Let’s Encrypt with Proxmox VE

I'm a bit confused about step 4 of the instructions. They say you need to use the firewall to "allow traffic to port 80". I'm not sure I understand that. The firewall on a default installation is off, isn't it? Even if it wasn't, what needs to "allow" it? Nothing is listening on port 80. Do you mean outbound traffic?
 
Hi jonathan

The LE client will listen for a request from the LE servers to verify that you indeed are at that IP address with that hostname.

So you should allow traffic to and from your Proxmox install on port 80 while you are running this process.

B
 
Oh I see. But the default for PVE is that the firewall is off, no? So having to open up port 80 for the LE client (and presumably also for renewal - would you need to modify the renewal script to do that?) is only for the minority, I assume.
 
Oh I see. But the default for PVE is that the firewall is off, no? So having to open up port 80 for the LE client (and presumably also for renewal - would you need to modify the renewal script to do that?) is only for the minority, I assume.

This does not only concern the Proxmox firewall, but any firewall in between the node and the public internet. So yes, while Proxmox itself does not block this (by default), a site / data center / .. firewall might, so I figured it's better to warn upfront than fail when verifying. Better wording is of course always welcome ;)
 
I will update the wiki article later today with the new repository URI and option syntax.
 
Wiki updated for acme.sh - the configuration migration from le.sh to acme.sh seems to work without problems, if you experience any issues please report back.

No more manual fiddling with configuration files or cron jobs necessary, the install command now allows setting the config path, account key path and email address directly on the command line :)
 
root@sa223:~/acme.sh-master# acme.sh --issue --standalone --keypath /etc/pve/local/pveproxy-ssl.key --fullchainpath /etc/pve/local/pveproxy-ssl.pem --reloadcmd "systemctl restart pveproxy" -d www.domain.com
[So 24. Apr 23:44:57 CEST 2016] Standalone mode.
[So 24. Apr 23:44:58 CEST 2016] Only RSA or EC key is supported.

What's wrong?
No firewall or iptables active.


netstat -tulpn | grep :80
tcp 0 0 0.0.0.0:8006 0.0.0.0:* LISTEN 17474/pveproxy
 
Is that the complete output? Does the acme.sh script hang at that point or exit? If you add "--debug" to the command line it will print detailed output of the individual steps; you could post that here (but make sure that it does not contain your private account or certificate keys).
 
Yes, that's the complete output.
Here the output with --debug:

Code:
root@sa223:~/acme.sh-master# acme.sh --issue --standalone --keypath /etc/pve/local/pveproxy-ssl.key --fullchainpath /etc/pve/local/pveproxy-ssl.pem --reloadcmd "systemctl restart pveproxy" -d www.domain.de --debug
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.conf:1:Le_Domain=www.domain.de
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:2:Le_Alt=no
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:3:Le_Webroot=no
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.conf:4:Le_Keylength=no
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:5:Le_RealCertPath="no"
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:6:Le_RealCACertPath="no"
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/wwwdomain.de /www.domain.de.conf:7:Le_RealKeyPath="/etc/pve/local/pveproxy-ssl.key"
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.sa223.saturn.fastwebserver.de.conf:8:Le_ReloadCmd="systemctl restart pveproxy"
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.conf:9:Le_RealFullChainPath="/etc/pve/local/pveproxy-ssl.pem"
[Mo 25. Apr 07:56:30 CEST 2016] Standalone mode.
[Mo 25. Apr 07:56:30 CEST 2016] /root/.acme.sh/www.domain.de /www.domain.de.conf:10:Le_HTTPPort=80
[Mo 25. Apr 07:56:30 CEST 2016] Using: ss
[Mo 25. Apr 07:56:30 CEST 2016] Only RSA or EC key is supported.
 
Is either your account key ("/etc/pve/.le/account.key") or your domain key ("/root/.acme.sh/www.domain.de/www.domain.de.key") empty or broken? Did a previous run of acme.sh exit with errors?
 
Yea, the account.key in "/etc/pve/.le/account.key" is empty, but acme never exited with an error

Edit:

Ahh, deleting the empty account.key and running the install script again solved the problem.
Thank you
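The empty account.key diagnosed above is the kind of thing worth catching before acme.sh is even started. This is an added pre-flight script, not part of the thread or of acme.sh; the key paths are the ones quoted in the posts and are assumptions for your node, and the port check assumes ss or netstat is installed.

```shell
#!/bin/sh
# Added example: sanity checks before "acme.sh --issue --standalone" on a
# Proxmox VE node. Paths are assumptions taken from the thread; override via env.
ACCOUNT_KEY="${ACCOUNT_KEY:-/etc/pve/.le/account.key}"
DOMAIN_KEY="${DOMAIN_KEY:-/root/.acme.sh/www.domain.de/www.domain.de.key}"

# pem_key_ok FILE: 0 if FILE is a non-empty PEM private key (and, when
# openssl is installed, one it can parse); 1 otherwise. A zero-byte
# account.key is what produced "Only RSA or EC key is supported" above.
pem_key_ok() {
    f="$1"
    [ -s "$f" ] || { echo "key missing or empty: $f" >&2; return 1; }
    head -n 1 "$f" | grep -q -- '-----BEGIN .*PRIVATE KEY-----' \
        || { echo "not a PEM private key: $f" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        openssl pkey -noout -in "$f" >/dev/null 2>&1 \
            || { echo "openssl cannot parse key: $f" >&2; return 1; }
    fi
    return 0
}

# port80_free: 0 if no TCP listener is bound to port 80, so standalone mode
# (which runs its own HTTP-01 responder) can bind it.
port80_free() {
    if command -v ss >/dev/null 2>&1; then
        ! ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ':80$'
    else
        ! netstat -tln 2>/dev/null | awk '{print $4}' | grep -q ':80$'
    fi
}

# preflight: check existing key files and port 80; keys that do not exist
# yet are skipped because acme.sh will create them.
preflight() {
    rc=0
    for k in "$ACCOUNT_KEY" "$DOMAIN_KEY"; do
        [ -e "$k" ] || continue
        pem_key_ok "$k" || rc=1
    done
    port80_free || { echo "port 80 already in use" >&2; rc=1; }
    return $rc
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as `sh preflight.sh --run` right before the acme.sh command; a non-zero exit names the offending key file or the port conflict.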
 
After renewal: when I open the browser I get an SSL error/mismatch, which says that the certificate is issued for mydomain.com but I'm trying to reach mydomain-pve1.mydomain.com. Can I add a domain argument in the cron job or set a default cert for pveproxy that will point to the subdomain mydomain-pve1.mydomain.com and not mydomain.com when I run renewal?

[jul 13 18:59:01 CEST 2016] Renew: mydomain-pve1.mydomain.com
[jul 13 18:59:01 CEST 2016] Skip, Next renewal time is: sep 29 05:44:25 UTC 2016
[jul 13 18:59:01 CEST 2016] Skipped mydomain-pve1.mydomain.com
[jul 13 18:59:01 CEST 2016] Renew: mydomain.com
[jul 13 18:59:01 CEST 2016] Skip, Next renewal time is: sep 29 05:44:43 UTC 2016
[jul 13 18:59:01 CEST 2016] Skipped mydomain.com

 
If you follow the instructions, you will get a certificate that works. I'm not sure what you did. You can always delete the existing files and start from scratch.
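The mismatch in the post above is easy to confirm on the node itself: compare the subjectAltName entries of the certificate pveproxy serves with the node's FQDN. This is an added check, not from the thread; the certificate path is the one quoted earlier, and the openssl/sed parsing of the SAN line is an assumption about its text output.

```shell
#!/bin/sh
# Added example: does /etc/pve/local/pveproxy-ssl.pem actually name this node?
CERT="${CERT:-/etc/pve/local/pveproxy-ssl.pem}"

# san_matches SAN_LIST HOST: 0 if HOST is covered by a subjectAltName list of
# the form "DNS:a.example, DNS:*.example" (exact match or a one-label
# wildcard, as browsers apply it); 1 otherwise.
san_matches() {
    san_list="$1"; host="$2"
    host_parent="${host#*.}"
    for entry in $(printf '%s\n' "$san_list" | tr ',' '\n'); do
        name="${entry#DNS:}"
        case "$name" in
            "$host") return 0 ;;
            \*.*) [ "${name#\*.}" = "$host_parent" ] \
                  && [ "$host_parent" != "$host" ] && return 0 ;;
        esac
    done
    return 1
}

# cert_sans CERT: print the SAN line of a PEM certificate (needs openssl).
cert_sans() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' | sed 's/^ *//'
}

# cert_covers_host CERT [HOST]: 0 if CERT names HOST (default: this node's
# FQDN, which is what the browser URL in the post above uses).
cert_covers_host() {
    host="${2:-$(hostname -f)}"
    sans="$(cert_sans "$1")"
    if san_matches "$sans" "$host"; then
        echo "ok: $1 covers $host"
    else
        echo "MISMATCH: $1 lists [$sans], but this node is $host" >&2
        return 1
    fi
}

if [ "${1:-}" = "--check" ]; then cert_covers_host "$CERT"; fi
```

A MISMATCH here means the renewal deployed the wrong domain's certificate into the pveproxy paths, regardless of what the cron output reports as skipped.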
 