Install LetsEncrypt SSL on Proxmox Node

To install a LetsEncrypt SSL certificate on a Proxmox VE server, first install certbot-auto, a command-line tool to generate and renew LetsEncrypt SSL certificates.

cd /usr/local/sbin
chmod a+x /usr/local/sbin/certbot-auto

Now run certbot-auto. The first time you run it, it will download and install some required packages.

certbot-auto --help

I am going to install SSL for the server with hostname, to generate the SSL certificate, run

certbot-auto certonly -d

This will ask for your email address. Since the Proxmox VE server has no Apache running, select the option to start a temporary web server for SSL verification.

When the SSL certificate is created, you will see a confirmation like

– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/ Your
cert will expire on 2017-03-03. To obtain a new or tweaked version
of this certificate in the future, simply run certbot-auto again.
To non-interactively renew *all* of your certificates, run
“certbot-auto renew”
– If you lose your account credentials, you can recover through
e-mails sent to
– Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt:
Donating to EFF:


To replace the Proxmox SSL certificate with this SSL cert, run the following commands

rm -rf /etc/pve/local/pve-ssl.pem  
rm -rf /etc/pve/local/pve-ssl.key  
rm -rf /etc/pve/pve-root-ca.pem  
cp /etc/letsencrypt/live/  /etc/pve/local/pve-ssl.pem  
cp /etc/letsencrypt/live/ /etc/pve/local/pve-ssl.key  
cp /etc/letsencrypt/live/ /etc/pve/pve-root-ca.pem  
service pveproxy restart
service pvedaemon restart

LetsEncrypt SSL certificates expire every 90 days, so we will renew them every month with a cronjob. For this, create a file

vi /root/

with the following code in it

/usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
rm -rf /etc/pve/local/pve-ssl.pem  
rm -rf /etc/pve/local/pve-ssl.key  
rm -rf /etc/pve/pve-root-ca.pem  
cp /etc/letsencrypt/live/  /etc/pve/local/pve-ssl.pem  
cp /etc/letsencrypt/live/ /etc/pve/local/pve-ssl.key  
cp /etc/letsencrypt/live/ /etc/pve/pve-root-ca.pem  
service pveproxy restart
service pvedaemon restart

Make it executable

chmod 755 /root/

We need to run this command every 30 days, so add the following to the cronjob.

crontab -e


@monthly /root/
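
An added example, not from the original post: the renewal script above deletes the installed files and restarts both services on every run, whether or not anything was renewed. This variant checks with openssl that the renewed certificate parses, is not about to expire and matches its private key, then overwrites the installed files only when their content changed. HOSTNAME_PLACEHOLDER, the LIVE and PVE variables, the function names and the fullchain.pem/privkey.pem mapping are assumptions, because the source paths are truncated on the page.

```shell
#!/bin/sh
# Added example, not the page's script. HOSTNAME_PLACEHOLDER stands in for the
# certificate name truncated on the page; fullchain.pem/privkey.pem are
# certbot's standard file names, and mapping them to pve-ssl.* is an assumption.
LIVE="${LIVE:-/etc/letsencrypt/live/HOSTNAME_PLACEHOLDER}"
PVE="${PVE:-/etc/pve/local}"

# pair_is_valid CERT KEY [MIN_SECONDS]: true only if CERT parses, stays valid
# for MIN_SECONDS more seconds, and has the same public key as KEY.
pair_is_valid() {
    [ -s "$1" ] && [ -s "$2" ] || return 1
    openssl x509 -in "$1" -noout -checkend "${3:-86400}" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_if_changed SRC DST: 0 = DST updated, 1 = already identical,
# 2 = SRC missing/empty or copy failed. DST is never deleted first.
install_if_changed() {
    [ -s "$1" ] || return 2
    cmp -s "$1" "$2" 2>/dev/null && return 1
    cp "$1" "$2" || return 2   # plain copy: /etc/pve rejects symlinks
}

# deploy_pair CERT KEY: 0 = files changed (restart needed), 1 = nothing to do,
# 2 = refused or copy failed; nothing is copied unless the pair validates.
deploy_pair() {
    pair_is_valid "$1" "$2" || return 2
    c=0; install_if_changed "$1" "$PVE/pve-ssl.pem" || c=$?
    k=0; install_if_changed "$2" "$PVE/pve-ssl.key" || k=$?
    [ "$c" -ne 2 ] && [ "$k" -ne 2 ] || return 2
    [ "$c" -eq 0 ] || [ "$k" -eq 0 ]
}

# Cron entry point: "script --deploy". Without the flag only functions load.
if [ "${1:-}" = "--deploy" ]; then
    /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log 2>&1
    rc=0; deploy_pair "$LIVE/fullchain.pem" "$LIVE/privkey.pem" || rc=$?
    case $rc in
        0) service pveproxy restart; service pvedaemon restart ;;
        2) echo "renewed pair not deployed, check files" >> /var/log/le-renew.log ;;
    esac
fi
```

The destination names follow the page. Proxmox VE's documentation installs custom certificates as pveproxy-ssl.pem and pveproxy-ssl.key in /etc/pve/local and leaves pve-ssl.* and pve-root-ca.pem untouched, which is worth checking if restores or SPICE break as reported in the comments.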


  • Selsbeck

    Is there any reason not to use symlinks to /etc/letsencrypt/live//* to prevent the cyclic deletion and copying?

  • I tried that, for some reason, it did not work

    root@server18:/etc/pve/local# rm -f pve-ssl.pem
    root@server18:/etc/pve/local# ls -l /etc/letsencrypt/live/
    lrwxrwxrwx 1 root root 51 Dec 3 05:44 /etc/letsencrypt/live/ -> ../../archive/
    root@server18:/etc/pve/local# ln -s /etc/letsencrypt/live/ pve-ssl.pem
    ln: failed to create symbolic link ‘pve-ssl.pem’: Function not implemented
    root@server18:/etc/pve/local# cp /etc/letsencrypt/live/ pve-ssl.pem

  • Selsbeck

    Well, this actually seems pretty logical to me. Creating symlinks on a shared filesystem linking to files on a “client”-node could be quite problematic.
    Thanks for clarifying!

  • Zenny Mind

    Replacing the web-ui ssl keys with letsencrypt caused a VM restore from
    backup to fail. I was able to restore the VM when I restore the original
    ssl keys.

  • Gilberto Ferreira

    I have a problem with this too, but specifically when I need to connect with Spice Console.
    Did you manage to resolve this issue?

  • Gilberto Ferreira

    After implementing letsencrypt, I can’t connect to the spice terminal anymore.
    Please, can you help me?

  • Pedro Gomez

    Thanks, this was useful 😀