`/etc/pve/local/pve-ssl.key` or the cluster CA files in
`/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`.
+[[sysadmin_certs_upload_custom]]
+Upload Custom Certificate
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you already have a certificate which you want to use for a {pve} node you
+can upload that certificate simply over the web interface.
+
+[thumbnail="screenshot/gui-node-certs-upload-custom.png"]
+
+Note that the certificates key file, if provided, mustn't be password
+protected.
[[sysadmin_certs_get_trusted_acme_cert]]
Trusted certificates via Let's Encrypt (ACME)
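Review bot: the added note at the end of this hunk should read "the certificate's key file" (possessive), not "the certificates key file"; the preceding sentence also reads more naturally as "you can simply upload that certificate via the web interface" instead of "upload that certificate simply over the web interface".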
[[sysadmin_certs_acme_account]]
ACME Account
^^^^^^^^^^^^
+
+[thumbnail="screenshot/gui-datacenter-acme-register-account.png"]
+
You need to register an ACME account per cluster with the endpoint you want to
use. The email address used for that account will server as contact point for
renewal-due or similar notifications from the ACME endpoint.
-// TODO: screenshot of account register here
-
You can register and deactivate ACME accounts over the web interface
`Datacenter -> ACME` or using the `pvenode` command line tool.
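Review bot: replacing the "TODO: screenshot" comment with the thumbnail is fine, but the adjacent context line "The email address used for that account will server as contact point" still carries the typo "server" for "serve"; since this paragraph is already being touched, fix it in the same patch.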
----
the basis building block for automatic certificate management.
The ACME protocol specifies different types of challenges, for example the
-`http-01` where a webserver provides a file with a certain value to proof that
+`http-01` where a webserver provides a file with a certain value to prove that
it controls a domain. Sometimes this isn't possible, either because of
technical limitations or if the address a domain points to is not reachable
-from the public internet. For such cases one could use the `dns-01` challenge.
-That challenge provides also a certain value, but not over a text file, but
-through a DNS record on the authority name server of the domain.
+from the public internet. For such cases, one could use the `dns-01` challenge.
+This challenge also provides a certain value, but through a DNS record on the
+authority name server of the domain, rather than over a text file.
+
+[thumbnail="screenshot/gui-datacenter-acme-overview.png"]
{pve} supports both of those challenge types out of the box, you can configure
plugins either over the web interface under `Datacenter -> ACME`, or using the
`pvenode acme plugin add` command.
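Review bot: in the rewritten `dns-01` sentence, "authority name server" should be "authoritative name server", the standard DNS term for the server that answers for the zone in which the challenge record is published. Separately, the `[thumbnail="screenshot/gui-datacenter-acme-overview.png"]` line added here is followed directly by the "{pve} supports both of those challenge types" paragraph, whereas every other thumbnail in this patch is separated from its paragraph by a blank line; use one convention throughout.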
ACME Plugin configurations are stored in `/etc/pve/priv/acme/plugins.cfg`.
+A plugin is available for all nodes in the cluster.
+
+Node Domains
+^^^^^^^^^^^^
+
+Each domain is node specific. You can add new or manage existing domain entries
+under `Node -> Certificates`, or using the `pvenode config` command.
+
+[thumbnail="screenshot/gui-node-certs-add-domain.png"]
+
+After configuring the desired domain(s) for a node and ensuring that the
+desired ACME account is selected, you can order your new certificate over the
+web-interface. On success the interface will reload after 10 seconds.
+
+Renewal will happen xref:sysadmin_certs_acme_automatic_renewal[automatically].
[[sysadmin_certs_acme_http_challenge]]
ACME HTTP Challenge Plugin
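Review bot: the new Node Domains section writes "web-interface" with a hyphen while the rest of this patch (the Upload Custom Certificate section, the ACME Account paragraph) uses "web interface"; "node specific" should be "node-specific" as a compound modifier, and "On success the interface will reload after 10 seconds." wants a comma after "On success".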
The easiest way to configure a new plugin with the DNS API is using the web
interface (`Datacenter -> ACME`).
+[thumbnail="screenshot/gui-datacenter-acme-add-dns-plugin.png"]
+
Choose `DNS` as challenge type. Then you can select your API provider, enter
the credential data to access your account over their API.
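Review bot: the thumbnail added in this hunk sits directly under the sentence ending "interface (`Datacenter -> ACME`)." with no blank line before it, unlike the other added thumbnails, which are set off by blank lines on both sides; add the blank line for consistency.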
wiki for more detailed information about getting API credentials for your
provider.
-As there are so many API endpoints {pve} autogenerates the formular for the
+As there are so many API endpoints {pve} autogenerates the form for the
credentials, but not all providers are annotated yet. For those you will see a
bigger text area, simply copy all the credentials `KEY`=`VALUE` pairs in there.
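Review bot: "formular" to "form" is the right fix; while here, "copy all the credentials `KEY`=`VALUE` pairs" in the same paragraph should read "credential `KEY`=`VALUE` pairs". Since this free-form text area takes raw DNS API secrets, it would also help to restate at this point that plugin configurations, credentials included, are written to `/etc/pve/priv/acme/plugins.cfg` (as the earlier hunk states), so operators know where those secrets end up.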
If a node has been successfully configured with an ACME-provided certificate
(either via pvenode or via the GUI), the certificate will be automatically
-renewed by the pve-daily-update.service. Currently, renewal will be attempted
+renewed by the `pve-daily-update.service`. Currently, renewal will be attempted
if the certificate has expired already, or will expire in the next 30 days.