Partly covered from german howto
https://www.deimeke.net/dirk/blog/index.php?/plugin/tag/letsencrypt
The installation is needed on one cluster-node only - in this example the nodes are pve-a, pve-b and pve-c.example.com .
The first nodes is reachable as 192.168.200.11
The DNS/Firewall must be configured, that pve.example.com, pve-a.example.com, pve-b.exapmle.com and pve-c.example.com are directed to the proxy-server with haproxy (cnames for dns).
Important 1! If you allready used letsencrypt with the "default" method it's very important to use the account.key from /etc/pve/.le/
Otherwise you are not able to get certificates with the same name as allready used!
Important 2!
run an backup of /etc/pve, like:
Code:
tar cvf /root/etc_pve.tar /etc/pve/
Preparations
Code:
# not nesseary if /etc/pve/.le/account.key excist!
mkdir /etc/pve/.le/
openssl genrsa 4096 > /etc/pve/.le/letsencrypt-pve.key
If you used letsencryt before, disable/delete the cronjob (crontab -e) about /root/.acme.sh !
To be sure, move the dir:
Code:
mv /root/.acme.sh /root/.acme.sh.old
Install needed tools:
Code:
apt install libssl-dev gcc unzip make
get AcmeFetch and install
Code:
# download the latest version https://github.com/oetiker/AcmeFetch/releases/latest
wget https://github.com/oetiker/AcmeFetch/releases/download/v0.5.0/acmefetch-0.5.0.tar.gz
tar xvzf acmefetch-0.5.0.tar.gz
cd acmefetch-0.5.0/
./configure --prefix=/opt/acmefetch
/usr/bin/make install
for security remove gcc+make again
steps for temporary webserver
Code:
mkdir -p /opt/acmefetch/www/.well-known/acme-challenge
cat > /opt/acmefetch/www/index.html << EOF
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
<title>temporary website</title>
<meta content="Author" name="pve"></head>
<body>Hello.<br>
The python httpd server is working.<br>
and waiting for letsencrypt<br>
</body></html>
EOF
create script to create/renew cert:
Code:
cat > /usr/local/sbin/le_cert_renew.sh << EOF
#!/bin/bash
#
# le_cert_renew.sh renew certificates if nessesary
# (ul) 20161029 first version
# start simple http-server
cd /opt/acmefetch/www
python3 -m http.server 8080&
http_pid=\$(ps aux | grep "python3 -m http.server 8080" | grep -v grep | awk '{ print \$2 }')
/opt/acmefetch/bin/acmefetch --cfg=/opt/acmefetch/etc/acmefetch.cfg
# stop http-server
kill \$http_pid
# at the first run pveproxy-ssl.key don't excist
if [[ ! -e /etc/pve/local/pveproxy-ssl.key ]]
then
touch /etc/pve/local/pveproxy-ssl.key
fi
if [[ \$(diff -q /etc/ssl/private/pveproxy-ssl.key /etc/pve/local/pveproxy-ssl.key) ]]
then
nodes=\$(ls /etc/pve/nodes)
for i in \$nodes
do
cp -p /etc/ssl/private/pveproxy-ssl.key /etc/pve/nodes/\$i/
cat /etc/ssl/certs/pveproxy-ssl.pem > /etc/pve/nodes/\$i/pveproxy-ssl.pem
cat /etc/ssl/certs/pveproxy-ssl-chain.pem >> /etc/pve/nodes/\$i/pveproxy-ssl.pem
ssh \$i service pveproxy restart
done
fi
EOF
chmod +x /usr/local/sbin/le_cert_renew.sh
create and modify acmefetch config to fit for your systems (accountKeyPath + commonName + sites)
- the forum eat spaces, which are important for the config-file.
create the file first and after that edit the file for the right values:
Code:
cat /opt/acmefetch/etc/acmefetch.cfg
{
"GENERAL": {
"ACMEstaging": "acme-staging.api.letsencrypt.org",
"ACMEservice": "acme-v01.api.letsencrypt.org",
"accountKeyPath": "/etc/pve/.le/account.key"
},
"CERTS": [
{
"certOutput": "/etc/ssl/certs/pveproxy-ssl.pem",
"certFormat": "PEM",
"keyOutput": "/etc/ssl/private/pveproxy-ssl.key",
"keyFormat": "PEM",
"chainOutput": "/etc/ssl/certs/pveproxy-ssl-chain.pem",
"chainFormat": "PEM",
"commonName": "pve.example.com",
"SITES": {
"pve.example.com": {
"challengeHandler": "LocalFile",
"challengeConfig": {
"www_root": "/opt/acmefetch/www/",
}
},
"pve-a.example.com": {
"challengeHandler": "LocalFile",
"challengeConfig": {
"www_root": "/opt/acmefetch/www/",
}
},
"pve-b.example.com": {
"challengeHandler": "LocalFile",
"challengeConfig": {
"www_root": "/opt/acmefetch/www/",
}
},
"pve-c.example.com": {
"challengeHandler": "LocalFile",
"challengeConfig": {
"www_root": "/opt/acmefetch/www/",
}
},
}
}
]
}
extend HAproxy config on your haproxy-server - first the part for LetsEncrypt:
Code:
frontend http_frontend
bind *:80
mode http
acl acl_pve hdr(host) -i pve.example.com
acl acl_pve hdr(host) -i pve-a.example.com
acl acl_pve hdr(host) -i pve-b.example.com
acl acl_pve hdr(host) -i pve-c.example.com
use_backend pve-http if acl_pve
backend pve-http
mode http
server pve 192.168.200.11:8080
On the first node start the webserver to control the external access
Code:
cd /opt/acmefetch/www
python3 -m http.server 8080
from external must be following appear in an browser with pve.example.com, pve-a.example.com and so on:
Code:
Hello.
The python httpd server is working.
and waiting for letsencrypt
If all right stop the web-server with <cntl>-C
Lets start
Code:
/usr/local/sbin/le_cert_renew.sh