dah85.com


Today I will be setting up SSL certificates for Proxmox 5 so that the web UI is served over HTTPS with a trusted certificate instead of the self-signed cert that comes with Proxmox, which is rather insecure.

I will be doing this with Certbot.

First, we need to install Certbot:

apt install certbot -y 

Now, we need to set up the domain we're using for PVE and obtain a certificate:

certbot certonly

I will be using option 2, to spin up a temporary webserver so that certbot can verify that the domain points to the IP of the Proxmox server.

Now, we need to copy the cert files into the Proxmox directory like this (replace yourdomain.com with your own domain):

cp /etc/letsencrypt/live/yourdomain.com/fullchain.pem /etc/pve/local/pveproxy-ssl.pem
cp /etc/letsencrypt/live/yourdomain.com/privkey.pem /etc/pve/local/pveproxy-ssl.key

And when that's done, we need to refresh Proxmox so it can be aware of the changes:

systemctl restart pveproxy

You should now see that the web UI is served over HTTPS with a valid certificate - no more warnings :)

We need to make this permanent, so we'll create a cron job to keep it updated and renew the cert as needed:

crontab -e

Then paste the following on a new line (a crontab opened with crontab -e has no user field, so the command follows the schedule directly):

30 6 1,15 * * /usr/bin/certbot renew --quiet --post-hook /usr/local/bin/renew-pve-certs.sh

Press Control-X to exit, Y to save, and Enter to save the file with the original name.
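The cron line calls /usr/local/bin/renew-pve-certs.sh, which this post does not show. The following is an added example of what that script could contain, not the author's own script: it repeats the two cp commands and the pveproxy restart from above, but only after checking that the renewed files are real PEM files and have actually changed. DOMAIN is a placeholder, and the LIVE_DIR, PVE_DIR and RESTART_CMD variables are names assumed here so the paths can be overridden.

```shell
#!/bin/sh
# Added example, not from the original post: one possible renew-pve-certs.sh.
# DOMAIN is a placeholder; LIVE_DIR, PVE_DIR and RESTART_CMD are names chosen
# here, defaulting to the paths and restart command used in the post.
DOMAIN="${DOMAIN:-yourdomain.com}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"
PVE_DIR="${PVE_DIR:-/etc/pve/local}"
RESTART_CMD="${RESTART_CMD:-systemctl restart pveproxy}"

# Succeed only if file $1 is non-empty and holds a PEM block of type $2.
is_pem() {
    [ -s "$1" ] && grep -q -- "-----BEGIN $2-----" "$1" &&
        grep -q -- "-----END $2-----" "$1"
}

# Copy the renewed pair into the Proxmox directory and restart pveproxy.
# Returns 0 on success or when nothing changed, 1 if a source file looks
# wrong (nothing is copied), 2 if a copy fails.
deploy_pve_certs() {
    src_cert="$LIVE_DIR/fullchain.pem"
    src_key="$LIVE_DIR/privkey.pem"
    dst_cert="$PVE_DIR/pveproxy-ssl.pem"
    dst_key="$PVE_DIR/pveproxy-ssl.key"

    is_pem "$src_cert" "CERTIFICATE" ||
        { echo "not a PEM certificate: $src_cert" >&2; return 1; }
    is_pem "$src_key" "PRIVATE KEY" || is_pem "$src_key" "RSA PRIVATE KEY" ||
        is_pem "$src_key" "EC PRIVATE KEY" ||
        { echo "not a PEM private key: $src_key" >&2; return 1; }

    # --post-hook fires after a renewal attempt, not only after a success,
    # so skip the copy and restart when the installed files are already current.
    if cmp -s "$src_cert" "$dst_cert" && cmp -s "$src_key" "$dst_key"; then
        return 0
    fi

    cp "$src_key" "$dst_key" && cp "$src_cert" "$dst_cert" || return 2
    $RESTART_CMD
}

# Run only when executed under its own name, not when sourced elsewhere.
case "${0##*/}" in renew-pve-certs.sh) deploy_pve_certs ;; esac
```

Save it as /usr/local/bin/renew-pve-certs.sh with DOMAIN set to your own domain, and make it executable with chmod +x so certbot can run it.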

And we're done :)

I'm going to add something extra here because it might apply to you too. If you're also running VestaCP on your Proxmox server, with ports 80 and 443 forwarded to your VestaCP server, the certbot method shown will fail, because the validation request reaches the VestaCP server rather than certbot's temporary webserver. What we need to do is set up the PVE domain in VestaCP first, which will work, then copy the files from VestaCP to Proxmox and then follow the steps. I'll clarify this if someone comments requesting more details.