[SOLVED] How to force the built in web server to reload SSL key

tsajuk

Jan 9, 2009
Now that I finally surrendered to the usage of letsencrypt.org, the SSL cert and key will have to be changed quite often. Is there a command, like "service nginx reload" for nginx, that would ensure that the keys just copied into /etc/pve/local would be used for the next HTTP connections?

But maybe the keys aren't cached but read in for each request ... Does someone know?

BTW: Don't use the horrible bloatware Let's Encrypt is providing. A simple shell script like this one https://github.com/Neilpang/le is enough.
 
You need to execute "systemctl restart pveproxy" on each node that has a changed certificate or key. This will restart the server process serving the web GUI. Note that there will soon be changes regarding SSL certificates used by PVE, which should make deploying commercial (or LE) certificates less error-prone than currently.
 
You need to execute "systemctl restart pveproxy"
Thanks, that works like a charm.
which should make deploying commercial (or LE) certificates less error-prone than currently.
Wow, simpler than doing
Code:
le issue no node.domain.de
le installcert node.domain.de /etc/pve/local/pve-ssl.pem /etc/pve/local/pve-ssl.key /etc/pve/local/pve-ssl.pem "systemctl restart pveproxy"
once and having a cronjob automatically installed that takes care of the renewal?
 
Just doing that will break a lot (i.e., starting VMs using the default KVM setup with VNC, Spice in general). A mismatch between the cluster CA and the node certificates is not well supported at the moment, which is what will hopefully change soon.
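
A pre-restart check for the two failure modes discussed in this thread, added here as an example and not taken from any poster or from Proxmox: it confirms that the certificate and key belong together and reports whether the certificate was issued by the cluster CA. The function names are hypothetical, and the cluster CA path in the usage comment (/etc/pve/pve-root-ca.pem) is an assumption not stated in the thread.

```shell
#!/bin/sh
# Added example: sanity checks to run before "systemctl restart pveproxy".
# Function names are hypothetical helpers, not part of PVE or the le script.

# Succeeds when the certificate ($1) and private key ($2) carry the same public key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate ($1) chains to the CA file ($2) and nothing else.
# -no-CApath keeps the system trust store out of the decision, so a publicly
# trusted certificate is not mistaken for one issued by the cluster CA.
signed_by_ca() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Prints one status word and returns non-zero on any mismatch:
#   ok            certificate matches the key and chains to the CA
#   key-mismatch  certificate and key do not belong together
#   ca-mismatch   certificate was not issued by the given CA
check_node_cert() {
    cert=$1
    key=$2
    ca=$3
    if ! pair_matches "$cert" "$key"; then
        echo key-mismatch
        return 1
    fi
    if ! signed_by_ca "$cert" "$ca"; then
        echo ca-mismatch
        return 2
    fi
    echo ok
}

# Usage on a node (certificate and key paths from the thread, CA path assumed):
#   check_node_cert /etc/pve/local/pve-ssl.pem /etc/pve/local/pve-ssl.key \
#       /etc/pve/pve-root-ca.pem && systemctl restart pveproxy
```

A ca-mismatch result is the cluster CA versus node certificate mismatch described in the last reply.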