[pve-docs.git] / certificate-management.adoc

[[sysadmin_certificate_management]]
Certificate Management
----------------------
ifdef::wiki[]
:pve-toplevel:
endif::wiki[]


Certificates for communication within the cluster
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Each {PVE} cluster creates its own (self-signed) Certificate Authority (CA) and
generates a certificate for each node which gets signed by the aforementioned
CA. These certificates are used for encrypted communication with the cluster's
`pveproxy` service and the Shell/Console feature if SPICE is used.

The CA certificate and key are stored in the xref:chapter_pmxcfs[Proxmox Cluster File System (pmxcfs)].

Certificates for API and web GUI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The REST API and web GUI are provided by the `pveproxy` service, which runs on
each node.

You have the following options for the certificate used by `pveproxy`:

1. By default the node-specific certificate in
`/etc/pve/nodes/NODENAME/pve-ssl.pem` is used. This certificate is signed by
the cluster CA and therefore not trusted by browsers and operating systems by
default.
2. use an externally provided certificate (e.g. signed by a commercial CA).
3. use ACME (e.g., Let's Encrypt) to get a trusted certificate with automatic
renewal, this is also integrated in the {pve} API and Webinterface.

For options 2 and 3 the file `/etc/pve/local/pveproxy-ssl.pem` (and
`/etc/pve/local/pveproxy-ssl.key`, which needs to be without password) is used.

NOTE: Keep in mind that `/etc/pve/local` is a node specific symlink to
`/etc/pve/nodes/NODENAME`.

Certificates are managed with the {PVE} Node management command
(see the `pvenode(1)` manpage).

WARNING: Do not replace or manually modify the automatically generated node
certificate files in `/etc/pve/local/pve-ssl.pem` and
`/etc/pve/local/pve-ssl.key` or the cluster CA files in
`/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`.

Getting trusted certificates via ACME
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
{PVE} includes an implementation of the **A**utomatic **C**ertificate
**M**anagement **E**nvironment **ACME** protocol, allowing {pve} admins to
interface with Let's Encrypt for easy setup of trusted TLS certificates which
are accepted out of the box on most modern operating systems and browsers.

Currently the two ACME endpoints implemented are Let's Encrypt (LE) and its
staging environment (see https://letsencrypt.org), both using the standalone
HTTP challenge.

Because of https://letsencrypt.org/docs/rate-limits/[rate-limits] you should use
LE `staging` for experiments.

There are a few prerequisites to use Let's Encrypt:

1. **Port 80** of the node needs to be reachable from the internet.
2. There **must** be no other listener on port 80.
3. The requested (sub)domain needs to resolve to a public IP of the Node.
4. You have to accept the ToS of Let's Encrypt.

At the moment the GUI uses only the default ACME account.

.Example: Sample `pvenode` invocation for using Let's Encrypt certificates

----
root@proxmox:~# pvenode acme account register default mail@example.invalid
Directory endpoints:
0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
2) Custom
Enter selection:
1

Attempting to fetch Terms of Service from 'https://acme-staging-v02.api.letsencrypt.org/directory'..
Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you agree to the above terms? [y|N]y

Attempting to register account with 'https://acme-staging-v02.api.letsencrypt.org/directory'..
Generating ACME account key..
Registering ACME account..
Registration successful, account URL: 'https://acme-staging-v02.api.letsencrypt.org/acme/acct/xxxxxxx'
Task OK
root@proxmox:~# pvenode acme account list
default
root@proxmox:~# pvenode config set --acme domains=example.invalid
root@proxmox:~# pvenode acme cert order
Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/xxxxxxxxxxxxxx

Getting authorization details from
'https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxx-xxxxxxx'
... pending!
Setting up webserver
Triggering validation
Sleeping for 5 seconds
Status is 'valid'!

All domains validated!

Creating CSR
Finalizing order
Checking order status
valid!

Downloading certificate
Setting pveproxy certificate and key
Restarting pveproxy
Task OK
----

Switching from the `staging` to the regular ACME directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Changing the ACME directory for an account is unsupported. If you want to switch
an account from the `staging` ACME directory to the regular, trusted, one you
need to deactivate it and recreate it.

This procedure is also needed to change the default ACME account used in the GUI.

.Example: Changing the `default` ACME account from the `staging` to the regular directory

----
root@proxmox:~# pvenode acme account info default
Directory URL: https://acme-staging-v02.api.letsencrypt.org/directory
Account URL: https://acme-staging-v02.api.letsencrypt.org/acme/acct/6332194
Terms Of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

Account information:
ID: xxxxxxx
Contact:
        - mailto:example@proxmox.com
Creation date: 2018-07-31T08:41:44.54196435Z
Initial IP: 192.0.2.1
Status: valid

root@proxmox:~# pvenode acme account deactivate default
Renaming account file from '/etc/pve/priv/acme/default' to '/etc/pve/priv/acme/_deactivated_default_4'
Task OK

root@proxmox:~# pvenode acme account register default example@proxmox.com
Directory endpoints:
0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
2) Custom
Enter selection:
0

Attempting to fetch Terms of Service from 'https://acme-v02.api.letsencrypt.org/directory'..
Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you agree to the above terms? [y|N]y

Attempting to register account with 'https://acme-v02.api.letsencrypt.org/directory'..
Generating ACME account key..
Registering ACME account..
Registration successful, account URL: 'https://acme-v02.api.letsencrypt.org/acme/acct/39335247'
Task OK
----

Automatic renewal of ACME certificates
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If a node has been successfully configured with an ACME-provided certificate
(either via pvenode or via the GUI), the certificate will be automatically
renewed by the pve-daily-update.service. Currently, renewal will be attempted
if the certificate has expired already, or will expire in the next 30 days.
Commit	Line	Data
aeecd9ea SI	1	[[sysadmin_certificate_management]]
	2	Certificate Management
	3	----------------------
	4	ifdef::wiki[]
	5	:pve-toplevel:
	6	endif::wiki[]
	7
	8
	9	Certificates for communication within the cluster
	10	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	11
94958b8b	12	Each {PVE} cluster creates its own (self-signed) Certificate Authority (CA) and
1a58a3c9 TL	13	generates a certificate for each node which gets signed by the aforementioned
	14	CA. These certificates are used for encrypted communication with the cluster's
	15	`pveproxy` service and the Shell/Console feature if SPICE is used.
aeecd9ea	16
2971c735	17	The CA certificate and key are stored in the xref:chapter_pmxcfs[Proxmox Cluster File System (pmxcfs)].
aeecd9ea SI	18
	19	Certificates for API and web GUI
	20	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	21
0e9c6c13 FG	22	The REST API and web GUI are provided by the `pveproxy` service, which runs on
0e9c6c13 FG	23	each node.
aeecd9ea SI	24
	25	You have the following options for the certificate used by `pveproxy`:
	26
0e9c6c13 FG	27	1. By default the node-specific certificate in
	28	`/etc/pve/nodes/NODENAME/pve-ssl.pem` is used. This certificate is signed by
	29	the cluster CA and therefore not trusted by browsers and operating systems by
	30	default.
	31	2. use an externally provided certificate (e.g. signed by a commercial CA).
da30f82a TL	32	3. use ACME (e.g., Let's Encrypt) to get a trusted certificate with automatic
da30f82a TL	33	renewal, this is also integrated in the {pve} API and Webinterface.
aeecd9ea	34
0e9c6c13	35	For options 2 and 3 the file `/etc/pve/local/pveproxy-ssl.pem` (and
aeecd9ea SI	36	`/etc/pve/local/pveproxy-ssl.key`, which needs to be without password) is used.
aeecd9ea SI	37
da30f82a TL	38	NOTE: Keep in mind that `/etc/pve/local` is a node specific symlink to
	39	`/etc/pve/nodes/NODENAME`.
	40
aeecd9ea SI	41	Certificates are managed with the {PVE} Node management command
	42	(see the `pvenode(1)` manpage).
	43
0e9c6c13 FG	44	WARNING: Do not replace or manually modify the automatically generated node
	45	certificate files in `/etc/pve/local/pve-ssl.pem` and
	46	`/etc/pve/local/pve-ssl.key` or the cluster CA files in
	47	`/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`.
aeecd9ea SI	48
	49	Getting trusted certificates via ACME
	50	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	51	{PVE} includes an implementation of the Automatic Certificate
	52	Management Environment ACME protocol, allowing {pve} admins to
0e9c6c13 FG	53	interface with Let's Encrypt for easy setup of trusted TLS certificates which
0e9c6c13 FG	54	are accepted out of the box on most modern operating systems and browsers.
aeecd9ea SI	55
	56	Currently the two ACME endpoints implemented are Let's Encrypt (LE) and its
	57	staging environment (see https://letsencrypt.org), both using the standalone
	58	HTTP challenge.
	59
	60	Because of https://letsencrypt.org/docs/rate-limits/[rate-limits] you should use
	61	LE `staging` for experiments.
	62
	63	There are a few prerequisites to use Let's Encrypt:
	64
	65	1. Port 80 of the node needs to be reachable from the internet.
	66	2. There must be no other listener on port 80.
0e9c6c13	67	3. The requested (sub)domain needs to resolve to a public IP of the Node.
aeecd9ea SI	68	4. You have to accept the ToS of Let's Encrypt.
	69
	70	At the moment the GUI uses only the default ACME account.
	71
	72	.Example: Sample `pvenode` invocation for using Let's Encrypt certificates
	73
b0014034	74	----
aeecd9ea SI	75	root@proxmox:~# pvenode acme account register default mail@example.invalid
	76	Directory endpoints:
	77	0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
	78	1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
	79	2) Custom
	80	Enter selection:
	81	1
	82
	83	Attempting to fetch Terms of Service from 'https://acme-staging-v02.api.letsencrypt.org/directory'..
	84	Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
	85	Do you agree to the above terms? [y\|N]y
	86
	87	Attempting to register account with 'https://acme-staging-v02.api.letsencrypt.org/directory'..
	88	Generating ACME account key..
	89	Registering ACME account..
	90	Registration successful, account URL: 'https://acme-staging-v02.api.letsencrypt.org/acme/acct/xxxxxxx'
	91	Task OK
	92	root@proxmox:~# pvenode acme account list
	93	default
	94	root@proxmox:~# pvenode config set --acme domains=example.invalid
	95	root@proxmox:~# pvenode acme cert order
	96	Loading ACME account details
	97	Placing ACME order
	98	Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/xxxxxxxxxxxxxx
	99
	100	Getting authorization details from
	101	'https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxx-xxxxxxx'
	102	... pending!
	103	Setting up webserver
	104	Triggering validation
	105	Sleeping for 5 seconds
	106	Status is 'valid'!
	107
	108	All domains validated!
	109
	110	Creating CSR
	111	Finalizing order
	112	Checking order status
	113	valid!
	114
	115	Downloading certificate
	116	Setting pveproxy certificate and key
	117	Restarting pveproxy
	118	Task OK
d75e644b	119	----
0e9c6c13	120
19b04e77	121	Switching from the `staging` to the regular ACME directory
b0014034	122	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
19b04e77 SI	123
	124	Changing the ACME directory for an account is unsupported. If you want to switch
	125	an account from the `staging` ACME directory to the regular, trusted, one you
	126	need to deactivate it and recreate it.
	127
	128	This procedure is also needed to change the default ACME account used in the GUI.
	129
	130	.Example: Changing the `default` ACME account from the `staging` to the regular directory
	131
d75e644b	132	----
19b04e77 SI	133	root@proxmox:~# pvenode acme account info default
	134	Directory URL: https://acme-staging-v02.api.letsencrypt.org/directory
	135	Account URL: https://acme-staging-v02.api.letsencrypt.org/acme/acct/6332194
	136	Terms Of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
	137
	138	Account information:
	139	ID: xxxxxxx
	140	Contact:
	141	- mailto:example@proxmox.com
	142	Creation date: 2018-07-31T08:41:44.54196435Z
	143	Initial IP: 192.0.2.1
	144	Status: valid
	145
	146	root@proxmox:~# pvenode acme account deactivate default
	147	Renaming account file from '/etc/pve/priv/acme/default' to '/etc/pve/priv/acme/_deactivated_default_4'
	148	Task OK
d75e644b	149
19b04e77 SI	150	root@proxmox:~# pvenode acme account register default example@proxmox.com
	151	Directory endpoints:
	152	0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
	153	1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
	154	2) Custom
	155	Enter selection:
	156	0
	157
	158	Attempting to fetch Terms of Service from 'https://acme-v02.api.letsencrypt.org/directory'..
	159	Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
	160	Do you agree to the above terms? [y\|N]y
	161
	162	Attempting to register account with 'https://acme-v02.api.letsencrypt.org/directory'..
	163	Generating ACME account key..
	164	Registering ACME account..
	165	Registration successful, account URL: 'https://acme-v02.api.letsencrypt.org/acme/acct/39335247'
	166	Task OK
d75e644b	167	----
19b04e77	168
0e9c6c13 FG	169	Automatic renewal of ACME certificates
	170	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	171
	172	If a node has been successfully configured with an ACME-provided certificate
	173	(either via pvenode or via the GUI), the certificate will be automatically
	174	renewed by the pve-daily-update.service. Currently, renewal will be attempted
da30f82a	175	if the certificate has expired already, or will expire in the next 30 days.