HostOnNet Blog

Install LetsEncrypt SSL on Proxmox Node

To install LetsEncrypt SSL certificate for Proxmox VE Server, first install certbot-auto, this is a command line tool to generate/renew LetsEncrypt SSL certificate.

cd /usr/local/sbin
wget https://dl.eff.org/certbot-auto
chmod a+x /usr/local/sbin/certbot-auto

Now run certbot-auto, when you run first time, it will download some required packages and install it.

certbot-auto --help

I am going to install SSL for server with hostname server18.hostonnet.com, do generate SSL certificate, run

certbot-auto certonly -d server18.hostonnet.com

This will ask your email address. Since Proxmox VE server have no apache running, select option to start a temportary web server for SSL verification.

When SSL created, you see a confirmation like

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem. Your
cert will expire on 2017-03-03. To obtain a new or tweaked version
of this certificate in the future, simply run certbot-auto again.
To non-interactively renew *all* of your certificates, run
“certbot-auto renew”
– If you lose your account credentials, you can recover through
e-mails sent to admin@hostonnet.com.
– Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

root@server18:~#

To replace Proxmox SSL certificate with this SSL cert, run following commands

rm -rf /etc/pve/local/pve-ssl.pem  
rm -rf /etc/pve/local/pve-ssl.key  
rm -rf /etc/pve/pve-root-ca.pem  
cp /etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem  /etc/pve/local/pve-ssl.pem  
cp /etc/letsencrypt/live/server18.hostonnet.com/privkey.pem /etc/pve/local/pve-ssl.key  
cp /etc/letsencrypt/live/server18.hostonnet.com/chain.pem /etc/pve/pve-root-ca.pem  
service pveproxy restart
service pvedaemon restart

LetsEncrypt SSL expire every 90 days, so we will renew it every month with a cronjob. For this, create a file

vi /root/ssh-renew.sh

with following code in it


/usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
rm -rf /etc/pve/local/pve-ssl.pem  
rm -rf /etc/pve/local/pve-ssl.key  
rm -rf /etc/pve/pve-root-ca.pem  
cp /etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem  /etc/pve/local/pve-ssl.pem  
cp /etc/letsencrypt/live/server18.hostonnet.com/privkey.pem /etc/pve/local/pve-ssl.key  
cp /etc/letsencrypt/live/server18.hostonnet.com/chain.pem /etc/pve/pve-root-ca.pem  
service pveproxy restart
service pvedaemon restart

Make it executable

chmod 755 /root/ssh-renew.sh

We need to run this command every 30 days, so add following to cronjob.

crontab -e

Add

@monthly /root/ssl-renew.sh

Posted in Virtualization

  • Selsbeck

    Is there any reason not to use symlinks to /etc/letsencrypt/live//* to prevent the cyclic deletion and copying?

  • I tried that, for some reason, it did not work


    root@server18:/etc/pve/local# rm -f pve-ssl.pem
    root@server18:/etc/pve/local# ls -l /etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem
    lrwxrwxrwx 1 root root 51 Dec 3 05:44 /etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem -> ../../archive/server18.hostonnet.com/fullchain1.pem
    root@server18:/etc/pve/local# ln -s /etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem pve-ssl.pem
    ln: failed to create symbolic link ‘pve-ssl.pem’: Function not implemented
    root@server18:/etc/pve/local# cp /etc/letsencrypt/live/server18.hostonnet.com/fullchain.pem pve-ssl.pem
    root@server18:/etc/pve/local#

  • Selsbeck

    Well, this actually seems pretty logical to me. Creating symlinks on a shared filesystem linking to files on a “client”-node could be quite problematic.
    Thanks for clarifying!