Let’s Encrypt with Proxmox VE

Proxmox could use certbot (https://certbot.eff.org/) ;)

acme.sh is much, much smaller and simpler to use IMHO. But if you want, you can use certificates by any other CA, or certificates from Let's Encrypt which you retrieved manually or with another client (such as certbot) - just make sure to put the certificate chain and key into the correct place, and restart pveproxy afterwards - as described in the HowTo in the wiki.
 
I guess with Proxmox hosts behind a firewall and in private IP space, Let's Encrypt does not work. Am I right? So if I have host.internal.domain with 10.x.x.x, is there a best practice to get a Proxmox cluster working with Let's Encrypt behind a firewall?
 
Hi,
it works with port forwarding (if you have enough IPs for all hosts), but you can also use a proxy for that (only one IP needed). I use haproxy for this.

Udo
 
Hi, thx.

You have to have split DNS though, I guess? So if I have host pve01.company.domain pointing to 10.x.x.x on our external DNS, which is never resolvable, it won't work, right? Or are you issuing the same cert to all hosts in the cluster? E.g. do you define for instance proxmox.company.domain to point to the official IP and let every Proxmox host use the same hostname for the certificate?

Thx
 
Cool, I just saw that acme.sh will support dns-01 mode, which doesn't rely on port 80. Will try and report back!
 
Hi,
I use Let's Encrypt with my own script - slightly different from the pve-wiki version.
All node hostnames (plus one cluster address) are CNAMEs to the haproxy on the external DNS - like:
Code:
pve.domain.org IN CNAME proxy.domain.org.
pve-a.domain.org IN CNAME proxy.domain.org.
pve-b.domain.org IN CNAME proxy.domain.org.
pve-c.domain.org IN CNAME proxy.domain.org.
The haproxy forwards all HTTP requests for these addresses to the first PVE node.
The script on this node builds one certificate with all addresses included (this is different from the normal PVE way).

So all cluster nodes use the same certificate - and I can access pve.domain.org:8006 (internally or externally) via haproxy, the target is one of the nodes, and all have a valid certificate - regardless of whether pve-a or pve-c is the target.

Udo
 

Just be aware that certificates need to be renewed every X weeks - you really want to automate the renewal and re-deployment.
 
Yes, acme.sh supports Route53 and other DNS providers, which gives fully automated renewal by creating the TXT records automatically.
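acme.sh's dns-01 mode works because the CA looks up a DNS TXT record instead of fetching a file over port 80, so nothing has to be reachable from the internet except the DNS zone. This added example (not from the thread or from acme.sh) derives that record with the Python standard library as RFC 8555 and RFC 7638 define it; the account key and token are sample values modelled on the RFC examples, not a real account.

```python
# Added example: how a dns-01 challenge is answered (RFC 8555 s8.4, RFC 7638).
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, in
    lexicographic order, without whitespace. Extra members (kid, alg) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """Return (TXT record name, TXT record value) for a dns-01 challenge.
    value = base64url(SHA-256(token "." thumbprint(account key))).
    For a wildcard identifier the leading "*." is dropped: *.domain.org is
    proven via _acme-challenge.domain.org, the same label as the bare name."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}", value


# Sample account key (public part only, from the RFC 7515 EC example) and a
# sample token: constructed demo values, not a real ACME account.
DEMO_JWK = {"kty": "EC", "crv": "P-256", "kid": "demo-account",
            "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
            "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
DEMO_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    # This is the record a DNS-API hook (e.g. acme.sh's Route53 hook) publishes.
    name, value = dns01_record("*.domain.org", DEMO_TOKEN, DEMO_JWK)
    print(f'{name}. IN TXT "{value}"')
```

The CA resolves the record through public DNS, so the zone's nameservers must be authoritative for the name while the Proxmox hosts themselves stay on 10.x.x.x.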
 
I enabled ssl with Certbot for my website, it was not that straightforward. Would it be better to use this solution? Why? How?
 
I'm having problems renewing my certificate with acme.sh ...

I get a 400 bad request when the verification should happen.

I have no firewall running, so the port shouldn't be blocked.

Anyone else having problems?
 
Udo, would you mind sharing the script?
 
Hi,
yes of course
Code:
#!/bin/bash
#
# le_cert_renew.sh renew certificates if necessary
# (ul) 20161029 first version

# start simple http-server that serves the http-01 challenge files
cd /opt/acmefetch/www || exit 1
python3 -m http.server 8080 &
http_pid=$!


/opt/acmefetch/bin/acmefetch --cfg=/opt/acmefetch/etc/acmefetch.cfg

# stop http-server
kill $http_pid

# at the first run pveproxy-ssl.key doesn't exist
if [[ ! -e /etc/pve/local/pveproxy-ssl.key ]]
then
  touch /etc/pve/local/pveproxy-ssl.key
fi

# deploy to all nodes only if the renewed key differs from the one in use
if [[ $(diff -q /etc/ssl/private/pveproxy-ssl.key /etc/pve/local/pveproxy-ssl.key) ]]
 then
   nodes=$(ls /etc/pve/nodes)
   for i in $nodes
    do
     [[ -e /etc/ssl/private/pveproxy-ssl.key ]] && cp -p /etc/ssl/private/pveproxy-ssl.key /etc/pve/nodes/$i/
     # pveproxy-ssl.pem must contain the certificate followed by the chain
     [[ -e /etc/ssl/certs/pveproxy-ssl.pem ]] && cat /etc/ssl/certs/pveproxy-ssl.pem > /etc/pve/nodes/$i/pveproxy-ssl.pem
     [[ -e /etc/ssl/certs/pveproxy-ssl-chain.pem ]] && cat /etc/ssl/certs/pveproxy-ssl-chain.pem >> /etc/pve/nodes/$i/pveproxy-ssl.pem
     ssh $i service pveproxy restart
   done
fi
This script is based on acmefetch by Tobi Oetiker (download the latest version from https://github.com/oetiker/AcmeFetch/releases/latest).

Udo
 
I have let's encrypt working (home server with DDNS) but my acme.sh script is putting the certificate in the Wordpress directory.

I don't know how or where to put the key so the console will work on an iPad (safari)


Currently,

* PVE manager comes up properly with a secure lock icon https://mydomain.com:8006 works
* any attempt to use a no vnc console says "failed to connect to server"
* no vnc works OK from a computer running chrome inside the network after accepting a self signed cert. iPad or iPhone, no workee.
* the cert script is running in a container inside proxmox. TBH, I don't know how to move it securely and to have that recur.
 
@hello

Of course it's not working. noVNC is just a VNC client that needs to connect to the VNC port.

That said,
using Let's Encrypt doesn't make that much sense unless you have customers who want to access your host.
It won't add anything to security; on the contrary, a privately signed cert, if done right, is always more secure than a public cert, it's just not authenticated to the public.
But if you can prevent it, never access the host from the internet.
 
Hi!
I want to use my CAs created with Certbot for Let's Encrypt.
The PVE server is not accessible from the internet, only locally.

I followed the instructions in Wiki to copy the LE certificates (fullchain.pem and privkey.pem) to the target directory /etc/pve/nodes/<node>/:
mv fullchain.pem /etc/pve/nodes/<node>/pveproxy-ssl.pem
mv privkey.pem /etc/pve/nodes/<node>/pveproxy-ssl.key


After restarting the pveproxy service, no error is reported:
Dez 29 18:02:28 pc4-svp systemd[1]: Stopped PVE API Proxy Server.
Dez 29 18:02:28 pc4-svp systemd[1]: Starting PVE API Proxy Server...
Dez 29 18:02:29 pc4-svp pveproxy[30298]: Using '/etc/pve/local/pveproxy-ssl.pem' as certificate for the web interf
Dez 29 18:02:29 pc4-svp pveproxy[30319]: starting server
Dez 29 18:02:29 pc4-svp pveproxy[30319]: starting 3 worker(s)
Dez 29 18:02:29 pc4-svp pveproxy[30319]: worker 30320 started
Dez 29 18:02:29 pc4-svp pveproxy[30319]: worker 30321 started
Dez 29 18:02:29 pc4-svp pveproxy[30319]: worker 30322 started
Dez 29 18:02:29 pc4-svp systemd[1]: Started PVE API Proxy Server.


However, when I open the WebUI using the URL https://<PVE-hostname>:8006/ I still get this warning in the browser (e.g. Firefox): Connection is not secured

How can I secure the connection?

THX
 

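A browser warning like the one above can have several causes even when pveproxy loads the file without error: the name typed into the URL is not in the certificate's SANs (a frequent case for an internal hostname), the chain is incomplete, or the certificate has expired. This added example (not from the thread or from Proxmox) performs the same verification a browser does against port 8006 and reports the verify error; the host name is a placeholder, and the SAN matcher can be run on its own.

```python
# Added example: verify a PVE web interface certificate the way a browser does.
import socket
import ssl


def hostname_covered(hostname: str, sans: list) -> bool:
    """RFC 6125-style check of a host name against DNS SANs. A wildcard covers
    exactly one label: *.domain.org covers pve-a.domain.org but neither
    domain.org nor x.pve-a.domain.org. Matching is case-insensitive."""
    host = hostname.rstrip(".").lower()
    for san in sans:
        san = san.rstrip(".").lower()
        if san.startswith("*."):
            suffix = san[1:]                      # ".domain.org"
            if host.endswith(suffix):
                left = host[: -len(suffix)]       # the label(s) matched by "*"
                if left and "." not in left:
                    return True
        elif san == host:
            return True
    return False


def check_pve_tls(host: str, port: int = 8006) -> str:
    """Connect using the system trust store (like a browser) and return a
    one-line diagnosis. verify_message names the failing check, e.g.
    'self-signed certificate', 'hostname mismatch' or 'certificate has expired'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return f"NOT TRUSTED: {e.verify_message} (verify code {e.verify_code})"
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("organizationName")
    return f"TRUSTED: issuer={issuer} notAfter={cert['notAfter']} SANs={sans}"


if __name__ == "__main__":
    # Placeholder host name; use the exact name you type into the browser.
    print(check_pve_tls("pve01.company.domain"))
```

If the output is a hostname mismatch, either add the internal name to the certificate (wildcard or extra -d entries) or access the node by the name the certificate carries.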
Change suggestions for the wiki instructions after following them on a fresh PVE 5.3 install:

1) Install acme.sh: neither git nor unzip are installed by default, so a better one-liner that works to download and extract the archive is:
Code:
wget github.com/Neilpang/acme.sh/archive/master.tar.gz -O - | tar xz
5) Issue your first certificate:
  • mention the recently added support for wildcard certs (use -d *.domain to enable it)
  • mention ECDSA cert support (add --keylength ec-{256,384})
Updating acme.sh: mention auto-upgrade support
Code:
acme.sh --upgrade --auto-upgrade
(parameter is set in /etc/pve/.le/account.conf)

I wanted to edit the wiki to add them myself, but that's when I realized it wasn't open to registration (which is a good thing actually ;))

Thanks

PS: I had included links to the sources of the changes I mention (wildcard cert, ECDSA and auto-upgrade support) but as I just registered I'm not authorized to post external links. So here they go in "obfuscated" form (no https and no embedded link is enough it seems):

community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579
github.com/Neilpang/acme.sh#10-issue-wildcard-certificates
github.com/Neilpang/acme.sh#9-issue-ecc-certificates
github.com/Neilpang/acme.sh#13-how-to-upgrade-acme.sh
 