Let’s Encrypt with Proxmox VE
- Thread starter martin
- Start date
enabling "Let's Encrypt" mode for a node, and reverting back to self signed (at least).
Hello,
We have HA confgured between 2 nodes in proxmox 4.2 but issue came node reload which containf Vm and another node is up.
When we change node to node 2. node 2 started reloading and bode 1 is up
please help on that
-Aniket
We have HA confgured between 2 nodes in proxmox 4.2 but issue came node reload which containf Vm and another node is up.
When we change node to node 2. node 2 started reloading and bode 1 is up
please help on that
-Aniket
This is how I did it on four nodes:
https://blog.k0nsl.org/2016/09/01/lets-encrypt-tls-ssl-for-proxmox-ve/
Best wishes,
-k0nsl
https://blog.k0nsl.org/2016/09/01/lets-encrypt-tls-ssl-for-proxmox-ve/
Best wishes,
-k0nsl
please don't post wrong information on the internet
there is a documented way to get Proxmox to use third party certificates for the web interface, including ones issued by Let's Encrypt: https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer)just replacing the self-signed certificates creates problems - for example, adding new nodes and spice are broken.
I see. Thank you for correcting me. I had only tried this on separate nodes and that works fine and doesn't break anything — it hasn't for me, anyway.
I'll try follow the guide on the Proxmox VE Wiki next time.
[EDIT: I've added a small note in the blog post about what you wrote, Fabian.]
Thanks.
-k0nsl
I'll try follow the guide on the Proxmox VE Wiki next time.
[EDIT: I've added a small note in the blog post about what you wrote, Fabian.]
Thanks.
-k0nsl
please don't post wrong information on the internet
just replacing the self-signed certificates creates problems - for example, adding new nodes and spice are broken.
Last edited:
Hi there, i've successfully update a certificate for one server, but for another one it updates but it seems not recognized by the proxmox proxy.
The issuing of the certifiacte went fine.
this is the log,
Sep 27 10:25:51 XXXXXXX systemd[1]: Starting PVE API Proxy Server...
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: starting server
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: starting 3 worker(s)
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: worker 6217 started
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: worker 6218 started
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: worker 6219 started
Sep 27 10:25:51 XXXXXXX systemd[1]: Started PVE API Proxy Server.
and there's no sign that it's using the certificate, in fact it does not work.
the only difference between the two server is the version. the one not working conrrectly is: pve-manager/4.1-5/f910ef5c (running kernel: 4.2.6-1-pve)
any idea if there's something more to set in order to let the proxy recognize the certificate?
The issuing of the certifiacte went fine.
this is the log,
Sep 27 10:25:51 XXXXXXX systemd[1]: Starting PVE API Proxy Server...
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: starting server
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: starting 3 worker(s)
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: worker 6217 started
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: worker 6218 started
Sep 27 10:25:51 XXXXXXX pveproxy[6216]: worker 6219 started
Sep 27 10:25:51 XXXXXXX systemd[1]: Started PVE API Proxy Server.
and there's no sign that it's using the certificate, in fact it does not work.
the only difference between the two server is the version. the one not working conrrectly is: pve-manager/4.1-5/f910ef5c (running kernel: 4.2.6-1-pve)
any idea if there's something more to set in order to let the proxy recognize the certificate?
I've successfully followed the instructions and am happily using my letsencrypt certificate but I have a few questions left:
- how come authentication via port 80 worked? I am not blocking it but neither was I aware there was anything running as proxmox is running on port 8006 so how does this work?
- can someone look at the cron job given in the wiki? That looks very dodgy to me, feels like a few too many "s are in there. Original:
works for me:
- how come authentication via port 80 worked? I am not blocking it but neither was I aware there was anything running as proxmox is running on port 8006 so how does this work?
- can someone look at the cron job given in the wiki? That looks very dodgy to me, feels like a few too many "s are in there. Original:
Code:
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
Code:
0 0 * * * /root/.acme.sh/acme.sh --cron --home /root/.acme.sh > /dev/nulllike udo said - acme.sh temporarily runs a small webserver (it's actually just netcat
) to do the verification, at least when called in standalone mode.the quotes are there for the usual reason - mainly to escape whitespace in paths. it's perfectly okay to mix quoted and unquoted strings like that - acme.sh knows that its script has a file name without spaces, so it only escapes the rest of the path (which is user-controlled).
thanks @fabian, the point is that beneath that, it said to test and that didn't work so I changed my cronjob. Does this work for you?
Code:
It's a good idea to test the cron entry by running it manually from the command line to check that it's working OK:
"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"@fabian : sorry, the mistake was sitting in front of the PC this time :-(
I assumed the outer "" were part of the quote so I tried:
I just realized it actually works exactly as suggested in the wiki.
Sorry for the fuss, just wanted to make sure the wiki is correct.
I assumed the outer "" were part of the quote so I tried:
Code:
/root/.acme.sh"/acme.sh --cron --home "/root/.acme.shSorry for the fuss, just wanted to make sure the wiki is correct.
I have followed the steps in the guide (https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer)#Prerequisites) I have gotten to step 5. where it say to exicute acme.sh --issue --standalone --keypath /etc/pve/local/pveproxy-ssl.key --fullchainpath /etc/pve/local/pveproxy-ssl.pem --reloadcmd "systemctl restart pveproxy" -d $DOMAIN and it says
Does anyone know who to resolve this?[Tue Feb 21 00:06:40 EST 2017] Standalone mode.
[Tue Feb 21 00:06:40 EST 2017] LISTEN 0 128 :::80 :::* users
[Tue Feb 21 00:06:40 EST 2017] tcp port 80 is already used by 80
[Tue Feb 21 00:06:40 EST 2017] Please stop it first
[Tue Feb 21 00:06:40 EST 2017] _on_before_issue.
Hi,
you have allready an program running, which bind port 80.
Look with
Code:
ss -patn | grep 80Udo