1 [[sysadmin_certificate_management]]
9 Certificates for communication within the cluster
10 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
12 Each {PVE} cluster creates its own internal Certificate Authority (CA) and
13 generates a self-signed certificate for each node. These certificates are used
14 for encrypted communication with the cluster's pveproxy service and the
15 Shell/Console feature if SPICE is used.
17 The CA certificate and key are stored in the xref:chapter_pmxcfs[Proxmox Cluster File System (pmxcfs)].
19 Certificates for API and web GUI
20 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
22 The REST API and web GUI are provided by the `pveproxy` service, which runs on
25 You have the following options for the certificate used by `pveproxy`:
27 1. By default the node-specific certificate in
28 `/etc/pve/nodes/NODENAME/pve-ssl.pem` is used. This certificate is signed by
29 the cluster CA and therefore not trusted by browsers and operating systems by
31 2. use an externally provided certificate (e.g. signed by a commercial CA).
32 3. use ACME (e.g., Let's Encrypt) to get a trusted certificate with automatic renewal.
34 For options 2 and 3 the file `/etc/pve/local/pveproxy-ssl.pem` (and
35 `/etc/pve/local/pveproxy-ssl.key`, which needs to be without password) is used.
37 Certificates are managed with the {PVE} Node management command
38 (see the `pvenode(1)` manpage).
40 WARNING: Do not replace or manually modify the automatically generated node
41 certificate files in `/etc/pve/local/pve-ssl.pem` and
42 `/etc/pve/local/pve-ssl.key` or the cluster CA files in
43 `/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`.
45 Getting trusted certificates via ACME
46 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
47 {PVE} includes an implementation of the **A**utomatic **C**ertificate
48 **M**anagement **E**nvironment **ACME** protocol, allowing {pve} admins to
49 interface with Let's Encrypt for easy setup of trusted TLS certificates which
50 are accepted out of the box on most modern operating systems and browsers.
52 Currently the two ACME endpoints implemented are Let's Encrypt (LE) and its
53 staging environment (see https://letsencrypt.org), both using the standalone
56 Because of https://letsencrypt.org/docs/rate-limits/[rate-limits] you should use
57 LE `staging` for experiments.
59 There are a few prerequisites to use Let's Encrypt:
61 1. **Port 80** of the node needs to be reachable from the internet.
62 2. There **must** be no other listener on port 80.
63 3. The requested (sub)domain needs to resolve to a public IP of the Node.
64 4. You have to accept the ToS of Let's Encrypt.
66 At the moment the GUI uses only the default ACME account.
68 .Example: Sample `pvenode` invocation for using Let's Encrypt certificates
71 root@proxmox:~# pvenode acme account register default mail@example.invalid
73 0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
74 1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
79 Attempting to fetch Terms of Service from 'https://acme-staging-v02.api.letsencrypt.org/directory'..
80 Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
81 Do you agree to the above terms? [y|N]y
83 Attempting to register account with 'https://acme-staging-v02.api.letsencrypt.org/directory'..
84 Generating ACME account key..
85 Registering ACME account..
86 Registration successful, account URL: 'https://acme-staging-v02.api.letsencrypt.org/acme/acct/xxxxxxx'
88 root@proxmox:~# pvenode acme account list
90 root@proxmox:~# pvenode config set --acme domains=example.invalid
91 root@proxmox:~# pvenode acme cert order
92 Loading ACME account details
94 Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/xxxxxxxxxxxxxx
96 Getting authorization details from
97 'https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxx-xxxxxxx'
100 Triggering validation
101 Sleeping for 5 seconds
104 All domains validated!
108 Checking order status
111 Downloading certificate
112 Setting pveproxy certificate and key
117 Automatic renewal of ACME certificates
118 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
120 If a node has been successfully configured with an ACME-provided certificate
121 (either via pvenode or via the GUI), the certificate will be automatically
122 renewed by the pve-daily-update.service. Currently, renewal will be attempted
123 if the certificate has expired or will expire in the next 30 days.