We operate a Proxmox cluster which is not exposed to the public internet, but we still wanted to secure the appliances with good certificates to avoid constantly clicking through SSL warnings. Thanks to the ACME DNS challenge, Let's Encrypt is happy to issue valid certificates for domains that point to private IPs without needing to expose any service of the server to the public internet.
Start by installing acme.sh:

wget -O - https://get.acme.sh | sh
source ~/.bashrc
Next we need to issue the certificate.
acme.sh --issue --dns -d yourdomain.example.com
When we run this command, it'll respond with information about how to update your DNS to verify ownership of the domain. You'll need to add the TXT record as indicated before proceeding.
With DNS updated as required by acme.sh, we can run --renew to get the certificate issued.
acme.sh --renew -d yourdomain.example.com
Finally, we should automate the renewal process. To do this, we created a script as follows:
#!/bin/bash
# File: /root/renewLE.sh
export LE_WORKING_DIR="/root/.acme.sh"
DOMAIN=yourdomain.example.com

# Abort if the acme.sh directory is missing rather than running in the wrong place
cd /root/.acme.sh || exit 1

# Only deploy and restart pveproxy when acme.sh reports a successful renewal
if ./acme.sh --renew -d "$DOMAIN" >/dev/null; then
    cp "/root/.acme.sh/$DOMAIN/$DOMAIN.key" /etc/pve/local/pveproxy-ssl.key
    cp "/root/.acme.sh/$DOMAIN/fullchain.cer" /etc/pve/local/pveproxy-ssl.pem
    systemctl restart pveproxy
fi
Then add the following line to your crontab (it runs the script at midnight on the first of every month):
0 0 1 * * /root/renewLE.sh
In the Proxmox documentation of acme.sh, there is reference to adding the following options:

--keypath /etc/pve/local/pveproxy-ssl.key
--fullchainpath /etc/pve/local/pveproxy-ssl.pem
--reloadcmd "systemctl restart pveproxy"
These did not work for us, however, and rather than look into why they failed, we simply added the two copy commands and the reload command to our renewal script.
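A stricter version of the renewal script above, added here as an example rather than the script from the original post: it refuses to overwrite the pveproxy key pair unless the renewed chain actually belongs to the private key and is not about to expire, installs the files with restrictive modes, and only then restarts pveproxy. It assumes acme.sh under /root/.acme.sh with the file layout shown above; the function names (cert_matches_key, cert_valid_for, deploy_cert, renew_and_deploy) are chosen here.

```shell
#!/bin/bash
# Added example, not the original post's script. Assumes acme.sh lives under
# /root/.acme.sh and stores the pair as <domain>/<domain>.key and
# <domain>/fullchain.cer, as in the post. Function names are chosen here.
set -u

# Return 0 only if the certificate's public key matches the private key.
# Guards against deploying a chain that does not belong to the key.
cert_matches_key() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate does not expire within $2 seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Validate the pair, install it with restrictive modes, then run the reload
# command. Arguments: key chain destdir reloadcmd. Nothing is written and the
# service is not restarted if any check fails.
deploy_cert() {
    local key="$1" chain="$2" dest="$3" reload="$4"
    cert_matches_key "$chain" "$key" || { echo "key/cert mismatch, not deploying" >&2; return 1; }
    cert_valid_for "$chain" 86400 || { echo "chain expires within a day, not deploying" >&2; return 1; }
    install -m 0600 "$key" "$dest/pveproxy-ssl.key" || return 1
    install -m 0644 "$chain" "$dest/pveproxy-ssl.pem" || return 1
    $reload
}

# Cron entry point: renew, and deploy only when acme.sh reports success.
# acme.sh exits non-zero both when renewal is not yet due and when it fails.
renew_and_deploy() {
    local domain="$1" le_dir="${LE_WORKING_DIR:-/root/.acme.sh}"
    "$le_dir/acme.sh" --home "$le_dir" --renew -d "$domain" >/dev/null || return 1
    deploy_cert "$le_dir/$domain/$domain.key" "$le_dir/$domain/fullchain.cer" \
        /etc/pve/local "systemctl restart pveproxy"
}

# Invoke as "/root/renewLE.sh --run" from cron
if [ "${1:-}" = "--run" ]; then
    renew_and_deploy yourdomain.example.com
fi
```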