Commit | Line | Data |
---|---|---|
81b3c41f DM |
1 | SSL certificate |
2 | --------------- | |
3 | ||
4 | Access to the administration web interface is always done via | |
5 | `https`. The default certificate is never valid for your browser and | |
f7198e12 | 6 | you always get warnings. |
81b3c41f DM |
7 | |
8 | If you want to get rid of these warnings, you have to generate a valid | |
9 | certificate for your server. | |
10 | ||
f7198e12 | 11 | Log in to your {pmg} via ssh or use the console: |
81b3c41f DM |
12 | |
13 | ---- | |
14 | openssl req -newkey rsa:2048 -nodes -keyout key.pem -out req.pem | |
15 | ---- | |
16 | ||
17 | Follow the instructions on the screen, see this example: | |
18 | ||
19 | ---- | |
20 | Country Name (2 letter code) [AU]: AT | |
21 | State or Province Name (full name) [Some-State]:Vienna | |
22 | Locality Name (eg, city) []:Vienna | |
23 | Organization Name (eg, company) [Internet Widgits Pty Ltd]: Proxmox GmbH | |
24 | Organizational Unit Name (eg, section) []:Proxmox Mail Gateway | |
25 | Common Name (eg, YOUR name) []: yourproxmox.yourdomain.com | |
26 | Email Address []:support@yourdomain.com | |
27 | ||
28 | Please enter the following 'extra' attributes to be sent with your certificate request | |
29 | A challenge password []: not necessary | |
30 | An optional company name []: not necessary | |
31 | ---- | |
32 | ||
33 | After you have finished this certificate request, you have to send the file | |
34 | `req.pem` to your Certification Authority (CA). The CA will issue the | |
35 | certificate (BASE64 encoded) based on your request – save this file as | |
f7198e12 | 36 | `cert.pem` to your {pmg}. |
81b3c41f | 37 | |
f7198e12 | 38 | To activate the new certificate, do the following on your {pmg}: |
81b3c41f DM |
39 | |
40 | ---- | |
41 | cat key.pem cert.pem >/etc/pmg/pmg-api.pem | |
42 | ---- | |
43 | ||
f7198e12 | 44 | Then restart the API servers: |
81b3c41f DM |
45 | |
46 | ---- | |
47 | systemctl restart pmgproxy | |
48 | ---- | |
49 | ||
50 | Test your new certificate by using your browser. | |
51 | ||
f7198e12 | 52 | NOTE: To transfer files from and to your {pmg}, you can use secure |
81b3c41f DM |
53 | copy: If your desktop is Linux, you can use the `scp` command line |
54 | tool. If your desktop PC is Windows, please use an scp client like | |
e9fb7667 | 55 | WinSCP (see https://winscp.net/). |
0fe083dc DM |
56 | |
57 | ||
58 | Change Certificate for Cluster Setups | |
59 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
60 | ||
61 | If you change the API certificate of an active cluster node, you also | |
62 | need to update the fingerprint inside the cluster configuration file | |
63 | `cluster.conf`. It is best to edit that file on the master node. | |
64 | ||
65 | To show the current fingerprint, use: | |
66 | ||
67 | ---- | |
68 | openssl x509 -in /etc/pmg/pmg-api.pem -noout -fingerprint -sha256 | |
69 | ---- |
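
Before the activation step (`cat key.pem cert.pem >/etc/pmg/pmg-api.pem`), it is worth confirming that the certificate returned by the CA really belongs to `key.pem`, and afterwards printing the fingerprint that goes into `cluster.conf`. The following is an added example, not part of the Proxmox documentation; the helper names `pubkey_digest`, `check_pair` and `cert_fingerprint` are hypothetical, and only the file names come from this page.

```shell
# Added example, not from the Proxmox documentation. The helper names are
# hypothetical; key.pem, cert.pem and /etc/pmg/pmg-api.pem are the file
# names used on this page.

# pubkey_digest: SHA-256 over the DER form of a PEM public key read from stdin.
pubkey_digest() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_pair KEY CERT
# Returns 0 if CERT carries the public key of KEY and has not expired,
# 1 on key/certificate mismatch, 2 if a file does not parse, 3 if expired.
check_pair() {
    key=$1 cert=$2
    # Parse both files first: a failed parse would otherwise produce two
    # identical digests of empty input and look like a match.
    # "-passin pass:" stops openssl from prompting; an encrypted key fails here.
    openssl pkey -in "$key" -passin pass: -noout 2>/dev/null ||
        { echo "cannot read private key: $key" >&2; return 2; }
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "cannot read certificate: $cert" >&2; return 2; }

    from_key=$(openssl pkey -in "$key" -passin pass: -pubout | pubkey_digest)
    from_cert=$(openssl x509 -in "$cert" -noout -pubkey | pubkey_digest)
    [ "$from_key" = "$from_cert" ] ||
        { echo "certificate does not belong to this key" >&2; return 1; }

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 3; }
}

# cert_fingerprint FILE: colon-separated SHA-256 fingerprint of the certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage on the gateway, before and after the activation step:
#   check_pair key.pem cert.pem && cat key.pem cert.pem >/etc/pmg/pmg-api.pem
#   cert_fingerprint /etc/pmg/pmg-api.pem
```

Running `check_pair` first keeps a mismatched or expired certificate from replacing a working `/etc/pmg/pmg-api.pem`.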