Question re: Understanding Certificates

Sep 1, 2022
Hello!

After setting up a Cloudflare API-based custom certificate for the domain pve.myhost.com, everything works, and my certificate list looks like this.

The one at the bottom is the custom certificate I created.

What are the first two? Does it create problems to leave them there? The second one in particular has a ton of Alternate Names listed, including an IP address. Putting aside for a moment the fact that I didn't know you could list an IP address on a certificate like this--I don't think Cloudflare's API lets you do that--it's also listing an IP that isn't in use with the PVE server anymore, as well as pve without the .myhost.com. It also lists pve.myhost.local, which isn't even a valid TLD in my LAN anymore.

  1. I think the second one is just Proxmox's default self-signed certificate? No action needed?
  2. But, I have no idea what's going on with the second one and if I need to do anything to clean it up.
  3. Also, is it possible to actually have a Let's Encrypt-issued certificate for pve without myhost.com? Can I list pve or just the IP as an alternate name when I'm using the Cloudflare API to get the Let's Encrypt cert? Will Cloudflare's API even let me do that?

Thanks for any advice. :)

publicly trusted certificates like those from Let's Encrypt can only contain valid FQDNs as SAN (at the moment - LE is working on adding IP SANs as well ;)). self-signed certificates can contain whatever, basically. you can regenerate the self-signed one ("pvecm updatecerts -f"), but if you have a custom cert, it's not used for much in any case (IIRC only SPICE?)

Thanks for confirming that, @fabian . I wasn't sure, but based on having to own an actual real FQDN to use the API, I figured that was the case. Nice to know they're working on IP SAN as well.

Just to confirm, it won't interfere with my custom cert to regenerate the self-signed one? It's not causing any problems as-is, but it would certainly make the display less confusing if I could get the old in-LAN domain and old IP address that no longer work out of there.
 
no, the two certs are independent, pveproxy will prefer the custom one if it exists and regenerating the self-signed one doesn't touch the custom one.
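To make the two points in this thread checkable (a public CA only issues for FQDNs, so the IP, the bare "pve" and the ".local" name from the self-signed cert can never show up in the Let's Encrypt one; and pveproxy serves the custom cert when it exists), here is an added shell example, not code from the thread or from Proxmox. It takes the subjectAltName text that openssl prints and flags every entry Let's Encrypt would refuse; the host name pve.myhost.com and the choice of private suffixes it treats as non-public are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Proxmox). Classify SAN entries the way a
# public CA such as Let's Encrypt would. Input is the text openssl prints for the
# subjectAltName extension, e.g.
#   DNS:pve.myhost.com, IP Address:192.0.2.10, DNS:pve
# Output: one line per SAN, "<entry>  ok" or "<entry>  NOT-LE-ELIGIBLE (<reason>)".
classify_sans() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' | while IFS= read -r san; do
    [ -n "$san" ] || continue
    case "$san" in
      "IP Address:"*)
        echo "$san  NOT-LE-ELIGIBLE (IP SAN; public CAs issue only for FQDNs)" ;;
      DNS:*)
        name=${san#DNS:}
        case "$name" in
          # Assumed list of suffixes that never resolve in public DNS.
          *.local|*.home.arpa|*.internal)
            echo "$san  NOT-LE-ELIGIBLE (reserved/private suffix, no public DNS)" ;;
          *.*)
            echo "$san  ok" ;;
          *)
            echo "$san  NOT-LE-ELIGIBLE (single-label hostname, not an FQDN)" ;;
        esac ;;
      *)
        echo "$san  NOT-LE-ELIGIBLE (unsupported SAN type)" ;;
    esac
  done
}

# Number of SAN entries a public CA would reject (printed on stdout).
count_ineligible() {
  classify_sans "$1" | grep -c 'NOT-LE-ELIGIBLE' || true
}

# SAN line of the certificate pveproxy actually presents on port 8006.
# Host name is assumed; needs openssl 1.1.1+ for "x509 -ext". If the custom
# cert is in use, only the names requested through the ACME plugin appear.
served_sans() {
  host=${1:-pve.myhost.com}
  openssl s_client -connect "$host:8006" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName \
    | grep -v 'Subject Alternative Name' | sed 's/^[[:space:]]*//'
}

# Usage on a live host: classify_sans "$(served_sans pve.myhost.com)"
```

Running `classify_sans "$(served_sans)"` before and after `pvecm updatecerts -f` shows that the served names do not change, since pveproxy keeps using the custom certificate.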