HostOnNet Blog

Install LetsEncrypt SSL on Proxmox Node

Looking for Linux Server Admin or WordPress Expert? We can help.

To install LetsEncrypt SSL certificate for Proxmox VE Server, first install certbot-auto, this is a command line tool to generate/renew LetsEncrypt SSL certificate.

cd /usr/local/sbin
wget https://dl.eff.org/certbot-auto
chmod a+x /usr/local/sbin/certbot-auto

Now run certbot-auto, when you run first time, it will download some required packages and install it.

certbot-auto --help

I am going to install SSL for server with hostname server18.hostonnet.com, do generate SSL certificate, run

certbot-auto certonly -d server18.hostonnet.com

This will ask your email address. Since Proxmox VE server have no apache running, select option to start a temportary web server for SSL verification.

When SSL created, you see a confirmation like

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem. Your
cert will expire on 2017-03-03. To obtain a new or tweaked version
of this certificate in the future, simply run certbot-auto again.
To non-interactively renew *all* of your certificates, run
“certbot-auto renew”
– If you lose your account credentials, you can recover through
e-mails sent to [email protected].
– Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

root@server18:~#

To replace Proxmox SSL certificate with this SSL cert, run following commands

rm -rf /etc/pve/local/pve-ssl.pem  
rm -rf /etc/pve/local/pve-ssl.key  
rm -rf /etc/pve/pve-root-ca.pem  
cp /etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem  /etc/pve/local/pve-ssl.pem  
cp /etc/letsencrypt/live/server18.hostonnet.com/privkey.pem /etc/pve/local/pve-ssl.key  
cp /etc/letsencrypt/live/server18.hostonnet.com/chain.pem /etc/pve/pve-root-ca.pem  
service pveproxy restart
service pvedaemon restart

LetsEncrypt SSL expire every 90 days, so we will renew it every month with a cronjob. For this, create a file

vi /root/ssh-renew.sh

with following code in it


/usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
rm -rf /etc/pve/local/pve-ssl.pem  
rm -rf /etc/pve/local/pve-ssl.key  
rm -rf /etc/pve/pve-root-ca.pem  
cp /etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem  /etc/pve/local/pve-ssl.pem  
cp /etc/letsencrypt/live/server18.hostonnet.com/privkey.pem /etc/pve/local/pve-ssl.key  
cp /etc/letsencrypt/live/server18.hostonnet.com/chain.pem /etc/pve/pve-root-ca.pem  
service pveproxy restart
service pvedaemon restart

Make it executable

chmod 755 /root/ssh-renew.sh

We need to run this command every 30 days, so add following to cronjob.

crontab -e

Add

@monthly /root/ssl-renew.sh

Back to LetsEncrypt

Posted in Virtualization

8 Responses to Install LetsEncrypt SSL on Proxmox Node

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.