[SOLVED] Proxmox cluster migration to LetsEncrypt certificate

showiproute

Mar 11, 2020
Hello there,

I have a two node cluster with a QDevice on which my 2nd node also is running PBS.
Recently I have been thinking about using a Let's Encrypt certificate for my cluster instead of the pre-generated one, but I am unsure if this would kind of "destroy" any trust relationship within the cluster or my QDevice.

Can someone shine a little light on this topic?
 
By default, the QDevice net daemon uses a dedicated TLS certificate, so switching the PBS or the PVE nodes to ACME/Let's Encrypt will not affect the QDevice setup at all, at least as long as you did not manually put the QDevice Net service behind a reverse proxy or the like that shares the TLS certificate with the PBS.
 
Hi @t.lamprecht,

thanks - I will give it a try.
 
Additional information: If you already had an existing Proxmox Backup Server (PBS) with a manual fingerprint of the TLS certificate, you need to edit that as well.
 
Or you can drop the fingerprint once you switch to a cert that is trusted by the client's system trust store, which Let's Encrypt provided certs are for Proxmox VE – and basically all other somewhat modern systems. Otherwise, you would need to update that every few weeks with each renewed TLS cert.
Additionally, you also need to do that on a local PBS if you change the certificate on a remote.
Same here, you could just delete the fingerprint now, the trust anchor then is whatever you use as ACME challenge to get the TLS cert, but it basically always boils down to DNS, which is often a trust anchor already anyway.
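As an added illustration of the point made in the two replies above (this is not code from the thread or from Proxmox), the following script uses openssl to build a throwaway CA and issue a leaf certificate for a constructed hostname twice, the second issue standing in for an ACME renewal. A pinned SHA-256 fingerprint, in the colon-separated form a PVE storage entry or PBS remote stores, matches only the first certificate, while verification against the CA, the stand-in here for the client's system trust store, succeeds for both. The CA, the hostname pbs.example.test and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the forum thread or Proxmox: shows why a pinned
# certificate fingerprint breaks at every renewal while CA/trust-store
# based validation survives it. Everything is generated locally in a
# temporary directory; the CA and hostname are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical CA standing in for Let's Encrypt / the system trust store.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Issue a fresh leaf certificate for the constructed hostname pbs.example.test.
# Calling it a second time simulates an ACME renewal: same CA, new key, new cert.
issue_leaf() {
    name=$1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=pbs.example.test" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$name.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -sha256 -out "$WORK/$name.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint in the colon-separated form used for a pinned PBS entry.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Pinned check: succeeds only when the cert's fingerprint equals the stored one.
pinned_ok() {
    [ "$(fingerprint "$1")" = "$2" ]
}

# Trust-store check: succeeds when the cert chains to a trusted CA,
# regardless of how often the leaf certificate has been re-issued.
trust_store_ok() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Demo run: pin the first cert, then "renew" and compare both checks.
make_ca
issue_leaf first
PINNED=$(fingerprint "$WORK/first.pem")
echo "pinned fingerprint: $PINNED"

issue_leaf renewed
echo "renewed fingerprint: $(fingerprint "$WORK/renewed.pem")"

if pinned_ok "$WORK/renewed.pem" "$PINNED"; then
    echo "pinned check: still matches"
else
    echo "pinned check: FAILS after renewal (fingerprint must be updated)"
fi

if trust_store_ok "$WORK/renewed.pem"; then
    echo "trust-store check: renewed cert still validates against the CA"
else
    echo "trust-store check: FAILS"
fi
```

Run it as a normal user on any machine with openssl; nothing touches a real Proxmox configuration. The pinned check corresponds to keeping a fingerprint line in a storage or remote definition, the trust-store check to removing it as the thread suggests.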
 
This is what I did: I changed from the internal to the external domain name, which is using the Let's Encrypt certificates, and removed the whole fingerprint line.
Now everything works as expected.
 