Commit | Line | Data |
---|---|---|
81b3c41f DM |
1 | SSL certificate |
2 | --------------- | |
3 | ||
4 | The administration web interface is always accessed via | |
5 | `https`. The default certificate is not trusted by your browser, so | |
6 | you always get warnings. | |
7 | ||
8 | If you want to get rid of these warnings, you have to generate a valid | |
9 | certificate for your server. | |
10 | ||
11 | Log in to your Proxmox via SSH or use the console: | |
12 | ||
13 | ---- | |
14 | openssl req -newkey rsa:2048 -nodes -keyout key.pem -out req.pem | |
15 | ---- | |
16 | ||
17 | Follow the instructions on the screen; see this example: | |
18 | ||
19 | ---- | |
20 | Country Name (2 letter code) [AU]: AT | |
21 | State or Province Name (full name) [Some-State]:Vienna | |
22 | Locality Name (eg, city) []:Vienna | |
23 | Organization Name (eg, company) [Internet Widgits Pty Ltd]: Proxmox GmbH | |
24 | Organizational Unit Name (eg, section) []:Proxmox Mail Gateway | |
25 | Common Name (eg, YOUR name) []: yourproxmox.yourdomain.com | |
26 | Email Address []:support@yourdomain.com | |
27 | ||
28 | Please enter the following 'extra' attributes to be sent with your certificate request | |
29 | A challenge password []: not necessary | |
30 | An optional company name []: not necessary | |
31 | ---- | |
32 | ||
33 | After you have finished this certificate request, send the file | |
34 | `req.pem` to your Certification Authority (CA). The CA will issue the | |
35 | certificate (BASE64 encoded) based on your request. Save this file as | |
36 | `cert.pem` on your Proxmox. | |
37 | ||
38 | To activate the new certificate, do the following on your Proxmox: | |
39 | ||
40 | ---- | |
41 | cat key.pem cert.pem >/etc/pmg/pmg-api.pem | |
42 | ---- | |
43 | ||
44 | Then restart the API servers: | |
45 | ||
46 | ---- | |
47 | systemctl restart pmgproxy | |
48 | ---- | |
49 | ||
50 | Test your new certificate by using your browser. | |
51 | ||
52 | NOTE: To transfer files to and from your Proxmox, you can use secure | |
53 | copy: If your desktop is Linux, you can use the `scp` command line | |
54 | tool. If your desktop PC is Windows, please use an scp client like | |
55 | WinSCP (see http://winscp.net/). | |
0fe083dc DM |
56 | |
57 | ||
58 | Change Certificate for Cluster Setups | |
59 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
60 | ||
61 | If you change the API certificate of an active cluster node, you also | |
62 | need to update the fingerprint inside the cluster configuration file | |
63 | `cluster.conf`. It is best to edit that file on the master node. | |
64 | ||
65 | To show the current fingerprint, use: | |
66 | ||
67 | ---- | |
68 | openssl x509 -in /etc/pmg/pmg-api.pem -noout -fingerprint -sha256 | |
69 | ---- |
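
An added example (not part of the Proxmox documentation) that guards the activation step above: it writes the combined PEM only if `cert.pem` really belongs to `key.pem`, and prints the SHA-256 fingerprint needed for `cluster.conf`. The function names `key_matches_cert`, `install_api_pem` and `api_fingerprint` are hypothetical helpers, and the key is assumed to be unencrypted, as produced by `-nodes`.

```shell
#!/bin/sh
# Added example: pre-flight check before replacing /etc/pmg/pmg-api.pem.
# Function names are hypothetical; only standard openssl subcommands are used.

# Return 0 if the public key embedded in the certificate is the one that
# belongs to the private key, 1 if not, 2 if either file cannot be parsed.
key_matches_cert() {
    key_file=$1
    cert_file=$2
    key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Concatenate key and certificate into the target, as the page's `cat`
# command does, but refuse when the pair does not match. Redirecting into
# the existing file keeps its current owner and mode.
install_api_pem() {
    key_file=$1
    cert_file=$2
    target=$3
    key_matches_cert "$key_file" "$cert_file" || {
        echo "key and certificate do not match; $target left unchanged" >&2
        return 1
    }
    cat "$key_file" "$cert_file" > "$target"
}

# Print the SHA-256 fingerprint of the certificate in a PEM file, using the
# same command the page gives for updating cluster.conf.
api_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Typical use on the node (paths from the page):
#   install_api_pem key.pem cert.pem /etc/pmg/pmg-api.pem \
#       && api_fingerprint /etc/pmg/pmg-api.pem \
#       && systemctl restart pmgproxy
```

A mismatched pair is caught before `pmgproxy` is restarted, so the running API certificate stays in place until the CA's reply has been verified against the key generated on the node.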