Upload custom cert via Proxmox API?

jforman

I have pre-existing infrastructure which registers and updates TLS certificates for my organization's sites via Let's Encrypt. I'd like to use this infrastructure to automatically push a new certificate to my various Proxmox VE nodes via the Proxmox API (https://pve.proxmox.com/pve-docs/api-viewer/index.html).

I would rather not set up ACME registration on each Proxmox VE node to handle their own certs.

Is it possible to push new custom certs to each Proxmox node as opposed to having to copy certificates to each machine manually and running various shell commands like in https://pve.proxmox.com/wiki/Certificate_Management? Is this possible? Any help greatly appreciated. Thanks!
 
Hi,

You could use the API path that's also used by the Proxmox VE web-interface (Node -> Certificates -> Upload Custom Certificate):
/nodes/${nodename}/certificates/custom

https://pve.proxmox.com/pve-docs/api-viewer/index.html#/nodes/{node}/certificates/custom
You're absolutely right, and I hadn't noticed that API endpoint until now.

I've made some rudimentary Python code to post TLS certificates to Proxmox VE nodes that I've posted at https://github.com/jforman/proxmox_certupdater. I'll be adding more to it to make it a bit more useful, but if others find it, happy to accept PRs and make it more useful.

Thanks!
 
I worked on this today. When I read the API documentation it doesn't feel like it's telling 100% of the story, so I wound up monitoring network traffic while using the browser and saw what this curl command produces.

Bash:
curl -v -k -X POST ${TF_VAR_proxmox_url}/nodes/proxmox/certificates/custom \
    -H "Authorization: PVEAPIToken=${TF_VAR_proxmox_user}=${TF_VAR_proxmox_token}" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "key=${cat_of_privkey}" \
    --data-urlencode "restart=1" \
    --data-urlencode "force=1" \
    --data-urlencode "certificates=${cat_of_fullchain}"

I tried a lot of other cleaner ways, but was seeing errors like `{"errors":{"certificates":"invalid format - not a valid PEM-formatted string.\n"},"data":null}` and `upload 'Content-Type 'multipart/form-data; boundary=------------------------' not implemented`.

Hope this helps anyone else trying to update certs via the rest API.
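
The same request built in Python, as an added example that is not part of the original post or of any poster's code: it checks that both inputs are multi-line PEM before form-encoding them, so the line breaks and the `+` characters in the base64 body survive as `%0A` and `%2B`. The host name, the `/api2/json` base path, the token value and the helper names are assumptions, and the sample PEM blocks are constructed, not real certificates.

```python
import base64
import re
import urllib.parse
import urllib.request

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.S)

def pem_labels(text):
    """Return the label of each well-formed PEM block; raise on bad base64."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        base64.b64decode("".join(body.split()), validate=True)
        labels.append(label)
    return labels

def build_cert_upload(base_url, node, token, fullchain_pem, key_pem,
                      restart=True, force=True):
    """Build (without sending) the POST for /nodes/{node}/certificates/custom."""
    if "CERTIFICATE" not in pem_labels(fullchain_pem):
        raise ValueError("fullchain has no multi-line PEM CERTIFICATE block")
    if not any(l.endswith("PRIVATE KEY") for l in pem_labels(key_pem)):
        raise ValueError("key has no multi-line PEM PRIVATE KEY block")
    # urlencode() percent-encodes newlines and '+', as --data-urlencode does
    form = {"certificates": fullchain_pem, "key": key_pem,
            "restart": int(restart), "force": int(force)}
    body = urllib.parse.urlencode(form).encode("ascii")
    url = "{}/nodes/{}/certificates/custom".format(
        base_url.rstrip("/"), urllib.parse.quote(node, safe=""))
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "PVEAPIToken=" + token,
        "Content-Type": "application/x-www-form-urlencoded"})

def constructed_pem(label, raw):
    """Constructed sample input: PEM framing around arbitrary bytes."""
    b64 = base64.b64encode(raw).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

if __name__ == "__main__":
    chain = constructed_pem("CERTIFICATE", b"\xfb\xef\xbe" * 40)  # all '+'
    key = constructed_pem("PRIVATE KEY", b"\xfb\xef\xbe" * 40)
    req = build_cert_upload("https://pve.example:8006/api2/json", "proxmox",
                            "user@pam!tokenid=CONSTRUCTED-SECRET", chain, key)
    print(req.full_url)
    print(req.data[:90])
```

Sending the result with `urllib.request.urlopen(req)` verifies the node's certificate by default, unlike the `-k` in the curl command, so the node's current certificate has to chain to a trusted CA for the call to succeed.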
 
I know that this is quite old, but it seems to be what I am searching for - so sorry for reviving this old thread.
As I want to use a wildcard certificate for a provider that doesn't offer DNS-API, I need to run certbot with "renew" from cron on my pve node and from there push it to my webservers. But unfortunately I didn't find an automated method yet to use the certificate (which is thus locally available) on the pve node itself.
Would it make sense to call the REST-API from the proxmox node itself or are there other easier methods to update the certificate periodically in a manual manner?
 
Would it make sense to call the REST-API from the proxmox node itself or are there other easier methods to update the certificate periodically in a manual manner?
I would call the REST-API via curl or pvesh ( https://pve.proxmox.com/pve-docs/pvesh.1.html ) and execute that command via a systemd timer:
https://manpages.debian.org/testing/systemd/systemd.timer.5.en.html
https://manpages.debian.org/testing/systemd/systemd.service.5.en.html
https://wiki.archlinux.org/title/Systemd/Timers
 
Thanks.
After using the right search terms it seems there is /was? some easier method than creating a token and issuing the REST command from the node itself (1 step less):
pvenode cert set <cert> [<key>] [--force] [--restart]
Found via https://deepwiki.com/proxmox/pve-docs/7.3-certificate-management. I will try if this is still valid, cannot find any documentation on that for 9.x

Edit: it works perfectly well. Question is, why this is not reflected in official documentation?
 