Let’s Encrypt with Proxmox VE

[martin]

Proxmox VE now works with the free certificates from the Let’s Encrypt Certificate Authority.

Free, automated and open. Nice!

Here is the HowTo for Proxmox VE
http://pve.proxmox.com/wiki/HTTPSCertificateConfiguration
__________________

Best regards,

Martin Maurer
Proxmox VE project leader

 

[iptgeek]

Very Cool Martin - thanks for this.

 

[JonathanB19]

I'm a bit confused about step 4 of the instructions. They say you need to use the firewall to "allow traffic to port 80". I'm not sure I understand that. The firewall on a default installation is off, isn't it? Even if it wasn't, what needs to "allow" it? Nothing is listening on port 80. Do you mean outbound traffic?

 

[iptgeek]

Hi jonathan

the LE client will listen for a request from the LE servers to verify that you indeed are at that IP address with that hostname.

So you should allow traffic <> your proxmox install :80 while you are running this process.

B

 

[JonathanB19]

Oh I see. But the default for PVE is that the firewall is off, no? So having to open up port 80 for the LE client (and presumably also for renewal - would you need to modify the renewal script to do that?) is only for the minority, I assume.

 

[fabian]

Oh I see. But the default for PVE is that the firewall is off, no? So having to open up port 80 for the LE client (and presumably also for renewal - would you need to modify the renewal script to do that?) is only for the minority, I assume.

This does not only concern the proxmox firewall, but any firewall inbetween the node and the public internet. So yes, while proxmox itself does not block this (by default), a site / data center / .. firewall might, so I figured it's better to warn upfront than fail when verifying. Better wording is of course always welcome

 

[JonathanB19]

OK thanks - I just edited the wiki page to clarify step 4.

 

[a5m0deu5]

cool just set this up fine using the guide!

 

[arowan]

le.sh is now acme.sh on the new commit

 

[fabian]

I will update the wiki article later today with the new repository URI and option syntax.

 

[fabian]

Wiki updated for acme.sh - the configuration migration from le.sh to acme.sh seems to work without problems, if you experience any issues please report back.

No more manual fiddling with configuration files or cron jobs necessary, the install command now allows setting the config path, account key path and email address directly on the command line

 

[arowan]

Thanks

 

[AlphaHost]

root@sa223:~/acme.sh-master# acme.sh --issue --standalone --keypath /etc/pve/local/pveproxy-ssl.key --fullchainpath /etc/pve/local/pveproxy-ssl.pem --reloadcmd "systemctl restart pveproxy" -d www.domain.com
[So 24. Apr 23:44:57 CEST 2016] Standalone mode.
[So 24. Apr 23:44:58 CEST 2016] Only RSA or EC key is supported.

whats wrong?
no firewall or iptables active


netstat -tulpn | grep :80
tcp 0 0 0.0.0.0:8006 0.0.0.0:* LISTEN 17474/pveproxy

 

[fabian]

Is that the complete output? does the acme.sh script hang at that point or exit? if you add "--debug" to the command line it will print detailled output of the individual steps, you could post that here (but make sure that it does not container your private account or certificate keys)

 

[AlphaHost]

Yes, that's the complete output.
Here the output with --debug:

Spoiler: acme.sh debug

root@sa223:~/acme.sh-master# acme.sh --issue --standalone --keypath /etc/pve/local/pveproxy-ssl.key --fullchainpath /etc/pve/local/pveproxy-ssl.pem --reloadcmd "systemctl restart pveproxy" -d www.domain.de --debug
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.conf:1:Le_Domain=www.domain.de
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:2:Le_Alt=no
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:3:Le_Webroot=no
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.conf:4:Le_Keylength=no
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:5:Le_RealCertPath="no"
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:6:Le_RealCACertPath="no"
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/wwwdomain.de /www.domain.de.conf:7:Le_RealKeyPath="/etc/pve/local/pveproxy-ssl.key"
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.sa223.saturn.fastwebserver.de.conf:8:Le_ReloadCmd="systemctl restart pveproxy"
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.conf:9:Le_RealFullChainPath="/etc/pve/local/pveproxy-ssl.pem"
[Mo 25. Apr 07:56:30 CEST 2016] Standalone mode.
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:10:Le_HTTPPort=80
[Mo 25. Apr 07:56:30 CEST 2016] Using: ss
[Mo 25. Apr 07:56:30 CEST 2016] Only RSA or EC key is supported.

 

[fabian]

is either your account ("/etc/pve/.le/account.key") or your domain key ("/root/.acme.sh/www.domain.de/www.domain.de.key") empty or broken? did a previous run of acme.sh exit with errors?

 

[AlphaHost]

Yea, the account.key in "/etc/pve/.le/account.key" is empty, but acme never exited with an error

Edit:

Ahh, deleting the empty account.key and running the install script again solved the problem.
Thank you

 

[RedneckBob]

This is fantastic, thanks!

 

[snowman66]

After renewal: I open browser I get SSL error/mismatch, which says that certificate is issued for mydomain.com but I'm trying to reach mydomain-pve1.mydomain.com. Can I add domain argument in cron job or set default cert. for pveproxy that will point to subdomain mydomain-pve1.mydomain.com and not mydomain.com when I run renewal ?

[jul 13 18:59:01 CEST 2016] Renew: mydomain-pve1.mydomain.com
[jul 13 18:59:01 CEST 2016] Skip, Next renewal time is: sep 29 05:44:25 UTC 2016
[jul 13 18:59:01 CEST 2016] Skipped mydomain-pve1.mydomain.com
[jul 13 18:59:01 CEST 2016] Renew: mydomain.com
[jul 13 18:59:01 CEST 2016] Skip, Next renewal time is: sep 29 05:44:43 UTC 2016
[jul 13 18:59:01 CEST 2016] Skipped mydomain.com

 

[fabian]

If you follow the instructions, you will get a certificate that works - not sure what you did.. you can always delete the existing files and start from scratch..