Proxmox 5 - pve-daily-update.service - edit cronjob

Marcel40625

Dec 7, 2016
Hey Guys/Girls,

About my Setup:

I have set up a Proxmox host on a Kimsufi.com server (only 1 IP). The server is for a little Nextcloud installation and another webserver.

About the Problem:
I have set up SSL with Let's Encrypt via the Proxmox WebGUI; this works fine, no problems here. But after I installed the VMs for the webserver and sent ports 80 and 443 via iptables to a VM with a reverse proxy, I had a problem.

Every time my host tries to renew the certificate for the WebGUI, it fails because port 80 is not listening on the main machine anymore.

Question:
Is there any way to edit the cronjob "pve-daily-update.service" so that it briefly flushes the iptables rules, renews the certificate and loads the iptables rules back?
 
pve-daily-update.service is not a cronjob but a systemd timer

you can override some things with
Code:
systemctl edit pve-daily-update.service

please see the systemd manual for details
 
with 'systemctl edit' it creates a new override file, which of course is empty (but will not get overwritten when our packages are updated)
please read the systemd documentation about units/services/timers/overrides/etc.

the script actually renewing is /usr/bin/pveupdate, but this will also get overwritten on every package update should you modify it
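A drop-in override that does what the question asks without touching /usr/bin/pveupdate, added here as an example (it is not from the replies above or from Proxmox): run `systemctl edit pve-daily-update.service` and put the following in the override file it opens. The host IP 1.1.1.1 and the reverse-proxy VM IP 1.1.2.2 are placeholders, and the rule must match the DNAT rule your own iptables setup installs.

```ini
# /etc/systemd/system/pve-daily-update.service.d/override.conf
# (the file `systemctl edit pve-daily-update.service` opens; drop-ins survive
#  package upgrades, unlike edits to /usr/bin/pveupdate)
[Service]
# Before pveupdate runs, remove the port-80 DNAT rule so the ACME HTTP-01
# challenge reaches the host itself. The leading "-" tells systemd to ignore
# a non-zero exit (e.g. the rule was already gone) and still run the update.
# 1.1.1.1 = host public IP, 1.1.2.2 = reverse-proxy VM: placeholders, adjust.
ExecStartPre=-/sbin/iptables -t nat -D PREROUTING -d 1.1.1.1/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 1.1.2.2:80
# ExecStopPost= (not ExecStartPost=) runs whether pveupdate exited cleanly or
# not, so the forward to the VM is restored even when the renewal fails.
ExecStopPost=-/sbin/iptables -t nat -I PREROUTING -d 1.1.1.1/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 1.1.2.2:80
```

Note that the forward is removed for the whole daily pveupdate run, not only when a renewal is due. Check the result with `systemctl start pve-daily-update.service`, then `systemctl status pve-daily-update.service` and `iptables -t nat -L PREROUTING -n`.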
 
I extracted from pveupdate the acme update section. You can put the following script in /etc/cron.weekly:

Code:
#!/usr/bin/perl

use strict;
use warnings;

use PVE::CertHelpers;
use PVE::Certificate;
use PVE::NodeConfig;
use PVE::INotify;
use PVE::Cluster;
use PVE::SafeSyslog;
use PVE::RPCEnvironment;
use PVE::API2::ACME;

initlog('acme-update', 'daemon');

die "please run as root\n" if $> != 0;

$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';

# Match part of the port-80 DNAT rule that normally forwards to the
# reverse-proxy VM. 1.1.1.1 (host IP) and 1.1.2.2 (VM IP) are placeholders.
my @dnat_match = qw(-d 1.1.1.1/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 1.1.2.2:80);

# $action is '-D' to remove the forward or '-I' to put it back.
# system() with a list avoids the shell; the exit status is checked and logged.
sub dnat_rule {
    my ($action) = @_;
    my $rc = system('iptables', '-t', 'nat', $action, 'PREROUTING', @dnat_match);
    syslog('err', "iptables $action PREROUTING failed (exit " . ($rc >> 8) . ")") if $rc != 0;
    return $rc == 0;
}

PVE::INotify::inotify_init();

my $rpcenv = PVE::RPCEnvironment->init('cli');

$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');

my $nodename = PVE::INotify::nodename();

eval {
    my $node_config = PVE::NodeConfig::load_config($nodename);
    if ($node_config && $node_config->{acme}) {
        my $cert = PVE::CertHelpers::cert_path_prefix($nodename).".pem";
        if (-e $cert) {
            # renew only when the certificate expires within the next 30 days
            if (PVE::Certificate::check_expiry($cert, time() + 30*24*60*60)) {
                # take the forward away so the HTTP-01 challenge reaches this host
                dnat_rule('-D');
                # inner eval: the forward must be restored even if renewal dies,
                # otherwise a failed renewal leaves the VM without port 80
                eval { PVE::API2::ACME->renew_certificate({ node => $nodename }); };
                my $err = $@;
                dnat_rule('-I');
                die $err if $err;
            } else {
                syslog('info', 'Custom certificate does not expire soon, skipping ACME renewal.');
            }
        } else {
            syslog('info', 'ACME config found for node, but no custom certificate exists. Skipping ACME renewal until initial certificate has been deployed.');
        }
    }
};
syslog('err', "Renewing ACME certificate failed: $@") if $@;

exit(0);
 