Proxmox could use certbot (https://certbot.eff.org/) ;)
Hi, I guess with Proxmox hosts behind a firewall and in private IP space, Let's Encrypt does not work. Am I right? So if I have host.internal.domain with 10.x.x.x, is there a best practice to get a Proxmox cluster working with Let's Encrypt behind a firewall?
Hi, thx.
You have to have split DNS though, I guess? So if I have the host pve01.company.domain pointing to 10.x.x.x on our external DNS, which is never resolvable, it won't work, right? Or are you issuing the same cert to all hosts in the cluster? E.g. do you define, for instance, proxmox.company.domain to an official IP and let every Proxmox host use the same hostname for the certificate?
Thx
Cool, I just saw that acme.sh will support dns-01 mode, which doesn't rely on port 80. Will try and report back!
Hi,
I use Let's Encrypt with my own script, slightly different from the pve-wiki version.
All node hostnames (plus one cluster address) are CNAMEs to the haproxy on the external DNS, like:
pve.domain.org IN CNAME proxy.domain.org.
pve-a.domain.org IN CNAME proxy.domain.org.
pve-b.domain.org IN CNAME proxy.domain.org.
pve-c.domain.org IN CNAME proxy.domain.org.
The haproxy forwards all HTTP requests for these addresses to the first pve node.
The script on this node builds one certificate with all addresses included (this is different from the normal pve way).
So all cluster nodes use the same certificate, and I can access pve.domain.org:8006 (internally or externally) via haproxy; the target is one of the nodes, and all have a valid certificate, regardless of whether pve-a or pve-c is the target.
Udo
Hi,
Udo, would you mind sharing the script?
#!/bin/bash
#
# le_cert_renew.sh: renew certificates if necessary
# (ul) 20161029 first version
#
# start a simple http server that serves the challenge files acmefetch writes
cd /opt/acmefetch/www || exit 1
python3 -m http.server 8080 &
http_pid=$!
/opt/acmefetch/bin/acmefetch --cfg=/opt/acmefetch/etc/acmefetch.cfg
# stop the http server
kill "$http_pid"
# on the first run pveproxy-ssl.key doesn't exist yet
if [[ ! -e /etc/pve/local/pveproxy-ssl.key ]]
then
    touch /etc/pve/local/pveproxy-ssl.key
fi
# diff -q prints a line only when the files differ, i.e. when acmefetch produced a new key
if [[ $(diff -q /etc/ssl/private/pveproxy-ssl.key /etc/pve/local/pveproxy-ssl.key) ]]
then
    nodes=$(ls /etc/pve/nodes)
    for i in $nodes
    do
        # put key and cert+chain into the cluster filesystem for every node, then restart pveproxy there
        [[ -e /etc/ssl/private/pveproxy-ssl.key ]] && cp -p /etc/ssl/private/pveproxy-ssl.key /etc/pve/nodes/$i/
        [[ -e /etc/ssl/certs/pveproxy-ssl.pem ]] && cat /etc/ssl/certs/pveproxy-ssl.pem > /etc/pve/nodes/$i/pveproxy-ssl.pem
        [[ -e /etc/ssl/certs/pveproxy-ssl-chain.pem ]] && cat /etc/ssl/certs/pveproxy-ssl-chain.pem >> /etc/pve/nodes/$i/pveproxy-ssl.pem
        ssh "$i" service pveproxy restart
    done
fi
Hi, how can I secure the connection?
Hi,
you must use the FQDN that is in the cert.
pve isn't enough. Must be something like pve.domain.tld.
Udo
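Udo's script above copies whatever acmefetch produced straight into /etc/pve/nodes and restarts pveproxy, and his reply just above says the name you connect with must be in the cert. The following is an added example, not code from the thread: it performs the two pre-flight checks a practitioner would want before distributing a renewed certificate to the cluster, namely that every node FQDN (plus the cluster address) is in the certificate's subjectAltName and that the private key actually belongs to the certificate. It needs OpenSSL 1.1.1 or newer for `-ext` and `-addext`; the node directory layout, domain names and the use of a self-signed sample certificate are assumptions for the demo.

```shell
#!/bin/bash
# Added example (not from the original thread): check a renewed Let's Encrypt
# certificate before pushing it to every node directory, mirroring the loop in
# the posted le_cert_renew.sh. Hostnames and the nodes-dir layout are assumptions.
set -u

# Print the DNS names from the certificate's subjectAltName, one per line.
san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Return 0 if every hostname given after the cert path is in its SAN list.
cert_covers_hosts() {
    local cert=$1; shift
    local names missing=0 h
    names=$(san_names "$cert")
    for h in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF "$h"; then
            echo "missing SAN: $h" >&2
            missing=1
        fi
    done
    return $missing
}

# Return 0 if the public key in the cert matches the private key (compare SHA-256 of the SPKI).
key_matches_cert() {
    local cert=$1 key=$2 a b
    a=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Install cert+chain and key into each node directory below $1 (the /etc/pve/nodes
# equivalent), as the thread's script does, but only after both checks pass.
install_to_nodes() {
    local nodes_dir=$1 cert=$2 chain=$3 key=$4 domain=$5 cluster=$6
    local hosts=() n
    for n in "$nodes_dir"/*/; do
        hosts+=("$(basename "$n").$domain")   # node dir name + domain = node FQDN
    done
    cert_covers_hosts "$cert" "$cluster" "${hosts[@]}" || return 1
    key_matches_cert "$cert" "$key" || { echo "key does not match cert" >&2; return 1; }
    for n in "$nodes_dir"/*/; do
        cat "$cert" "$chain" > "$n/pveproxy-ssl.pem"
        install -m 0600 "$key" "$n/pveproxy-ssl.key"
    done
}

# Constructed sample input: a self-signed cert carrying the thread's hostnames as SANs,
# a matching key, a stand-in chain file and a second, unrelated key for the negative case.
make_sample() {
    local dir=$1
    mkdir -p "$dir/nodes/pve-a" "$dir/nodes/pve-b"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -subj "/CN=pve.domain.org" \
        -addext "subjectAltName=DNS:pve.domain.org,DNS:pve-a.domain.org,DNS:pve-b.domain.org" \
        >/dev/null 2>&1
    cp "$dir/cert.pem" "$dir/chain.pem"
    openssl genpkey -algorithm RSA -out "$dir/otherkey.pem" >/dev/null 2>&1
}

# Usage on a real cluster would be, for example:
#   install_to_nodes /etc/pve/nodes /etc/ssl/certs/pveproxy-ssl.pem \
#       /etc/ssl/certs/pveproxy-ssl-chain.pem /etc/ssl/private/pveproxy-ssl.key \
#       domain.org pve.domain.org && for n in /etc/pve/nodes/*/; do ssh "$(basename "$n")" service pveproxy restart; done
```

Adding a node directory that the certificate does not cover makes `install_to_nodes` refuse to install anything, which is the failure you want: with the thread's script, that node would silently keep serving a certificate without its own name, and browsers would reject it exactly as in the "pve isn't enough" case.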
# fetch over https; the archive unpacks into ./acme.sh-master
wget https://github.com/Neilpang/acme.sh/archive/master.tar.gz -O - | tar xz
cd acme.sh-master && ./acme.sh --install   # installs to ~/.acme.sh and adds acme.sh to the shell profile
acme.sh --upgrade --auto-upgrade