HostOnNet Blog

Install LetsEncrypt SSL on Proxmox Node

To install LetsEncrypt SSL certificate for Proxmox VE Server, first install certbot-auto, this is a command line tool to generate/renew LetsEncrypt SSL certificate.

cd /usr/local/sbin
wget https://dl.eff.org/certbot-auto
chmod a+x /usr/local/sbin/certbot-auto

Now run certbot-auto, when you run first time, it will download some required packages and install it.

certbot-auto --help

I am going to install SSL for server with hostname server18.hostonnet.com, do generate SSL certificate, run

certbot-auto certonly -d server18.hostonnet.com

This will ask your email address. Since Proxmox VE server have no apache running, select option to start a temportary web server for SSL verification.

When SSL created, you see a confirmation like

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem. Your
cert will expire on 2017-03-03. To obtain a new or tweaked version
of this certificate in the future, simply run certbot-auto again.
To non-interactively renew *all* of your certificates, run
“certbot-auto renew”
– If you lose your account credentials, you can recover through
e-mails sent to admin@hostonnet.com.
– Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

root@server18:~#

To replace Proxmox SSL certificate with this SSL cert, run following commands

rm -rf /etc/pve/local/pve-ssl.pem  
rm -rf /etc/pve/local/pve-ssl.key  
rm -rf /etc/pve/pve-root-ca.pem  
cp /etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem  /etc/pve/local/pve-ssl.pem  
cp /etc/letsencrypt/live/server18.hostonnet.com/privkey.pem /etc/pve/local/pve-ssl.key  
cp /etc/letsencrypt/live/server18.hostonnet.com/chain.pem /etc/pve/pve-root-ca.pem  
service pveproxy restart
service pvedaemon restart

LetsEncrypt SSL expire every 90 days, so we will renew it every month with a cronjob. For this, create a file

vi /root/ssh-renew.sh

with following code in it


/usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
rm -rf /etc/pve/local/pve-ssl.pem  
rm -rf /etc/pve/local/pve-ssl.key  
rm -rf /etc/pve/pve-root-ca.pem  
cp /etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem  /etc/pve/local/pve-ssl.pem  
cp /etc/letsencrypt/live/server18.hostonnet.com/privkey.pem /etc/pve/local/pve-ssl.key  
cp /etc/letsencrypt/live/server18.hostonnet.com/chain.pem /etc/pve/pve-root-ca.pem  
service pveproxy restart
service pvedaemon restart

Make it executable

chmod 755 /root/ssh-renew.sh

We need to run this command every 30 days, so add following to cronjob.

crontab -e

Add

@monthly /root/ssl-renew.sh

Back to LetsEncrypt


Posted in Virtualization

  • Selsbeck

    Is there any reason not to use symlinks to /etc/letsencrypt/live//* to prevent the cyclic deletion and copying?

  • I tried that, for some reason, it did not work


    root@server18:/etc/pve/local# rm -f pve-ssl.pem
    root@server18:/etc/pve/local# ls -l /etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem
    lrwxrwxrwx 1 root root 51 Dec 3 05:44 /etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem -> ../../archive/server18.hostonnet.com/fullchain1.pem
    root@server18:/etc/pve/local# ln -s /etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem pve-ssl.pem
    ln: failed to create symbolic link ‘pve-ssl.pem’: Function not implemented
    root@server18:/etc/pve/local# cp /etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem pve-ssl.pem
    root@server18:/etc/pve/local#

  • Selsbeck

    Well, this actually seems pretty logical to me. Creating symlinks on a shared filesystem linking to files on a “client”-node could be quite problematic.
    Thanks for clarifying!

  • Zenny Mind

    Replacing the web-ui ssl keys with letsencrypt caused a VM restore from
    backup to fail. I was able to restore the VM when I restore the original
    ssl keys.

  • Gilberto Ferreira

    I have problem with this too, but specific when I need to connect with Spice Console.
    Do you manage to resolve this issue?

  • Gilberto Ferreira

    After implement the letsencrypt, I can’t connect to spice terminal anymore.
    Please, can you help me?

  • Pedro Gomez

    Thanks, this was useful 😀

  • Omar Khalil

    Please note for people who are having problems:

    The instructions here suggested to delete and replace pve-ssl.pem and pve-ssl.key, that’s totally wrong to do,

    Those certificates are already used by the whole node to encrypt backups and lauch encrypted session such as SPICE and any backup taken.
    Deleting the certificates that proxmox generated will render backups unable to get restored anymore because the key is lost.
    and same applies for the SPICE.

    To fix deleted certs and regenerate them, run the following command:

    pvecm updatecerts -f

    Now to add SSL properly you should at to the following locations (Please update your blog post):

    Key: /etc/pve/local/pveproxy-ssl.key
    Cert with full chain: /etc/pve/local/pveproxy-ssl.pem

    Now you have pve interface in https and all other functionalities remain encrypted by the ca-root certificate generated by proxmox.

    And about the “Function Not Implemented” Error, as you said the System is based on FUSE, so there are many functions not implemented, read here for more informations
    :
    https://pve.proxmox.com/wiki/Proxmox_Cluster_File_System_(pmxcfs)