eff.org/instructions
Auto-renewal of Let's Encrypt certificates: https://eff-certbot.readthedocs.io/en/stable/using.html#automated-renewals
 
No, really, the issue is not the spiceproxy; I tried to restart it but this doesn't solve the problem.
You need to restart the kvm process. What's working is to run qm reboot 123, but as said, it's hard to guess from outside when the VM is not used.
 
Could you outline in a detailed manner how you have configured your certificates, proxies, and machines?
 
Proxmox 3 node Hyper-converged Cluster setup
Windows 11 VM,
own user with limited rights to VM
Spice with one monitor as display driver (64MB)
2 USB Spice ports
Spice acceleration
No special proxy settings (only using the spiceproxy provided on the Node)

Let's Encrypt certificates will be provided by a central server which copies the PEM and KEY file to /etc/pve/pve-www.key, /etc/pve/nodes/*/pveproxy-ssl.{key,pem},pve-ssl.{key,pem}
After the update, /bin/systemctl restart pveproxy is triggered (but as said, /bin/systemctl restart spiceproxy doesn't help)

Client: the joshpatten PVE-VDIClient on Windows or Raspi
 
And you are trying to connect to the Windows VM via the SPICE proxy? Is that correct? Has Spice given you any errors about certificates in the past? (I'm asking because of the forum thread you linked previously.)
 
> I'm testing Proxmox for VDI services and using a Let's Encrypt certificate for the hosts. Most of it works fine; one of the annoying problems is that the LE certificates expire every 3 months, which means that the VM needs to be rebooted (stopped and started) to load the new certificates. This could be a problem if you don't know when the clients are working.
>
> Is there any solution for this?
>
> thanks
You are only allowed to overwrite the certificates located at /etc/pve/local/pveproxy-ssl.pem and /etc/pve/local/pveproxy-ssl.key when you are using custom certificates. The other certificates must be "native" PVE certificates. You can re-generate the "native" certs with the command pvecm updatecerts --force and restart any QEMU instances that are running. Our documentation about certificate management should also help alleviate the problem you are encountering: https://pve.proxmox.com/wiki/Certificate_Management
 
> Proxmox 3 node Hyper-converged Cluster setup
> Windows 11 VM,
> own user with limited rights to VM
> Spice with one monitor as display driver (64MB)
> 2 USB Spice ports
> Spice acceleration
> No special proxy settings (only using the spiceproxy provided on the Node)
>
> Let's Encrypt certificates will be provided by a central server which copies the PEM and KEY file to /etc/pve/pve-www.key, /etc/pve/nodes/*/pveproxy-ssl.{key,pem},pve-ssl.{key,pem}
> After the update, /bin/systemctl restart pveproxy is triggered (but as said, /bin/systemctl restart spiceproxy doesn't help)
>
> Client: the joshpatten PVE-VDIClient on Windows or Raspi

This is wrong. A custom certificate and key should ONLY go into pveproxy-ssl.{key,pem}. The recommended way to do that is to run pvenode cert set /path/to/cert /path/to/key --force --restart
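The renewal flow Fabian recommends, as an added example that is not code from this thread or from Proxmox: a certbot deploy hook run on each node (it assumes certbot on the node rather than the central push server described above, and that openssl is installed; the function names are the example's own). It installs the renewed certificate only into pveproxy-ssl via pvenode cert set, after checking that the key matches the certificate, so the cluster CA and the pve-ssl.{key,pem} files that SPICE and the VMs use are never written.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: a certbot deploy hook
# for one PVE node. Assumes certbot runs on the node (certbot exports
# RENEWED_LINEAGE to deploy hooks) and that openssl is installed.
# Only pveproxy-ssl.{pem,key} is replaced, via pvenode; the cluster CA and
# pve-ssl.{pem,key} used by SPICE/QEMU are never written, so no VM reboot.
set -u

# Compare the certificate's public key with the one derived from the private key.
# A mismatch would leave pveproxy unable to start after the restart.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Reject a certificate that has already expired (checkend 0 = "expires within 0 s").
cert_is_valid_now() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# The exact command from Fabian's post, returned as text so it can be logged/reviewed.
pvenode_cmd() {
    printf 'pvenode cert set %s %s --force --restart' "$1" "$2"
}

deploy_to_pveproxy() {
    cert="$1"; key="$2"
    cert_matches_key "$cert" "$key" || { echo "cert/key mismatch, refusing" >&2; return 2; }
    cert_is_valid_now "$cert" || { echo "certificate already expired, refusing" >&2; return 3; }
    echo "running: $(pvenode_cmd "$cert" "$key")" >&2
    # --restart restarts pveproxy only; spiceproxy and running VMs keep using pve-ssl.*
    pvenode cert set "$cert" "$key" --force --restart
}

# certbot --deploy-hook entry point: RENEWED_LINEAGE/{fullchain,privkey}.pem
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_to_pveproxy "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem"
fi
```

Register it with certbot's --deploy-hook option so it runs only after a successful renewal; a mismatched or expired pair is refused before pveproxy is touched.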
 
Hi Fabian,

Thanks, so if I understand it correctly, Proxmox uses its own CA for everything except the www proxy, the SPICE files provide the Proxmox CA, and the VM uses the 2-year-valid pve-ssl.key, right?

I recreated the CA and keys for all nodes and added my own keys as you suggested with the pvenode cert set command, and it seems to work. I would expect it to work for 2 years until the certificate expires, right?

kind regards
 
the CA is valid for 10 years, the node certs for up to 2 years.
 