Proxmox Let's Encrypt


We operate a Proxmox cluster that is not exposed to the public internet, but we still wanted to secure the appliances with proper certificates to avoid constantly clicking through SSL warnings. Thanks to the ACME DNS challenge, Let's Encrypt will issue valid certificates for names that resolve to private IPs: ownership is proven through a DNS TXT record rather than an HTTP request to the host, so no service on the server needs to be reachable from the outside.



Start by installing

wget -O - | sh  
source ~/.bashrc  

Next we need to issue the certificate:

--issue --dns -d  

When we run this command, it responds with the TXT record you must add to the domain's DNS to prove ownership. Add that record, and wait for it to propagate, before proceeding.

With the DNS record in place, we can run the renew step to have the certificate issued:

--renew -d  

Finally, we should automate the renewal process. To do this, we created a script as follows:

#!/bin/sh
# File: /root/
export LE_WORKING_DIR="/root/"
cd /root/ || exit 1

# DOMAIN must be set to the name the certificate was issued for (placeholder value)
DOMAIN="${DOMAIN:-pve.example.internal}"

# renew, and only install the new files and restart pveproxy if the renewal succeeded
if ./ --renew -d "$DOMAIN" >/dev/null; then
  cp "/root/$DOMAIN/$DOMAIN.key" /etc/pve/local/pveproxy-ssl.key
  cp "/root/$DOMAIN/fullchain.cer" /etc/pve/local/pveproxy-ssl.pem
  systemctl restart pveproxy
fi

And add the following to your crontab so the script runs once a month, at midnight on the 1st:

0 0 1 * * /root/  


The Proxmox documentation for the client mentions adding the following options, which are meant to install the files and reload pveproxy automatically:

--keypath /etc/pve/local/pveproxy-ssl.key --fullchainpath /etc/pve/local/pveproxy-ssl.pem --reloadcmd "systemctl restart pveproxy"

These did not work for us, however, so rather than investigate why they failed, we simply added the two copy commands and the reload command to our renewal script.
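As an added example (not the post's script, nor anything shipped by Proxmox or the ACME client), here is a fuller version of the renewal hook covering the script above and the install/reload options just mentioned. It separates the ACME client call from the install step so the install logic can be exercised on its own, refuses to install a private key that does not match the certificate, copies via rename so pveproxy never reads a half-written file, and restarts pveproxy only when the files actually changed. The client is assumed to be acme.sh (which the --renew and --dns flags above suggest); the script name pve-renew-hook.sh, DOMAIN, ACME_HOME and CERT_DIR are placeholders, and the output file names follow the post's copy commands.

```shell
#!/bin/sh
# Added example, not the original post's script: a renewal hook for Proxmox that
# runs the ACME client, then installs the new key and chain into the pveproxy
# paths only when the renewal succeeded, the key matches the certificate, and
# the files changed, so pveproxy is not restarted for nothing.
# The client is assumed to be acme.sh; DOMAIN, ACME_HOME and CERT_DIR are
# placeholders to adapt to your setup.

DOMAIN="${DOMAIN:-pve.example.internal}"          # placeholder domain
ACME_HOME="${ACME_HOME:-/root/.acme.sh}"           # placeholder client directory
CERT_DIR="${CERT_DIR:-$ACME_HOME/$DOMAIN}"         # where the client writes output (assumed)
PVE_KEY="${PVE_KEY:-/etc/pve/local/pveproxy-ssl.key}"  # paths from the post
PVE_PEM="${PVE_PEM:-/etc/pve/local/pveproxy-ssl.pem}"
RESTART_CMD="${RESTART_CMD:-systemctl restart pveproxy}"

# install_if_changed SRC DST: copy SRC to DST only when the content differs.
# Returns 0 when a new file was installed, 1 when DST was already current.
install_if_changed() {
    src="$1"; dst="$2"
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    # write beside the target and rename, so pveproxy never reads a
    # half-written key or chain
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp" && mv "$tmp" "$dst"
}

# key_matches_cert KEY CERT: compare the public key derived from the private
# key with the one inside the certificate; a mismatched pair would break the UI.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# renew_and_install NEW_KEY NEW_PEM RENEW_CMD...: run RENEW_CMD, then install.
# Returns 0 if new files were installed and pveproxy was restarted,
#         1 if the renewal produced nothing new,
#         2 if RENEW_CMD failed (acme.sh also exits non-zero when not yet due),
#         3 if NEW_KEY and NEW_PEM do not belong together (nothing installed).
renew_and_install() {
    new_key="$1"; new_pem="$2"; shift 2
    "$@" >/dev/null 2>&1 || return 2
    key_matches_cert "$new_key" "$new_pem" || return 3
    n=0
    install_if_changed "$new_key" "$PVE_KEY" && n=$((n + 1))
    install_if_changed "$new_pem" "$PVE_PEM" && n=$((n + 1))
    [ "$n" -gt 0 ] || return 1
    $RESTART_CMD
}

main() {
    renew_and_install "$CERT_DIR/$DOMAIN.key" "$CERT_DIR/fullchain.cer" \
        "$ACME_HOME/acme.sh" --renew -d "$DOMAIN"
    case $? in
        0) echo "installed renewed certificate for $DOMAIN" ;;
        1) echo "certificate for $DOMAIN unchanged" ;;
        2) echo "renewal for $DOMAIN did not run (failed or not yet due)" ;;
        3) echo "key/certificate mismatch for $DOMAIN, nothing installed" >&2; exit 1 ;;
    esac
}

# Only run when invoked as the script itself (e.g. from cron), not when sourced.
if [ "$(basename -- "$0")" = "pve-renew-hook.sh" ]; then
    main
fi
```

Save it as /root/pve-renew-hook.sh, make it executable, and point the cron entry at it. Because the install step compares files before copying, running it more often than monthly is harmless: a client run that renews nothing leaves pveproxy untouched, and a mismatched key/certificate pair is reported instead of installed.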