Let’s Encrypt with Proxmox VE

[rafafell]

Proxmox could use a certbot (https://certbot.eff.org/);)

 

[fabian]

Proxmox could use a certbot (https://certbot.eff.org/);)

acme.sh is much much smaller and simpler to use IMHO. but if you want, you can use certificates by any other CA, or certificates from Let's Encrypt which you retrieved manually or with another client (such as certbot) - just make sure to put the certificate chain and key into the correct place, and restart pveproxy afterwards - as described in the HowTo in the wiki.

 

[mruepp]

I guess with proxmox hosts behind firewall and private ip space, letsencrypt does not work. Am I right? So if i have host.internal.domain with 10.x.x.x, is there a best practice to get a proxmox cluster working with lets encrypt behind firewall?

 

[udo]

I guess with proxmox hosts behind firewall and private ip space, letsencrypt does not work. Am I right? So if i have host.internal.domain with 10.x.x.x, is there a best practice to get a proxmox cluster working with lets encrypt behind firewall?

Hi,
it's work with port-forwarding (if you have enough IPs for all hosts), but you can also use an proxy for that (only one IP needed). I use haproxy for this.

Udo

 

[mruepp]

Hi, thx.

You have to have Split DNS though, I guess? So if i have host pve01.company.domain pointing to 10.x.x.x on our external dns which is never resolvable, it won´t work, right? Or are you issuing the same cert to all hosts in the cluster? E.g. do you define for instance proxmox.company.domain to official ip and let every proxmox host use the same hostname for the certificate?

Thx

 

[mruepp]

Cool I just saw that acme.sh will support dns-01 mode which doesnt rely on port 80. Will try and report back!

 

[udo]

Hi, thx.

You have to have Split DNS though, I guess? So if i have host pve01.company.domain pointing to 10.x.x.x on our external dns which is never resolvable, it won´t work, right? Or are you issuing the same cert to all hosts in the cluster? E.g. do you define for instance proxmox.company.domain to official ip and let every proxmox host use the same hostname for the certificate?

Thx

Hi,
i use letsencrypt with an own script - slightly different to the pve-wiki-version.
All node-hostnames (plus one clusteraddress) are cnames to the haproxy on the external DNS - like:

pve.domain.org IN CNAME proxy.domain.org.
pve-a.domain.org IN CNAME proxy.domain.org.
pve-b.domain.org IN CNAME proxy.domain.org.
pve-c.domain.org IN CNAME proxy.domain.org.

the haproxy forward all http-request for this adresses to the first pve-node.
The script on this node build one certificate, with all adresses included (this is different to the normal pve-way).

So all cluster-nodes use the same certificate - and I can access pve.domain.org:8006 (internaly or externaly) via haproxy and the target is one of the nodes - and all have an valid certificate - equal if pve-a or pve-c is the target.

Udo

 

[fabian]

Cool I just saw that acme.sh will support dns-01 mode which doesnt rely on port 80. Will try and report back!

just be aware that certificates need to be renewed every X weeks - you really want to automate the renewal and re-deployment

 

[mruepp]

Yes, acme.sh supports route53 or other dns providers which provides fully automated renewal by creating txt records automatically

 

[Dura]

I enabled ssl with Certbot for my website, it was not that straightforward. Would it be better to use this solution? Why? How?

 

[Chiaki]

I'm having problems renewing my certificate with acme.sh ...

I get a 400 bad request when the verification should happen.

I have no firewall running, so the port shouldn't be blocked.

Anyone else having problems?

 

[bboy8012]

U

Hi,
i use letsencrypt with an own script - slightly different to the pve-wiki-version.
All node-hostnames (plus one clusteraddress) are cnames to the haproxy on the external DNS - like:

pve.domain.org IN CNAME proxy.domain.org.
pve-a.domain.org IN CNAME proxy.domain.org.
pve-b.domain.org IN CNAME proxy.domain.org.
pve-c.domain.org IN CNAME proxy.domain.org.

the haproxy forward all http-request for this adresses to the first pve-node.
The script on this node build one certificate, with all adresses included (this is different to the normal pve-way).

So all cluster-nodes use the same certificate - and I can access pve.domain.org:8006 (internaly or externaly) via haproxy and the target is one of the nodes - and all have an valid certificate - equal if pve-a or pve-c is the target.

Udo

Udo, would you mind sharing the script?

 

[udo]

U

Udo, would you mind sharing the script?

Hi,
yes of course

#!/bin/bash
#
# le_cert_renew.sh renew certificates if nessesary
# (ul) 20161029 first version

# start simple http-server
cd /opt/acmefetch/www
python3 -m http.server 8080&
http_pid=\$(ps aux | grep "python3 -m http.server 8080" | grep -v grep | awk '{ print \$2 }')


/opt/acmefetch/bin/acmefetch --cfg=/opt/acmefetch/etc/acmefetch.cfg

# stop http-server
kill \$http_pid

# at the first run pveproxy-ssl.key don't excist
if [[ ! -e /etc/pve/local/pveproxy-ssl.key ]]
then
  touch /etc/pve/local/pveproxy-ssl.key
fi

if [[ \$(diff -q /etc/ssl/private/pveproxy-ssl.key /etc/pve/local/pveproxy-ssl.key) ]]
 then
   nodes=\$(ls /etc/pve/nodes)
   for i in \$nodes
    do
     [[ -e /etc/ssl/private/pveproxy-ssl.key ]] && cp -p /etc/ssl/private/pveproxy-ssl.key /etc/pve/nodes/\$i/
     [[ -e /etc/ssl/certs/pveproxy-ssl.pem ]] && cat /etc/ssl/certs/pveproxy-ssl.pem > /etc/pve/nodes/\$i/pveproxy-ssl.pem
     [[ -e /etc/ssl/certs/pveproxy-ssl-chain.pem ]] && cat /etc/ssl/certs/pveproxy-ssl-chain.pem >> /etc/pve/nodes/\$i/pveproxy-ssl.pem
     ssh \$i service pveproxy restart
   done
fi

This script based on acmefetch from Tobi Oetiker (download the latest version https://github.com/oetiker/AcmeFetch/releases/latest)

Udo

 

[hellooperator]

I have let's encrypt working (home server with DDNS) but my acme.sh script is putting the certificate in the Wordpress directory.

I don't know how or where to put the key so the console will work on an iPad (safari)


Currently,

* PVE manager comes up properly with a secure lock icon https://mydomain.com:8006 works
* any attempt to use a no vnc console says "failed to connect to server"
* no vnc works OK from a computer running chrome inside the network after accepting a self signed cert. iPad or iPhone, no workee.
* the cert script is running in a container inside proxmox. TBH, I don't know how to move it securely and to have that recur.

 

[bofh]

@hello

ofc its not working. novnc is just a vnc client that need to connect to the vnc port

that said.
using letsencrypt makes no that much sense except you have customer wanna access your host.
it wont anything to security, in contrary a privatly signed cert if done right is always more secure than a public cert, its just not authenticated to the public.
but if you can prevent it never access the host from the internet

 

[cmonty14]

Hi!
I want to use my CAs created with Certbot for Let's Encrypt.
The PVE server is not accessible from internet but locally only.

I followed the instructions in Wiki to copy the LE certificates (fullchain.pem and privkey.pem) to the target directory /etc/pve/nodes/<node>/:
mv fullchain.pem /etc/pve/nodes/<node>/pveproxy-ssl.pem
mv privkey.pem /etc/pve/nodes/<node>/pveproxy-ssl.key

After restarting service pveproxy there's no error reported:
Dez 29 18:02:28 pc4-svp systemd[1]: Stopped PVE API Proxy Server.
Dez 29 18:02:28 pc4-svp systemd[1]: Starting PVE API Proxy Server...
Dez 29 18:02:29 pc4-svp pveproxy[30298]: Using '/etc/pve/local/pveproxy-ssl.pem' as certificate for the web interf
Dez 29 18:02:29 pc4-svp pveproxy[30319]: starting server
Dez 29 18:02:29 pc4-svp pveproxy[30319]: starting 3 worker(s)
Dez 29 18:02:29 pc4-svp pveproxy[30319]: worker 30320 started
Dez 29 18:02:29 pc4-svp pveproxy[30319]: worker 30321 started
Dez 29 18:02:29 pc4-svp pveproxy[30319]: worker 30322 started
Dez 29 18:02:29 pc4-svp systemd[1]: Started PVE API Proxy Server.

However, when I open the WebUI using this URL https://<PVE-hostname>:8006/ I still get this warning in browser (e.g. Firefox): Connection is not secured

How can I secure the connection?

THX

 

[udo]

How can I secure the connection?

Hi,
you must use the fqdn which are in the cert.

pve isn't enough. Must be something like pve.domain.tld.

Udo

 

[cmonty14]

Hi,
you must use the fqdn which are in the cert.

pve isn't enough. Must be something like pve.domain.tld.

Udo

Solved!
THX

 

[harvie]

I wish i could obtain letsencrypt certificates from PVE web UI.

 

[esrevart]

Change suggestions for the wiki instructions after following them on a fresh PVE 5.3 install:

1) Install acme.sh: neither git nor unzip are installed by default, so a better one-liner that works to download and extract the archive is:

wget github.com/Neilpang/acme.sh/archive/master.tar.gz -O - | tar xz

5) Issue your first certificate:

• mention the recently added support for wildcard certs (use -d *.domain to enable it)
• mention ECDSA cert support (add --keylength ec-{256,384})

Updating acmesh: mention auto-upgrade support

acme.sh --upgrade --auto-upgrade

(parameter is set in /etc/pve/.le/account.conf)

I wanted to edit the wiki to add them myself, but that's when I realized it wasn't open to registration (which is a good thing actually )

Thanks

PS: I had included links to the sources of the changes I mention (wildcart cert, ECDSA and auto-upgrade support) but as I just registered I'm not authorized to post external links. So here they go in "obfuscated" form (no https and no embedded link is enough it seems):

community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579
github.com/Neilpang/acme.sh#10-issue-wildcard-certificates
github.com/Neilpang/acme.sh#9-issue-ecc-certificates
github.com/Neilpang/acme.sh#13-how-to-upgrade-acme.sh