Upload custom cert via Proxmox API?


New Member
May 25, 2020
I have pre-existing infrastructure which registers and updates TLS certificates for organization's sites via Lets Encrypt. I'd like to use this infrastructure to automatically push a new certificate to my various Proxmox VE nodes via the Proxmox API (https://pve.proxmox.com/pve-docs/api-viewer/index.html).

I would rather not set up ACME registration on each Proxmox VE node to handle their own certs.

Is it possible to push new custom certs to each Proxmox node as opposed to having to copy certificates to each machine manually and running various shell commands like in https://pve.proxmox.com/wiki/Certificate_Management? Is this possible? Any help greatly appreciated. Thanks!

You could use the API path that's also used by the Proxmox VE web-interface (Node -> Certificates -> Upload Custom Certificate):

Youre absolutely right, and I hadn't noticed that API endpoint until now.

I've made some rudimentary Python code to post TLS certificates to Proxmox VE nodes that I've posted at https://github.com/jforman/proxmox_certupdater. I'll be adding more to it to make it a bit more useful, but if others find it, happy to accept PRs and make it more useful.

I worked on this today. When I read the API documentation it doesn't feel like its telling 100% of the story so I wound up monitoring network traffic while using the browser and saw what this curl command produces.

curl -v -k -X POST ${TF_VAR_proxmox_url}/nodes/proxmox/certificates/custom \
    -H "Authorization: PVEAPIToken=${TF_VAR_proxmox_user}=${TF_VAR_proxmox_token}" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "key=${cat_of_privkey}" \
    --data-urlencode "restart=1" \
    --data-urlencode "force=1" \
    --data-urlencode "certificates=${cat_of_fullchain}"

I tried a lot of other clearner ways, but was seeing errors like `{"errors":{"certificates":"invalid format - not a valid PEM-formatted string.\n"},"data":null}` and `upload 'Content-Type 'multipart/form-data; boundary=------------------------' not implemented`.

Hope this helps anyone else trying to update certs via the rest API.


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!