Let’s Encrypt with Proxmox VE

Any ideas why this isn't being scripted fully? I mean, proxmox is obviously a controlled environment, so it's not like there are variations.
 
better (and GUI) integration would be nice, I agree.
 
GUI for what? Shouldn't be any configuration needed.

enabling "Let's Encrypt" mode for a node, and reverting back to self signed (at least).
 
Hello,

We have HA configured between 2 nodes in Proxmox 4.2, but an issue came up: the node which contains the VM reloaded and the other node is up.

When we change node to node 2, node 2 starts reloading and node 1 is up.

please help on that

-Aniket
 
This is how I did it on four nodes:

https://blog.k0nsl.org/2016/09/01/lets-encrypt-tls-ssl-for-proxmox-ve/

Best wishes,
-k0nsl

please don't post wrong information on the internet ;) there is a documented way to get Proxmox to use third party certificates for the web interface, including ones issued by Let's Encrypt: https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer)

just replacing the self-signed certificates creates problems - for example, adding new nodes and spice are broken.
 
I see. Thank you for correcting me. I had only tried this on separate nodes and that works fine and doesn't break anything — it hasn't for me, anyway.
I'll try to follow the guide on the Proxmox VE Wiki next time.

[EDIT: I've added a small note in the blog post about what you wrote, Fabian.]

Thanks.
-k0nsl

Hi there, I've successfully updated a certificate for one server, but for another one it updates but it seems not to be recognized by the proxmox proxy.
The issuing of the certificate went fine.

this is the log,

Sep 27 10:25:51 XXXXXXX systemd[1]: Starting PVE API Proxy Server...
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: starting server
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: starting 3 worker(s)
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: worker 6217 started
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: worker 6218 started
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: worker 6219 started
Sep 27 10:25:51 XXXXXXX systemd[1]: Started PVE API Proxy Server.

and there's no sign that it's using the certificate, in fact it does not work.

the only difference between the two servers is the version. the one not working correctly is: pve-manager/4.1-5/f910ef5c (running kernel: 4.2.6-1-pve)

any idea if there's something more to set in order to let the proxy recognize the certificate?
 
I've successfully followed the instructions and am happily using my letsencrypt certificate but I have a few questions left:

- how come authentication via port 80 worked? I am not blocking it but neither was I aware there was anything running as proxmox is running on port 8006 so how does this work?
- can someone look at the cron job given in the wiki? That looks very dodgy to me, feels like a few too many "s are in there. Original:
Code:
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
works for me:
Code:
0 0 * * * /root/.acme.sh/acme.sh --cron --home /root/.acme.sh > /dev/null
 
Hi,
acme.sh opens port 80 during runtime.

Udo
 
I've successfully followed the instructions and am happily using my letsencrypt certificate but I have a few questions left:

- how come authentication via port 80 worked? I am not blocking it but neither was I aware there was anything running as proxmox is running on port 8006 so how does this work?

like udo said - acme.sh temporarily runs a small webserver (it's actually just netcat ;)) to do the verification, at least when called in standalone mode.

- can someone look at the cron job given in the wiki? That looks very dodgy to me, feels like a few too many "s are in there. Original:
Code:
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
works for me:
Code:
0 0 * * * /root/.acme.sh/acme.sh --cron --home /root/.acme.sh > /dev/null

the quotes are there for the usual reason - mainly to escape whitespace in paths. it's perfectly okay to mix quoted and unquoted strings like that - acme.sh knows that its script has a file name without spaces, so it only escapes the rest of the path (which is user-controlled).
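To make concrete what fabian describes about the temporary listener, here is an added example (not acme.sh's own code, and not posted in this thread) of the HTTP-01 responder a standalone ACME client runs on port 80: the CA requests /.well-known/acme-challenge/<token> and must get back the matching key authorization string; any other path gets a 404. The token and thumbprint values, and the ephemeral localhost port used by the demo, are constructed placeholders; the real listener binds port 80 on all interfaces, which is why that port must be free and reachable from the internet while the challenge runs.

```python
"""Minimal HTTP-01 challenge responder (added example, not acme.sh's code).

The routing decision is kept in a pure function so it can be checked without
binding a socket; ChallengeHandler wraps it in Python's stdlib HTTP server.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import threading
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample: token -> key authorization (token "." account-key thumbprint).
# Real values come from the ACME server and the client's account key.
CHALLENGES = {
    "examplet0ken": "examplet0ken.exampleThumbprint",
}


def respond(path, challenges):
    """Return (status, body_bytes) for a request path.

    Only an exact, bare token under the challenge prefix is answered; nested
    paths, query strings and unknown tokens get a 404 so the listener never
    serves anything except the key authorizations it was started with.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, b"not found\n"
    token = path[len(CHALLENGE_PREFIX):]
    if not token or "/" in token or "?" in token:
        return 404, b"not found\n"
    key_auth = challenges.get(token)
    if key_auth is None:
        return 404, b"not found\n"
    return 200, key_auth.encode("ascii")


class ChallengeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = respond(self.path, CHALLENGES)
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the demo quiet; a real client would log each validation request.
        pass


def demo(port=0):
    """Serve on an ephemeral localhost port, fetch the challenge path once as
    the CA would, shut the listener down and return (status, body_text)."""
    server = HTTPServer(("127.0.0.1", port), ChallengeHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        url = "http://127.0.0.1:%d%sexamplet0ken" % (server.server_port, CHALLENGE_PREFIX)
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("ascii")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The listener only needs to exist for the few seconds between the client telling the CA "the challenge is ready" and the CA's validation request; that is the window in which port 80 is claimed, and anything else already bound to it (or a firewall dropping inbound 80) makes the standalone method fail.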
 
thanks @fabian, the point is that beneath that, it said to test and that didn't work so I changed my cronjob. Does this work for you?
Code:
It's a good idea to test the cron entry by running it manually from the command line to check that it's working OK:

"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
 
what was the error message?
 
@fabian : sorry, the mistake was sitting in front of the PC this time :-(
I assumed the outer "" were part of the quote so I tried:
Code:
/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh
I just realized it actually works exactly as suggested in the wiki.

Sorry for the fuss, just wanted to make sure the wiki is correct.
 
no problem, now I see how that can be confusing - I will add a small hint!
 
I have followed the steps in the guide (https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer)#Prerequisites) and I have gotten to step 5, where it says to execute acme.sh --issue --standalone --keypath /etc/pve/local/pveproxy-ssl.key --fullchainpath /etc/pve/local/pveproxy-ssl.pem --reloadcmd "systemctl restart pveproxy" -d $DOMAIN and it says
[Tue Feb 21 00:06:40 EST 2017] Standalone mode.
[Tue Feb 21 00:06:40 EST 2017] LISTEN 0 128 :::80 :::* users:(("apache2",pid=13662,fd=4),("apache2",pid=13661,fd=4),("apache2",pid=1240,fd=4))
[Tue Feb 21 00:06:40 EST 2017] tcp port 80 is already used by 80
[Tue Feb 21 00:06:40 EST 2017] Please stop it first
[Tue Feb 21 00:06:40 EST 2017] _on_before_issue.
Does anyone know how to resolve this?
 
Hi,
you already have a program running which binds port 80.

Look with
Code:
ss -patn | grep 80
which program uses port 80 and stop it.

Udo
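As an added example (not from this thread, not part of acme.sh or Proxmox), here is a small parser for the `ss -patn` style output quoted above that reports which processes are listening on a given port. The sample output is constructed to resemble the apache2 line in the error message; note that a plain `grep 80` also matches the pveproxy listener on 8006 and any PID containing "80", so the code matches the local-address port column exactly instead.

```python
"""Find the listeners on a TCP port from `ss -patn` output (added example).

The SAMPLE_SS text is constructed for this example; live_check() runs the
real `ss -ltnp` command and needs root to see the process column.
"""
import re
import subprocess

SAMPLE_SS = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN  0      128    *:8006              *:*                users:(("pveproxy",pid=6216,fd=6))
LISTEN  0      128    :::80               :::*               users:(("apache2",pid=1240,fd=4),("apache2",pid=13661,fd=4))
ESTAB   0      0      192.0.2.10:22       198.51.100.7:51802 users:(("sshd",pid=1801,fd=3))
"""

# One ("name",pid=N,fd=M) group inside the users:(...) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def listeners_on_port(ss_output, port):
    """Return sorted (process, pid) pairs in LISTEN state on `port`.

    Only the local address column is inspected, and the port must match
    exactly, so 8006 never counts as 80 and peer ports are ignored.
    """
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        # Port is whatever follows the last ':' ("*:8006", ":::80", "[::]:80").
        lport = local.rsplit(":", 1)[-1]
        if not lport.isdigit() or int(lport) != port:
            continue
        for name, pid in PROC_RE.findall(line):
            found.add((name, int(pid)))
    return sorted(found)


def port_is_free(ss_output, port=80):
    """True when nothing listens on the port, i.e. standalone mode can bind it."""
    return not listeners_on_port(ss_output, port)


def live_check(port=80):
    """Run ss on this host and return the listeners on `port`."""
    out = subprocess.run(["ss", "-ltnp"], capture_output=True,
                         text=True, check=True).stdout
    return listeners_on_port(out, port)


if __name__ == "__main__":
    print("sample listeners on 80:", listeners_on_port(SAMPLE_SS, 80))
    print("sample port 80 free:", port_is_free(SAMPLE_SS))
```

Run it as root before `acme.sh --issue --standalone`; if it reports a listener, stop that service for the duration of the challenge (or use a webroot/DNS method instead of standalone) rather than trying to share the port.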
 