Let’s Encrypt with Proxmox VE

Discussion in 'Proxmox VE: Installation and configuration' started by martin, Apr 8, 2016.

  1. martin

    martin Proxmox Staff Member
    Staff Member

    Joined:
    Apr 28, 2005
    Messages:
    633
    Likes Received:
    319
    MimCom, carlosmora, fireon and 9 others like this.
  2. iptel

    iptel New Member
    Proxmox Subscriber

    Joined:
    Mar 3, 2016
    Messages:
    19
    Likes Received:
    0
    Very Cool Martin - thanks for this.
     
  3. JonathanB19

    JonathanB19 Member
    Proxmox Subscriber

    Joined:
    Dec 15, 2015
    Messages:
    34
    Likes Received:
    1
    I'm a bit confused about step 4 of the instructions. They say you need to use the firewall to "allow traffic to port 80". I'm not sure I understand that. The firewall on a default installation is off, isn't it? Even if it wasn't, what needs to "allow" it? Nothing is listening on port 80. Do you mean outbound traffic?
     
  4. iptel

    iptel New Member
    Proxmox Subscriber

    Joined:
    Mar 3, 2016
    Messages:
    19
    Likes Received:
    0
    Hi Jonathan,

    The LE client will listen for a request from the LE servers to verify that you indeed are at that IP address with that hostname.

    So you should allow traffic <> your proxmox install :80 while you are running this process.

    B
     
  5. JonathanB19

    JonathanB19 Member
    Proxmox Subscriber

    Joined:
    Dec 15, 2015
    Messages:
    34
    Likes Received:
    1
    Oh I see. But the default for PVE is that the firewall is off, no? So having to open up port 80 for the LE client (and presumably also for renewal - would you need to modify the renewal script to do that?) is only for the minority, I assume.
     
    fibo_fr likes this.
  6. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,195
    Likes Received:
    494
    This does not only concern the Proxmox firewall, but any firewall in between the node and the public internet. So yes, while Proxmox itself does not block this (by default), a site / data center / .. firewall might, so I figured it's better to warn upfront than fail when verifying. Better wording is of course always welcome ;)
     
    gkovacs likes this.
  7. JonathanB19

    JonathanB19 Member
    Proxmox Subscriber

    Joined:
    Dec 15, 2015
    Messages:
    34
    Likes Received:
    1
    OK thanks - I just edited the wiki page to clarify step 4.
     
  8. a5m0deu5

    a5m0deu5 New Member

    Joined:
    Mar 21, 2012
    Messages:
    12
    Likes Received:
    1
    Cool, just set this up fine using the guide!
     
  9. arowan

    arowan New Member
    Proxmox Subscriber

    Joined:
    Feb 1, 2013
    Messages:
    9
    Likes Received:
    0
    le.sh is now acme.sh on the new commit
     
  10. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,195
    Likes Received:
    494
    I will update the wiki article later today with the new repository URI and option syntax.
     
  11. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,195
    Likes Received:
    494
    Wiki updated for acme.sh - the configuration migration from le.sh to acme.sh seems to work without problems, if you experience any issues please report back.

    No more manual fiddling with configuration files or cron jobs necessary, the install command now allows setting the config path, account key path and email address directly on the command line :)
     
    arowan likes this.
  12. arowan

    arowan New Member
    Proxmox Subscriber

    Joined:
    Feb 1, 2013
    Messages:
    9
    Likes Received:
    0
  13. AlphaHost

    AlphaHost New Member
    Proxmox Subscriber

    Joined:
    Apr 17, 2016
    Messages:
    8
    Likes Received:
    0
    root@sa223:~/acme.sh-master# acme.sh --issue --standalone --keypath /etc/pve/local/pveproxy-ssl.key --fullchainpath /etc/pve/local/pveproxy-ssl.pem --reloadcmd "systemctl restart pveproxy" -d www.domain.com
    [So 24. Apr 23:44:57 CEST 2016] Standalone mode.
    [So 24. Apr 23:44:58 CEST 2016] Only RSA or EC key is supported.

    What's wrong?
    No firewall or iptables active.


    netstat -tulpn | grep :80
    tcp 0 0 0.0.0.0:8006 0.0.0.0:* LISTEN 17474/pveproxy
     
  14. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,195
    Likes Received:
    494
    Is that the complete output? Does the acme.sh script hang at that point or exit? If you add "--debug" to the command line it will print detailed output of the individual steps, you could post that here (but make sure that it does not contain your private account or certificate keys).
     
  15. AlphaHost

    AlphaHost New Member
    Proxmox Subscriber

    Joined:
    Apr 17, 2016
    Messages:
    8
    Likes Received:
    0
    Yes, that's the complete output.
    Here the output with --debug:

    Code:
    root@sa223:~/acme.sh-master# acme.sh --issue --standalone --keypath /etc/pve/local/pveproxy-ssl.key --fullchainpath /etc/pve/local/pveproxy-ssl.pem --reloadcmd "systemctl restart pveproxy" -d www.domain.de --debug
    [Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.conf:1:Le_Domain=www.domain.de
    [Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:2:Le_Alt=no
    [Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:3:Le_Webroot=no
    [Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.conf:4:Le_Keylength=no
    [Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:5:Le_RealCertPath="no"
    [Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:6:Le_RealCACertPath="no"
    [Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/wwwdomain.de /www.domain.de.conf:7:Le_RealKeyPath="/etc/pve/local/pveproxy-ssl.key"
    [Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.sa223.saturn.fastwebserver.de.conf:8:Le_ReloadCmd="systemctl restart pveproxy"
    [Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.conf:9:Le_RealFullChainPath="/etc/pve/local/pveproxy-ssl.pem"
    [Mo 25. Apr 07:56:30 CEST 2016] Standalone mode.
    [Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:10:Le_HTTPPort=80
    [Mo 25. Apr 07:56:30 CEST 2016] Using: ss
    [Mo 25. Apr 07:56:30 CEST 2016] Only RSA or EC key is supported.
     
    #15 AlphaHost, Apr 25, 2016
    Last edited: Apr 25, 2016
  16. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,195
    Likes Received:
    494
    Is either your account key ("/etc/pve/.le/account.key") or your domain key ("/root/.acme.sh/www.domain.de/www.domain.de.key") empty or broken? Did a previous run of acme.sh exit with errors?
     
  17. AlphaHost

    AlphaHost New Member
    Proxmox Subscriber

    Joined:
    Apr 17, 2016
    Messages:
    8
    Likes Received:
    0
    Yea, the account.key in "/etc/pve/.le/account.key" is empty, but acme never exited with an error.

    Edit:

    Ahh, deleting the empty account.key and running the install script again solved the problem.
    Thank you
     
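    The two failure modes discussed in this thread (something blocking or already holding port 80 during the standalone challenge, and an empty account key that makes acme.sh stop with "Only RSA or EC key is supported.") are both easy to check before running `acme.sh --issue --standalone`. The following pre-flight script is an added example written for this thread; it is not code from acme.sh, from Proxmox or from any poster here. The account key path `/etc/pve/.le/account.key` is the one quoted above; the function names, the `SAMPLE_*` listings (the pveproxy line is the one posted above, the nginx line is constructed) and the file name `preflight.sh` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread, acme.sh or Proxmox): pre-flight checks
# before running `acme.sh --issue --standalone` on a Proxmox VE node.

# check_key_file FILE
#   0 = FILE exists, is non-empty and contains a PEM private key block
#   1 = missing or empty (the "Only RSA or EC key is supported." case above;
#       the fix reported in the thread was to delete it and re-run the install)
#   2 = present but not a PEM private key
check_key_file() {
    if [ ! -s "$1" ]; then
        echo "key file '$1' is missing or empty; remove it and re-run the acme.sh install" >&2
        return 1
    fi
    if ! grep -q -- 'PRIVATE KEY-----' "$1"; then
        echo "key file '$1' does not contain a PEM private key" >&2
        return 2
    fi
    return 0
}

# port80_free LISTENERS
#   LISTENERS is the text output of `ss -tulpn` or `netstat -tulpn`.
#   Returns 0 when no socket is bound to port 80, 1 otherwise.
#   ':80' must be followed by whitespace or end of line, so the
#   pveproxy listener on ':8006' does not count as a hit.
port80_free() {
    if printf '%s\n' "$1" | grep -Eq ':80([[:space:]]|$)'; then
        return 1
    fi
    return 0
}

# list_listeners: live socket listing, ss first, netstat as a fallback
list_listeners() {
    ss -tulpn 2>/dev/null || netstat -tulpn 2>/dev/null
}

# preflight [ACCOUNT_KEY]
#   Runs both checks against the live system; returns non-zero on the first failure.
preflight() {
    account_key="${1:-/etc/pve/.le/account.key}"
    check_key_file "$account_key" || return $?
    if ! port80_free "$(list_listeners)"; then
        echo "something already listens on port 80; stop it for the duration of the challenge" >&2
        return 3
    fi
    echo "pre-flight OK: '$account_key' is usable and port 80 is free on this host"
    echo "(a firewall between this node and the internet must still allow inbound :80)"
    return 0
}

# Constructed sample listings so the checks can be exercised without a PVE host:
# the pveproxy line is the netstat output posted above, the nginx line is made up.
SAMPLE_FREE='tcp 0 0 0.0.0.0:8006 0.0.0.0:* LISTEN 17474/pveproxy'
SAMPLE_BUSY='tcp 0 0 0.0.0.0:8006 0.0.0.0:* LISTEN 17474/pveproxy
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2211/nginx'

# Run the live checks only when invoked with an argument, e.g.
#   sh preflight.sh /etc/pve/.le/account.key
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

    Note that the port check only tells you nothing on the node itself holds port 80; as fabian points out above, a firewall between the node and the public internet can still block the validation request, and the script cannot see that.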
  18. RedneckBob

    RedneckBob New Member
    Proxmox Subscriber

    Joined:
    Dec 22, 2014
    Messages:
    27
    Likes Received:
    6
    This is fantastic, thanks!
     
  19. snowman66

    snowman66 Member

    Joined:
    Dec 1, 2010
    Messages:
    254
    Likes Received:
    1
    After renewal: I open browser I get SSL error/mismatch, which says that certificate is issued for mydomain.com but I'm trying to reach mydomain-pve1.mydomain.com. Can I add domain argument in cron job or set default cert. for pveproxy that will point to subdomain mydomain-pve1.mydomain.com and not mydomain.com when I run renewal?

    [jul 13 18:59:01 CEST 2016] Renew: mydomain-pve1.mydomain.com
    [jul 13 18:59:01 CEST 2016] Skip, Next renewal time is: sep 29 05:44:25 UTC 2016
    [jul 13 18:59:01 CEST 2016] Skipped mydomain-pve1.mydomain.com
    [jul 13 18:59:01 CEST 2016] Renew: mydomain.com
    [jul 13 18:59:01 CEST 2016] Skip, Next renewal time is: sep 29 05:44:43 UTC 2016
    [jul 13 18:59:01 CEST 2016] Skipped mydomain.com

     
  20. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,195
    Likes Received:
    494
    If you follow the instructions, you will get a certificate that works - not sure what you did.. you can always delete the existing files and start from scratch..
     