dah85.com

*not* just another blog ;)

Today I will be setting up an SSL certificate for the Proxmox 5 web UI, so that it presents a certificate browsers trust instead of the self-signed one Proxmox generates at install time. Proxmox already serves the UI over HTTPS (port 8006); the trouble with the self-signed certificate is that every browser warns about it, and once you are used to clicking through that warning you can no longer tell the real host from someone impersonating it.

I will be doing this with Certbot.

First, we need to install Certbot:

apt install certbot -y 

Now, we need to set up the domain we're using for PVE and obtain a certificate:

certbot certonly

I will be using option 2, the one that spins up a temporary webserver (the standalone plugin). Certbot listens on port 80 just long enough to answer the HTTP-01 challenge, so the domain must resolve to the Proxmox host and port 80 must be reachable from the internet. Proxmox itself only uses 8006, so the port is normally free.

Now, we need to copy the cert files into the Proxmox directory. pveproxy uses /etc/pve/local/pveproxy-ssl.pem and pveproxy-ssl.key whenever both exist (the key must not be passphrase protected, and the .pem should contain the full chain), so:

cp /etc/letsencrypt/live/**yourdomain.com**/fullchain.pem /etc/pve/local/pveproxy-ssl.pem
cp /etc/letsencrypt/live/**yourdomain.com**/privkey.pem /etc/pve/local/pveproxy-ssl.key

And when that's done, we need to refresh Proxmox so it can be aware of the changes:

systemctl restart pveproxy

Reload the web UI (https://yourdomain.com:8006) and the browser should show it served over HTTPS with a certificate it trusts - no more warnings :)

We need to make this permanent. Let's Encrypt certificates are only valid for 90 days, so schedule certbot renew and give it a post-hook that repeats the two cp commands and the pveproxy restart from above (the post-hook below points at /usr/local/bin/renew-pve-certs.sh; that script is yours to write and has to contain those three commands). Open root's crontab:

crontab -e

Then paste the following on a new line:

30 6 1,15 * * /usr/bin/certbot renew --quiet --post-hook /usr/local/bin/renew-pve-certs.sh

There is deliberately no user column: crontab -e edits a per-user crontab, where the sixth field is already the command. A root field belongs only in /etc/crontab and /etc/cron.d/* entries; in a user crontab it makes cron try to run a program called root, the renewal never happens, and cron's only complaint is a mail to the local root mailbox. Also check whether your certbot package already installed its own renewal job (on Debian, /etc/cron.d/certbot or the certbot.timer systemd unit). If it did, that job renews without your hook and the copy into /etc/pve never runs, so either disable it or make the hook fire on every renewal (newer certbot versions run any executable placed in /etc/letsencrypt/renewal-hooks/deploy/).

If crontab opened nano: Control-X to exit, Y to save and press Enter to keep the original file name.
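The cron line hands the renewal off to /usr/local/bin/renew-pve-certs.sh, which the post never shows. Below is an added example of what that script could contain; it is my code, not the author's. It repeats the two cp commands and the pveproxy restart from above, but first checks that the renewed fullchain.pem and privkey.pem belong together and that the certificate is not about to expire, because pveproxy will not start with a certificate and key that do not match and you would lock yourself out of the web UI. Assumptions (mine, not from the post): the PVE hostname comes from the DOMAIN environment variable or is edited in, the script only touches the live system when called with the argument deploy (so the cron line would use --post-hook '/usr/local/bin/renew-pve-certs.sh deploy'), and openssl is installed, which it is on Proxmox.

```shell
#!/bin/sh
# renew-pve-certs.sh - example post-hook for the certbot renew cron job.
# Hypothetical script: the post names it but never shows it. Copies a renewed
# Let's Encrypt pair into the Proxmox node directory after checking that the
# pair is consistent and not expired, then restarts pveproxy.
set -eu

DOMAIN="${DOMAIN:-yourdomain.com}"                    # assumption: your PVE hostname
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}" # certbot's live/ dir (symlinks into archive/)
PVE_DIR="${PVE_DIR:-/etc/pve/local}"                  # pmxcfs per-node directory read by pveproxy

# The public key inside the certificate must equal the one derived from the
# private key. Both commands emit the SubjectPublicKeyInfo as PEM, so the two
# strings can be compared directly; any openssl failure counts as a mismatch.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate stays valid for at least $2 seconds (default: one day).
cert_still_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-86400}" >/dev/null
}

# Copy fullchain + key into the PVE directory under the names pveproxy expects.
# cp -L dereferences certbot's symlinks so /etc/pve receives regular files.
# Refuses (and leaves the currently installed pair alone) on a mismatch.
install_pve_cert() {
    src="$1"; dst="$2"
    if ! cert_matches_key "$src/fullchain.pem" "$src/privkey.pem"; then
        echo "refusing to install: $src/fullchain.pem does not match $src/privkey.pem" >&2
        return 1
    fi
    if ! cert_still_valid "$src/fullchain.pem"; then
        echo "refusing to install: $src/fullchain.pem is expired or about to expire" >&2
        return 1
    fi
    cp -L "$src/fullchain.pem" "$dst/pveproxy-ssl.pem"
    cp -L "$src/privkey.pem"   "$dst/pveproxy-ssl.key"
}

# Only the "deploy" argument touches the live system (my convention for this
# script); sourcing the file just defines the functions so they can be tested.
if [ "${1:-}" = deploy ]; then
    install_pve_cert "$LIVE_DIR" "$PVE_DIR"
    systemctl restart pveproxy
fi
```

To try the checks without touching Proxmox, point LIVE_DIR and PVE_DIR at scratch directories and call install_pve_cert from a shell that has sourced the file; a key that does not belong to the certificate is rejected before anything is copied.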

And we're done :)

I'm going to add something extra here because it might apply to you too: if you're also running VestaCP in a guest on your Proxmox server and forward ports 80 and 443 to that guest, the standalone method shown above fails, because the challenge request for the PVE hostname lands on VestaCP instead of on the Proxmox host. What we need to do is set up the PVE domain in VestaCP first and let it obtain the certificate there, then copy the files from VestaCP to Proxmox and follow the copy and restart steps above. I'll clarify this if someone comments requesting more details.

In a previous post I spoke about setting up the SSL cert for mail, but the VestaCP web interface also needs SSL set up. The steps are similar, without the extra permission changes needed for mail.

Here's what I did, just make sure you replace the example with your own domain. If you're running as root, use these commands as they are; otherwise put sudo in front of them all. VestaCP ships its own self-signed pair in /usr/local/vesta/ssl, so the -f is needed to replace it (move the old files aside first if you want to keep them):

ln -sf /home/admin/conf/web/ssl.example.com.pem /usr/local/vesta/ssl/certificate.crt
ln -sf /home/admin/conf/web/ssl.example.com.key /usr/local/vesta/ssl/certificate.key

If the panel still shows the old certificate, restart Apache and the vesta service (the panel's own web server on port 8083) and it will serve the new cert :)

Setting up SSL for Mail in VestaCP

- Posted in Quick Tip

I'm still playing with my VestaCP install, and I've found that outgoing mail doesn't work correctly when using Thunderbird or any other mail client, except webmail, which works perfectly.

It turns out there's an issue with the SSL certificates and Exim (the mail server).

Here's what I did to fix it, just make sure you replace the example with your own domain. If you're running as root, use these commands as they are; otherwise put sudo in front of them all. The -f replaces the self-signed pair VestaCP installed in /usr/local/vesta/ssl:

ln -sf /home/admin/conf/web/ssl.example.com.pem /usr/local/vesta/ssl/certificate.crt
ln -sf /home/admin/conf/web/ssl.example.com.key /usr/local/vesta/ssl/certificate.key

Then give the Exim user read access to the key pair. The ACL entries are what actually lets the Debian-exim account read the files (setfacl also widens the ACL mask so the new entries take effect):

setfacl -m user:Debian-exim:r-- /home/admin/conf/web/ssl.example.com.pem
setfacl -m user:Debian-exim:r-- /home/admin/conf/web/ssl.example.com.key

As a fallback, hand the files to the mail group as well. Read is all the mail server needs, so use 640 rather than 660: a daemon that can overwrite the private key can replace it with one of its own, and since the group bits of the mode double as the ACL mask, r-- keeps the Debian-exim entry effective:

chgrp mail /home/admin/conf/web/ssl.example.com.pem
chmod 640 /home/admin/conf/web/ssl.example.com.pem
chgrp mail /home/admin/conf/web/ssl.example.com.key
chmod 640 /home/admin/conf/web/ssl.example.com.key
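Both VestaCP fixes above point the panel and Exim at the same Let's Encrypt key under /home/admin/conf/web, so it is worth checking afterwards that the key is readable by the intended service only. The script below is an added example (my code, not from the post): it classifies a key file's mode and applies the permission change with read-only group access. It uses GNU stat, so it is Linux-only, and the service user and group (Debian-exim, mail) are the ones from the post, overridable as arguments.

```shell
#!/bin/sh
# Added check for the VestaCP key permissions (example code, not from the post).
# After granting Exim read access, confirm the private key is not reachable by
# every local account and not writable by the mail group. GNU stat, Linux only.

# Octal mode of a file without leading zeros, e.g. 640 or 2640 (setgid).
file_mode() {
    stat -c '%a' "$1"
}

# Classify a private key's mode:
#   world-accessible  the "other" digit is non-zero: any local user could read (or
#                     at least touch) the key
#   group-writable    the group digit allows writing (2, 3, 6, 7): a compromised
#                     daemon in the group could replace the key with one it controls
#   ok                owner rw, group read at most, nothing for others
key_mode_verdict() {
    mode=$(file_mode "$1") || return 1
    other=${mode#"${mode%?}"}      # last digit: everyone else
    rest=${mode%?}
    group=${rest#"${rest%?}"}      # second-to-last digit: owning group
    case $other in
        0) ;;
        *) echo world-accessible; return 0 ;;
    esac
    case $group in
        2|3|6|7) echo group-writable ;;
        *) echo ok ;;
    esac
}

# The fix from the post with read-only group access (640 instead of 660). Needs root.
# The named ACL entry is what lets the service user read the file; chmod 640 sets the
# owning group's bits and therefore the ACL mask to r--, which is all that entry needs.
grant_service_read() {
    file="$1"; svc_user="${2:-Debian-exim}"; svc_group="${3:-mail}"
    setfacl -m "user:$svc_user:r--" "$file"
    chgrp "$svc_group" "$file"
    chmod 640 "$file"
}

# Usage: sh keyperms.sh check /home/admin/conf/web/ssl.example.com.key [more files]
if [ "${1:-}" = check ]; then
    shift
    for f in "$@"; do
        printf '%s: %s (mode %s)\n' "$f" "$(key_mode_verdict "$f")" "$(file_mode "$f")"
    done
fi
```

Run it with check against the .pem and .key after applying the setfacl/chgrp/chmod steps; anything other than ok for the key means a local account that is neither admin nor the mail server can get at it.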

Now you should be able to send email from a mail client without it complaining about certificates :)

Setting up LetsEncrypt free SSL

- Posted in Quick Tip

Today I will be installing and automatically renewing a free SSL certificate with LetsEncrypt.

Here's what I would do for the domain dah85.com

apt-get install nano python-letsencrypt-apache
letsencrypt --apache -d dah85.com
letsencrypt --apache --expand -d dah85.com -d www.dah85.com
letsencrypt renew
crontab -e
1 1 * * 1 /usr/bin/letsencrypt renew >> /var/log/letsencrypt-renewal.log 2>&1

The cron job runs once a week, well inside the 30-day window in which renew replaces a certificate that is about to expire; the 2>&1 sends errors to the same log file instead of to cron's local mail, so a failed renewal is actually visible.

Done :)

The --apache plugin also edits the Apache virtual host for the domain, so anything served by it, like Nextcloud, gets HTTPS without further setup.

EDIT 0: If it complains that letsencrypt does not exist when installing, try installing python-certbot-apache instead. I found this happens in Ubuntu 17.04.

EDIT 1: Someone kindly pointed out that www.dah85.com didn't work, so I added the command "letsencrypt --apache --expand -d dah85.com -d www.dah85.com" after it and that fixed it :) Thanks Chris!

-Dave