Proxmox Let's Encrypt

Intro

We operate a Proxmox cluster that is not exposed to the public internet, but we still wanted to secure the web interfaces with trusted certificates to avoid constantly clicking through TLS warnings. Thanks to the ACME DNS-01 challenge, Let's Encrypt is happy to issue valid certificates for hostnames that resolve to private IPs: control of the name is proven with a TXT record in public DNS, so no service on the server needs to be reachable from the internet. The hostname does have to live in a public DNS zone you control (Let's Encrypt cannot issue for private or made-up domains), and the issued certificate, hostname included, is published in the public Certificate Transparency logs, so the names of internal hosts become public knowledge.

Guide

Start by installing acme.sh. The one-liner below runs a script fetched from the internet straight into your shell; on a hypervisor it is worth downloading it to a file and reading it first, or cloning the project's git repository and running ./acme.sh --install from the checkout instead. Either way the installer also adds a daily cron job that runs acme.sh --cron; that job only renews certificates that are due, it does not copy anything into Proxmox.

wget -O -  https://get.acme.sh | sh  
source ~/.bashrc  

Next we need to issue the certificate. The command below uses acme.sh's manual DNS mode; current acme.sh releases refuse it unless you also pass --yes-I-know-dns-manual-mode-enough-go-ahead-please, because a certificate issued this way cannot be renewed without a human adding a new TXT record. If your DNS provider has an API, use the matching plugin instead (for example --dns dns_cf for Cloudflare) and the whole flow, renewals included, becomes unattended.

acme.sh --issue --dns -d yourdomain.example.com --yes-I-know-dns-manual-mode-enough-go-ahead-please  

When we run this command, it responds with the TXT record you must create under _acme-challenge.yourdomain.example.com to prove control of the name. Add the record as indicated and confirm it has propagated (for example with dig +short TXT _acme-challenge.yourdomain.example.com) before proceeding; Let's Encrypt queries the authoritative servers, so a record that is not visible yet fails the challenge.

With the TXT record in place, run --renew: acme.sh completes the challenge and writes the key, certificate and full chain under /root/.acme.sh/yourdomain.example.com/. Note that acme.sh 3.x issues ECC certificates by default and stores those in a yourdomain.example.com_ecc directory instead; renewing such a certificate needs --renew -d yourdomain.example.com --ecc and the paths in the script below must be adjusted to match. Passing --keylength 2048 at issue time gives the RSA layout the script assumes.

acme.sh --renew -d yourdomain.example.com  

Finally, we should automate the renewal process. One caveat up front: in manual DNS mode this only works on paper, because every renewal is a new ACME order with a new challenge token, so the TXT record from the first issuance no longer validates and the scheduled --renew will fail (quietly, since its output is discarded). Unattended renewal needs a DNS API plugin; with one configured, the script below does the job. To do this, we created a script as follows:

#!/bin/bash
#File: /root/renewLE.sh
export LE_WORKING_DIR="/root/.acme.sh"
DOMAIN=yourdomain.example.com
cd /root/.acme.sh || exit 1

# --renew exits non-zero when the certificate is not yet due (or the
# challenge fails), so the copy and restart only run after a real renewal.
# Only stdout is discarded; errors still reach cron's mail.
if ./acme.sh --renew -d "$DOMAIN" >/dev/null; then
  cp "/root/.acme.sh/$DOMAIN/$DOMAIN.key" /etc/pve/local/pveproxy-ssl.key
  cp "/root/.acme.sh/$DOMAIN/fullchain.cer" /etc/pve/local/pveproxy-ssl.pem
  systemctl restart pveproxy
fi

And add the following to your crontab. This checks once a month; acme.sh renews a 90-day certificate once it is 60 days old, so with a monthly check the renewal can land anywhere up to day 90, leaving no room for a transient failure. Because --renew is a no-op when the certificate is not due, running the script daily instead costs nothing and is safer.

0 0 1 * * /root/renewLE.sh  
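A stricter replacement for the two copy commands, added here as an example; it is not the page's script and not part of acme.sh or Proxmox. Before anything lands in /etc/pve/local it checks that the private key matches the certificate, that the certificate actually covers the domain, and that it is not about to expire; if any check fails, the running pveproxy configuration is left alone and the reason goes to stderr (which cron mails). The acme.sh output paths, the /etc/pve/local targets and the restart command are assumptions that mirror the guide; the optional target-directory and reload-command arguments only exist so the checks can be exercised against a scratch directory.

```shell
#!/bin/bash
# Added example for this guide (not the page's own renewLE.sh, and not part
# of acme.sh or Proxmox): check what acme.sh produced before it is copied
# into the pveproxy paths, so a bad renewal cannot leave the web UI with a
# key/certificate pair that does not match. The acme.sh output layout, the
# /etc/pve/local targets and the restart command are assumptions that mirror
# the guide; the optional 4th/5th arguments of install_cert override them.
set -eu

# Succeeds only if the private key and the certificate share a public key.
key_matches_cert() {
  local key="$1" cert="$2" kpub cpub
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  [ "$kpub" = "$cpub" ]
}

# Succeeds only if the certificate's SAN (or CN) covers the hostname.
cert_covers_host() {
  local host="$1" cert="$2" out
  out=$(openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null) || return 1
  case "$out" in
    *"does match"*) return 0 ;;   # openssl prints "does NOT match" otherwise
    *) return 1 ;;
  esac
}

# Succeeds only if the certificate is still valid DAYS days from now.
cert_valid_for_days() {
  local cert="$1" days="$2"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# install_cert DOMAIN KEY FULLCHAIN [TARGET_DIR] [RELOAD_CMD]
# Leaves TARGET_DIR untouched unless every check passes.
install_cert() {
  local domain="$1" key="$2" chain="$3"
  local target="${4:-/etc/pve/local}"
  local reload="${5:-systemctl restart pveproxy}"

  key_matches_cert "$key" "$chain" ||
    { echo "refusing: $key does not match $chain" >&2; return 1; }
  cert_covers_host "$domain" "$chain" ||
    { echo "refusing: $chain does not cover $domain" >&2; return 1; }
  cert_valid_for_days "$chain" 1 ||
    { echo "refusing: $chain expires within a day (or already has)" >&2; return 1; }

  [ -d "$target" ] || mkdir -p "$target"
  cp "$key" "$target/pveproxy-ssl.key"
  cp "$chain" "$target/pveproxy-ssl.pem"
  sh -c "$reload"
}

# When run with the domain as its only argument (from the renewal script's
# success branch), install the files acme.sh wrote for that domain.
if [ $# -ge 1 ]; then
  install_cert "$1" "/root/.acme.sh/$1/$1.key" "/root/.acme.sh/$1/fullchain.cer"
fi
```

Call it with the domain as its single argument from the success branch of the renewal script, in place of the two cp lines and the restart. Everything it relies on (openssl, cp, sh) is present on a stock Proxmox node; the -checkhost and -checkend options it uses are standard openssl x509 options.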

Aside

In the Proxmox documentation for acme.sh, there is a reference to adding the following options:

--keypath /etc/pve/local/pveproxy-ssl.key --fullchainpath /etc/pve/local/pveproxy-ssl.pem --reloadcmd "systemctl restart pveproxy"

These did not work for us, however, and rather than look into why they failed, we simply added the two copy commands and the reload command to our renewal script.

For the record, those three options belong to acme.sh's --install-cert step (--keypath and --fullchainpath are the older spellings of --key-file and --fullchain-file). Running acme.sh --install-cert -d yourdomain.example.com with them once, after the certificate exists, makes acme.sh record the target paths and the reload command and apply them after every later renewal, including renewals performed by its own daily cron job, which makes the copy commands in the script above unnecessary.