projects / pmg-docs.git / blame
| Commit | Line | Data |
|---|---|---|
| 81b3c41f DM |
1 | SSL certificate |
| 2 | --------------- | |
| 3 | ||
| 4 | Access to the administration web interface is always done via | |
| 5 | `https`. The default certificate is never valid for your browser and | |
| f7198e12 | 6 | you always get warnings. |
| 81b3c41f DM |
7 | |
| 8 | If you want to get rid of these warnings, you have to generate a valid | |
| 9 | certificate for your server. | |
| 10 | ||
| f7198e12 | 11 | Login to your {pmg} via ssh or use the console: |
| 81b3c41f DM |
12 | |
| 13 | ---- | |
| 14 | openssl req -newkey rsa:2048 -nodes -keyout key.pem -out req.pem | |
| 15 | ---- | |
| 16 | ||
| 17 | Follow the instructions on the screen, see this example: | |
| 18 | ||
| 19 | ---- | |
| 20 | Country Name (2 letter code) [AU]: AT | |
| 21 | State or Province Name (full name) [Some-State]:Vienna | |
| 22 | Locality Name (eg, city) []:Vienna | |
| 23 | Organization Name (eg, company) [Internet Widgits Pty Ltd]: Proxmox GmbH | |
| 24 | Organizational Unit Name (eg, section) []:Proxmox Mail Gateway | |
| 25 | Common Name (eg, YOUR name) []: yourproxmox.yourdomain.com | |
| 26 | Email Address []:support@yourdomain.com | |
| 27 | ||
| 28 | Please enter the following 'extra' attributes to be sent with your certificate request | |
| 29 | A challenge password []: not necessary | |
| 30 | An optional company name []: not necessary | |
| 31 | ---- | |
| 32 | ||
| 33 | After you finished this certificate request you have to send the file | |
| 34 | `req.pem` to your Certification Authority (CA). The CA will issue the | |
| 35 | certificate (BASE64 encoded) based on your request – save this file as | |
| f7198e12 | 36 | `cert.pem` to your {pmg}. |
| 81b3c41f | 37 | |
| f7198e12 | 38 | To activate the new certificate, do the following on your {pmg}: |
| 81b3c41f DM |
39 | |
| 40 | ---- | |
| 41 | cat key.pem cert.pem >/etc/pmg/pmg-api.pem | |
| 42 | ---- | |
| 43 | ||
| f7198e12 | 44 | Then restart the API servers: |
| 81b3c41f DM |
45 | |
| 46 | ---- | |
| 47 | systemctl restart pmgproxy | |
| 48 | ---- | |
| 49 | ||
| 50 | Test your new certificate by using your browser. | |
| 51 | ||
| f7198e12 | 52 | NOTE: To transfer files from and to your {pmg}, you can use secure |
| 81b3c41f DM |
53 | copy: If you desktop is Linux, you can use the `scp` command line |
| 54 | tool. If your desktop PC is windows, please use a scp client like | |
| e9fb7667 | 55 | WinSCP (see https://winscp.net/). |
| 0fe083dc DM |
56 | |
| 57 | ||
| 58 | Change Certificate for Cluster Setups | |
| 59 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| 60 | ||
| 61 | If you change the API certificate of an active cluster node, you also | |
| 62 | need to update the fingerprint inside the cluster configuration file | |
| 63 | `cluster.conf`. It is best to edit that file on the master node. | |
| 64 | ||
| 65 | To show the actual fingerprint use: | |
| 66 | ||
| 67 | ---- | |
| 68 | openssl x509 -in /etc/pmg/pmg-api.pem -noout -fingerprint -sha256 | |
| 69 | ---- |