[pve-docs.git] / certificate-management.adoc

[[sysadmin_certificate_management]]
Certificate Management
----------------------
ifdef::wiki[]
:pve-toplevel:
endif::wiki[]


Certificates for Intra-Cluster Communication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Each {PVE} cluster creates by default its own (self-signed) Certificate
Authority (CA) and generates a certificate for each node which gets signed by
the aforementioned CA. These certificates are used for encrypted communication
with the cluster's `pveproxy` service and the Shell/Console feature if SPICE is
used.

The CA certificate and key are stored in the xref:chapter_pmxcfs[Proxmox Cluster File System (pmxcfs)].


[[sysadmin_certs_api_gui]]
Certificates for API and Web GUI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The REST API and web GUI are provided by the `pveproxy` service, which runs on
each node.

You have the following options for the certificate used by `pveproxy`:

1. By default the node-specific certificate in
`/etc/pve/nodes/NODENAME/pve-ssl.pem` is used. This certificate is signed by
the cluster CA and therefore not automatically trusted by browsers and
operating systems.
2. use an externally provided certificate (e.g. signed by a commercial CA).
3. use ACME (Let's Encrypt) to get a trusted certificate with automatic
renewal, this is also integrated in the {pve} API and web interface.

For options 2 and 3 the file `/etc/pve/local/pveproxy-ssl.pem` (and
`/etc/pve/local/pveproxy-ssl.key`, which needs to be without password) is used.

NOTE: Keep in mind that `/etc/pve/local` is a node specific symlink to
`/etc/pve/nodes/NODENAME`.

Certificates are managed with the {PVE} Node management command
(see the `pvenode(1)` manpage).

WARNING: Do not replace or manually modify the automatically generated node
certificate files in `/etc/pve/local/pve-ssl.pem` and
`/etc/pve/local/pve-ssl.key` or the cluster CA files in
`/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`.

[[sysadmin_certs_upload_custom]]
Upload Custom Certificate
~~~~~~~~~~~~~~~~~~~~~~~~~

If you already have a certificate which you want to use for a {pve} node you
can upload that certificate simply over the web interface.

[thumbnail="screenshot/gui-node-certs-upload-custom.png"]

Note that the certificates key file, if provided, mustn't be password
protected.

[[sysadmin_certs_get_trusted_acme_cert]]
Trusted certificates via Let's Encrypt (ACME)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

{PVE} includes an implementation of the **A**utomatic **C**ertificate
**M**anagement **E**nvironment **ACME** protocol, allowing {pve} admins to
use an ACME provider like Let's Encrypt for easy setup of TLS certificates
which are accepted and trusted on modern operating systems and web browsers
out of the box.

Currently, the two ACME endpoints implemented are the
https://letsencrypt.org[Let's Encrypt (LE)] production and its staging
environment. Our ACME client supports validation of `http-01` challenges using
a built-in web server and validation of `dns-01` challenges using a DNS plugin
supporting all the DNS API endpoints https://acme.sh[acme.sh] does.

[[sysadmin_certs_acme_account]]
ACME Account
^^^^^^^^^^^^

[thumbnail="screenshot/gui-datacenter-acme-register-account.png"]

You need to register an ACME account per cluster with the endpoint you want to
use. The email address used for that account will serve as contact point for
renewal-due or similar notifications from the ACME endpoint.

You can register and deactivate ACME accounts over the web interface
`Datacenter -> ACME` or using the `pvenode` command-line tool.
----
 pvenode acme account register account-name mail@example.com
----

TIP: Because of https://letsencrypt.org/docs/rate-limits/[rate-limits] you
should use LE `staging` for experiments or if you use ACME for the first time.

[[sysadmin_certs_acme_plugins]]
ACME Plugins
^^^^^^^^^^^^

The ACME plugins task is to provide automatic verification that you, and thus
the {pve} cluster under your operation, are the real owner of a domain. This is
the basis building block for automatic certificate management.

The ACME protocol specifies different types of challenges, for example the
`http-01` where a web server provides a file with a certain content to prove
that it controls a domain. Sometimes this isn't possible, either because of
technical limitations or if the address of a record to is not reachable from
the public internet. The `dns-01` challenge can be used in these cases.  This
challenge is fulfilled by creating a certain DNS record in the domain's zone.

[thumbnail="screenshot/gui-datacenter-acme-overview.png"]

{pve} supports both of those challenge types out of the box, you can configure
plugins either over the web interface under `Datacenter -> ACME`, or using the
`pvenode acme plugin add` command.

ACME Plugin configurations are stored in `/etc/pve/priv/acme/plugins.cfg`.
A plugin is available for all nodes in the cluster.

Node Domains
^^^^^^^^^^^^

Each domain is node specific. You can add new or manage existing domain entries
under `Node -> Certificates`, or using the `pvenode config` command.

[thumbnail="screenshot/gui-node-certs-add-domain.png"]

After configuring the desired domain(s) for a node and ensuring that the
desired ACME account is selected, you can order your new certificate over the
web interface. On success the interface will reload after 10 seconds.

Renewal will happen xref:sysadmin_certs_acme_automatic_renewal[automatically].

[[sysadmin_certs_acme_http_challenge]]
ACME HTTP Challenge Plugin
~~~~~~~~~~~~~~~~~~~~~~~~~~

There is always an implicitly configured `standalone` plugin for validating
`http-01` challenges via the built-in webserver spawned on port 80.

NOTE: The name `standalone` means that it can provide the validation on it's
own, without any third party service. So, this plugin works also for cluster
nodes.

There are a few prerequisites to use it for certificate management with Let's
Encrypts ACME.

* You have to accept the ToS of Let's Encrypt to register an account.
* **Port 80** of the node needs to be reachable from the internet.
* There **must** be no other listener on port 80.
* The requested (sub)domain needs to resolve to a public IP of the Node.


[[sysadmin_certs_acme_dns_challenge]]
ACME DNS API Challenge Plugin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On systems where external access for validation via the `http-01` method is
not possible or desired, it is possible to use the `dns-01` validation method.
This validation method requires a DNS server that allows provisioning of `TXT`
records via an API.

[[sysadmin_certs_acme_dns_api_config]]
Configuring ACME DNS APIs for validation
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

{PVE} re-uses the DNS plugins developed for the `acme.sh`
footnote:[acme.sh https://github.com/acmesh-official/acme.sh] project, please
refer to its documentation for details on configuration of specific APIs.

The easiest way to configure a new plugin with the DNS API is using the web
interface (`Datacenter -> ACME`).

[thumbnail="screenshot/gui-datacenter-acme-add-dns-plugin.png"]

Choose `DNS` as challenge type. Then you can select your API provider, enter
the credential data to access your account over their API.

TIP: See the acme.sh
https://github.com/acmesh-official/acme.sh/wiki/dnsapi#how-to-use-dns-api[How to use DNS API]
wiki for more detailed information about getting API credentials for your
provider.

As there are many DNS providers and API endpoints {pve} automatically generates
the form for the credentials for some providers. For the others you will see a
bigger text area, simply copy all the credentials `KEY`=`VALUE` pairs in there.

DNS Validation through CNAME Alias
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

A special `alias` mode can be used to handle the validation on a different
domain/DNS server, in case your primary/real DNS does not support provisioning
via an API. Manually set up a permanent `CNAME` record for
`_acme-challenge.domain1.example` pointing to `_acme-challenge.domain2.example`
and set the `alias` property in the {PVE} node configuration file to
`domain2.example` to allow the DNS server of `domain2.example` to validate all
challenges for `domain1.example`.


Combination of Plugins
^^^^^^^^^^^^^^^^^^^^^^

Combining `http-01` and `dns-01` validation is possible in case your node is
reachable via multiple domains with different requirements / DNS provisioning
capabilities. Mixing DNS APIs from multiple providers or instances is also
possible by specifying different plugin instances per domain.

TIP: Accessing the same service over multiple domains increases complexity and
should be avoided if possible.

[[sysadmin_certs_acme_automatic_renewal]]
Automatic renewal of ACME certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If a node has been successfully configured with an ACME-provided certificate
(either via pvenode or via the GUI), the certificate will be automatically
renewed by the `pve-daily-update.service`. Currently, renewal will be attempted
if the certificate has expired already, or will expire in the next 30 days.


ACME Examples with `pvenode`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Example: Sample `pvenode` invocation for using Let's Encrypt certificates
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

----
root@proxmox:~# pvenode acme account register default mail@example.invalid
Directory endpoints:
0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
2) Custom
Enter selection: 1

Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you agree to the above terms? [y|N]y
...
Task OK
root@proxmox:~# pvenode config set --acme domains=example.invalid
root@proxmox:~# pvenode acme cert order
Loading ACME account details
Placing ACME order
...
Status is 'valid'!

All domains validated!
...
Downloading certificate
Setting pveproxy certificate and key
Restarting pveproxy
Task OK
----

Example: Setting up the OVH API for validating a domain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

NOTE: the account registration steps are the same no matter which plugins are
used, and are not repeated here.

NOTE: `OVH_AK` and `OVH_AS` need to be obtained from OVH according to the OVH
API documentation


First you need to get all information so you and {pve} can access the API.

----
root@proxmox:~# cat /path/to/api-token
OVH_AK=XXXXXXXXXXXXXXXX
OVH_AS=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
root@proxmox:~# source /path/to/api-token
root@proxmox:~# curl -XPOST -H"X-Ovh-Application: $OVH_AK" -H "Content-type: application/json" \
https://eu.api.ovh.com/1.0/auth/credential  -d '{
  "accessRules": [
    {"method": "GET","path": "/auth/time"},
    {"method": "GET","path": "/domain"},
    {"method": "GET","path": "/domain/zone/*"},
    {"method": "GET","path": "/domain/zone/*/record"},
    {"method": "POST","path": "/domain/zone/*/record"},
    {"method": "POST","path": "/domain/zone/*/refresh"},
    {"method": "PUT","path": "/domain/zone/*/record/"},
    {"method": "DELETE","path": "/domain/zone/*/record/*"}
]
}'
{"consumerKey":"ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ","state":"pendingValidation","validationUrl":"https://eu.api.ovh.com/auth/?credentialToken=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}

(open validation URL and follow instructions to link Application Key with account/Consumer Key)

root@proxmox:~# echo "OVH_CK=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ" >> /path/to/api-token
----

Now you can setup the the ACME plugin:

----
root@proxmox:~# pvenode acme plugin add dns example_plugin --api ovh --data /path/to/api_token
root@proxmox:~# pvenode acme plugin config example_plugin
┌────────┬──────────────────────────────────────────┐
│ key    │ value                                    │
╞════════╪══════════════════════════════════════════╡
│ api    │ ovh                                      │
├────────┼──────────────────────────────────────────┤
│ data   │ OVH_AK=XXXXXXXXXXXXXXXX                  │
│        │ OVH_AS=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY  │
│        │ OVH_CK=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ  │
├────────┼──────────────────────────────────────────┤
│ digest │ 867fcf556363ca1bea866863093fcab83edf47a1 │
├────────┼──────────────────────────────────────────┤
│ plugin │ example_plugin                           │
├────────┼──────────────────────────────────────────┤
│ type   │ dns                                      │
└────────┴──────────────────────────────────────────┘
----

At last you can configure the domain you want to get certificates for and
place the certificate order for it:

----
root@proxmox:~# pvenode config set -acmedomain0 example.proxmox.com,plugin=example_plugin
root@proxmox:~# pvenode acme cert order
Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/11111111/22222222

Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333'
The validation for example.proxmox.com is pending!
[Wed Apr 22 09:25:30 CEST 2020] Using OVH endpoint: ovh-eu
[Wed Apr 22 09:25:30 CEST 2020] Checking authentication
[Wed Apr 22 09:25:30 CEST 2020] Consumer key is ok.
[Wed Apr 22 09:25:31 CEST 2020] Adding record
[Wed Apr 22 09:25:32 CEST 2020] Added, sleep 10 seconds.
Add TXT record: _acme-challenge.example.proxmox.com
Triggering validation
Sleeping for 5 seconds
Status is 'valid'!
[Wed Apr 22 09:25:48 CEST 2020] Using OVH endpoint: ovh-eu
[Wed Apr 22 09:25:48 CEST 2020] Checking authentication
[Wed Apr 22 09:25:48 CEST 2020] Consumer key is ok.
Remove TXT record: _acme-challenge.example.proxmox.com

All domains validated!

Creating CSR
Checking order status
Order is ready, finalizing order
valid!

Downloading certificate
Setting pveproxy certificate and key
Restarting pveproxy
Task OK
----

[[sysadmin_certs_acme_switch_from_staging]]
Example: Switching from the `staging` to the regular ACME directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Changing the ACME directory for an account is unsupported, but as {pve}
supports more than one account you can just create a new one with the
production (trusted) ACME directory as endpoint.  You can also deactivate the
staging account and recreate it.

// TODO: add example with account screenshot here

.Example: Changing the `default` ACME account from `staging` to directory using `pvenode`
----
root@proxmox:~# pvenode acme account deactivate default
Renaming account file from '/etc/pve/priv/acme/default' to '/etc/pve/priv/acme/_deactivated_default_4'
Task OK

root@proxmox:~# pvenode acme account register default example@proxmox.com
Directory endpoints:
0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
2) Custom
Enter selection: 0

Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you agree to the above terms? [y|N]y
...
Task OK
----
Commit	Line	Data
aeecd9ea SI	1	[[sysadmin_certificate_management]]
	2	Certificate Management
	3	----------------------
	4	ifdef::wiki[]
	5	:pve-toplevel:
	6	endif::wiki[]
	7
	8
a7dca4d1 TL	9	Certificates for Intra-Cluster Communication
a7dca4d1 TL	10	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
aeecd9ea	11
a7dca4d1 TL	12	Each {PVE} cluster creates by default its own (self-signed) Certificate
	13	Authority (CA) and generates a certificate for each node which gets signed by
	14	the aforementioned CA. These certificates are used for encrypted communication
	15	with the cluster's `pveproxy` service and the Shell/Console feature if SPICE is
	16	used.
aeecd9ea	17
2971c735	18	The CA certificate and key are stored in the xref:chapter_pmxcfs[Proxmox Cluster File System (pmxcfs)].
aeecd9ea	19
0a1739bd	20
a7dca4d1 TL	21	[[sysadmin_certs_api_gui]]
a7dca4d1 TL	22	Certificates for API and Web GUI
aeecd9ea SI	23	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
aeecd9ea SI	24
0e9c6c13 FG	25	The REST API and web GUI are provided by the `pveproxy` service, which runs on
0e9c6c13 FG	26	each node.
aeecd9ea SI	27
	28	You have the following options for the certificate used by `pveproxy`:
	29
0e9c6c13 FG	30	1. By default the node-specific certificate in
0e9c6c13 FG	31	`/etc/pve/nodes/NODENAME/pve-ssl.pem` is used. This certificate is signed by
0a1739bd TL	32	the cluster CA and therefore not automatically trusted by browsers and
0a1739bd TL	33	operating systems.
0e9c6c13	34	2. use an externally provided certificate (e.g. signed by a commercial CA).
0a1739bd	35	3. use ACME (Let's Encrypt) to get a trusted certificate with automatic
135789c0	36	renewal, this is also integrated in the {pve} API and web interface.
aeecd9ea	37
0e9c6c13	38	For options 2 and 3 the file `/etc/pve/local/pveproxy-ssl.pem` (and
aeecd9ea SI	39	`/etc/pve/local/pveproxy-ssl.key`, which needs to be without password) is used.
aeecd9ea SI	40
da30f82a TL	41	NOTE: Keep in mind that `/etc/pve/local` is a node specific symlink to
	42	`/etc/pve/nodes/NODENAME`.
	43
aeecd9ea SI	44	Certificates are managed with the {PVE} Node management command
	45	(see the `pvenode(1)` manpage).
	46
0e9c6c13 FG	47	WARNING: Do not replace or manually modify the automatically generated node
	48	certificate files in `/etc/pve/local/pve-ssl.pem` and
	49	`/etc/pve/local/pve-ssl.key` or the cluster CA files in
	50	`/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`.
aeecd9ea	51
65c80483 TL	52	[[sysadmin_certs_upload_custom]]
	53	Upload Custom Certificate
	54	~~~~~~~~~~~~~~~~~~~~~~~~~
	55
	56	If you already have a certificate which you want to use for a {pve} node you
	57	can upload that certificate simply over the web interface.
	58
	59	[thumbnail="screenshot/gui-node-certs-upload-custom.png"]
	60
	61	Note that the certificates key file, if provided, mustn't be password
	62	protected.
0a1739bd	63
a7dca4d1 TL	64	[[sysadmin_certs_get_trusted_acme_cert]]
	65	Trusted certificates via Let's Encrypt (ACME)
	66	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0a1739bd	67
aeecd9ea SI	68	{PVE} includes an implementation of the Automatic Certificate
aeecd9ea SI	69	Management Environment ACME protocol, allowing {pve} admins to
d6754f0f SI	70	use an ACME provider like Let's Encrypt for easy setup of TLS certificates
	71	which are accepted and trusted on modern operating systems and web browsers
	72	out of the box.
aeecd9ea	73
d6754f0f	74	Currently, the two ACME endpoints implemented are the
a7dca4d1 TL	75	https://letsencrypt.org[Let's Encrypt (LE)] production and its staging
a7dca4d1 TL	76	environment. Our ACME client supports validation of `http-01` challenges using
d6754f0f	77	a built-in web server and validation of `dns-01` challenges using a DNS plugin
a7dca4d1	78	supporting all the DNS API endpoints https://acme.sh[acme.sh] does.
aeecd9ea	79
a7dca4d1 TL	80	[[sysadmin_certs_acme_account]]
	81	ACME Account
	82	^^^^^^^^^^^^
65c80483 TL	83
	84	[thumbnail="screenshot/gui-datacenter-acme-register-account.png"]
	85
a7dca4d1	86	You need to register an ACME account per cluster with the endpoint you want to
d6754f0f	87	use. The email address used for that account will serve as contact point for
a7dca4d1	88	renewal-due or similar notifications from the ACME endpoint.
aeecd9ea	89
a7dca4d1	90	You can register and deactivate ACME accounts over the web interface
ff4ae052	91	`Datacenter -> ACME` or using the `pvenode` command-line tool.
a7dca4d1 TL	92	----
	93	pvenode acme account register account-name mail@example.com
	94	----
aeecd9ea	95
a7dca4d1 TL	96	TIP: Because of https://letsencrypt.org/docs/rate-limits/[rate-limits] you
a7dca4d1 TL	97	should use LE `staging` for experiments or if you use ACME for the first time.
0b447f1c	98
a7dca4d1 TL	99	[[sysadmin_certs_acme_plugins]]
	100	ACME Plugins
	101	^^^^^^^^^^^^
0b447f1c	102
a7dca4d1 TL	103	The ACME plugins task is to provide automatic verification that you, and thus
	104	the {pve} cluster under your operation, are the real owner of a domain. This is
	105	the basis building block for automatic certificate management.
0b447f1c	106
a7dca4d1	107	The ACME protocol specifies different types of challenges, for example the
d6754f0f SI	108	`http-01` where a web server provides a file with a certain content to prove
	109	that it controls a domain. Sometimes this isn't possible, either because of
	110	technical limitations or if the address of a record to is not reachable from
	111	the public internet. The `dns-01` challenge can be used in these cases. This
	112	challenge is fulfilled by creating a certain DNS record in the domain's zone.
0b447f1c	113
65c80483 TL	114	[thumbnail="screenshot/gui-datacenter-acme-overview.png"]
65c80483 TL	115
a7dca4d1 TL	116	{pve} supports both of those challenge types out of the box, you can configure
	117	plugins either over the web interface under `Datacenter -> ACME`, or using the
	118	`pvenode acme plugin add` command.
aeecd9ea	119
a7dca4d1	120	ACME Plugin configurations are stored in `/etc/pve/priv/acme/plugins.cfg`.
65c80483 TL	121	A plugin is available for all nodes in the cluster.
	122
	123	Node Domains
	124	^^^^^^^^^^^^
	125
	126	Each domain is node specific. You can add new or manage existing domain entries
	127	under `Node -> Certificates`, or using the `pvenode config` command.
	128
	129	[thumbnail="screenshot/gui-node-certs-add-domain.png"]
	130
	131	After configuring the desired domain(s) for a node and ensuring that the
	132	desired ACME account is selected, you can order your new certificate over the
e2b3622a	133	web interface. On success the interface will reload after 10 seconds.
65c80483 TL	134
65c80483 TL	135	Renewal will happen xref:sysadmin_certs_acme_automatic_renewal[automatically].
aeecd9ea	136
a7dca4d1 TL	137	[[sysadmin_certs_acme_http_challenge]]
	138	ACME HTTP Challenge Plugin
	139	~~~~~~~~~~~~~~~~~~~~~~~~~~
aeecd9ea	140
a7dca4d1 TL	141	There is always an implicitly configured `standalone` plugin for validating
a7dca4d1 TL	142	`http-01` challenges via the built-in webserver spawned on port 80.
aeecd9ea	143
a7dca4d1 TL	144	NOTE: The name `standalone` means that it can provide the validation on it's
	145	own, without any third party service. So, this plugin works also for cluster
	146	nodes.
aeecd9ea	147
a7dca4d1 TL	148	There are a few prerequisites to use it for certificate management with Let's
a7dca4d1 TL	149	Encrypts ACME.
aeecd9ea	150
a7dca4d1 TL	151	* You have to accept the ToS of Let's Encrypt to register an account.
	152	* Port 80 of the node needs to be reachable from the internet.
	153	* There must be no other listener on port 80.
	154	* The requested (sub)domain needs to resolve to a public IP of the Node.
aeecd9ea	155
aeecd9ea	156
a7dca4d1 TL	157	[[sysadmin_certs_acme_dns_challenge]]
	158	ACME DNS API Challenge Plugin
	159	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
aeecd9ea	160
a7dca4d1 TL	161	On systems where external access for validation via the `http-01` method is
	162	not possible or desired, it is possible to use the `dns-01` validation method.
	163	This validation method requires a DNS server that allows provisioning of `TXT`
	164	records via an API.
0e9c6c13	165
a7dca4d1 TL	166	[[sysadmin_certs_acme_dns_api_config]]
	167	Configuring ACME DNS APIs for validation
	168	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
19b04e77	169
a7dca4d1	170	{PVE} re-uses the DNS plugins developed for the `acme.sh`
d6754f0f SI	171	footnote:[acme.sh https://github.com/acmesh-official/acme.sh] project, please
d6754f0f SI	172	refer to its documentation for details on configuration of specific APIs.
19b04e77	173
a7dca4d1 TL	174	The easiest way to configure a new plugin with the DNS API is using the web
a7dca4d1 TL	175	interface (`Datacenter -> ACME`).
19b04e77	176
65c80483 TL	177	[thumbnail="screenshot/gui-datacenter-acme-add-dns-plugin.png"]
65c80483 TL	178
a7dca4d1 TL	179	Choose `DNS` as challenge type. Then you can select your API provider, enter
a7dca4d1 TL	180	the credential data to access your account over their API.
19b04e77	181
a7dca4d1 TL	182	TIP: See the acme.sh
	183	https://github.com/acmesh-official/acme.sh/wiki/dnsapi#how-to-use-dns-api[How to use DNS API]
	184	wiki for more detailed information about getting API credentials for your
	185	provider.
19b04e77	186
d6754f0f SI	187	As there are many DNS providers and API endpoints {pve} automatically generates
d6754f0f SI	188	the form for the credentials for some providers. For the others you will see a
a7dca4d1	189	bigger text area, simply copy all the credentials `KEY`=`VALUE` pairs in there.
d75e644b	190
a7dca4d1 TL	191	DNS Validation through CNAME Alias
a7dca4d1 TL	192	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
19b04e77	193
a7dca4d1 TL	194	A special `alias` mode can be used to handle the validation on a different
	195	domain/DNS server, in case your primary/real DNS does not support provisioning
	196	via an API. Manually set up a permanent `CNAME` record for
	197	`_acme-challenge.domain1.example` pointing to `_acme-challenge.domain2.example`
	198	and set the `alias` property in the {PVE} node configuration file to
	199	`domain2.example` to allow the DNS server of `domain2.example` to validate all
	200	challenges for `domain1.example`.
19b04e77	201
19b04e77	202
a7dca4d1 TL	203	Combination of Plugins
	204	^^^^^^^^^^^^^^^^^^^^^^
	205
	206	Combining `http-01` and `dns-01` validation is possible in case your node is
	207	reachable via multiple domains with different requirements / DNS provisioning
	208	capabilities. Mixing DNS APIs from multiple providers or instances is also
	209	possible by specifying different plugin instances per domain.
	210
	211	TIP: Accessing the same service over multiple domains increases complexity and
	212	should be avoided if possible.
	213
	214	[[sysadmin_certs_acme_automatic_renewal]]
0e9c6c13	215	Automatic renewal of ACME certificates
a7dca4d1	216	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0e9c6c13 FG	217
	218	If a node has been successfully configured with an ACME-provided certificate
	219	(either via pvenode or via the GUI), the certificate will be automatically
65c80483	220	renewed by the `pve-daily-update.service`. Currently, renewal will be attempted
da30f82a	221	if the certificate has expired already, or will expire in the next 30 days.
0b447f1c	222
0b447f1c	223
a7dca4d1 TL	224	ACME Examples with `pvenode`
a7dca4d1 TL	225	~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0b447f1c	226
a7dca4d1 TL	227	Example: Sample `pvenode` invocation for using Let's Encrypt certificates
a7dca4d1 TL	228	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
0b447f1c	229
a7dca4d1 TL	230	----
	231	root@proxmox:~# pvenode acme account register default mail@example.invalid
	232	Directory endpoints:
	233	0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
	234	1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
	235	2) Custom
	236	Enter selection: 1
0b447f1c	237
a7dca4d1 TL	238	Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
	239	Do you agree to the above terms? [y\|N]y
	240	...
	241	Task OK
	242	root@proxmox:~# pvenode config set --acme domains=example.invalid
	243	root@proxmox:~# pvenode acme cert order
	244	Loading ACME account details
	245	Placing ACME order
	246	...
	247	Status is 'valid'!
	248
	249	All domains validated!
	250	...
	251	Downloading certificate
	252	Setting pveproxy certificate and key
	253	Restarting pveproxy
	254	Task OK
	255	----
0b447f1c	256
a7dca4d1 TL	257	Example: Setting up the OVH API for validating a domain
a7dca4d1 TL	258	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
0b447f1c	259
186c094b TL	260	NOTE: the account registration steps are the same no matter which plugins are
	261	used, and are not repeated here.
	262
	263	NOTE: `OVH_AK` and `OVH_AS` need to be obtained from OVH according to the OVH
	264	API documentation
	265
	266
	267	First you need to get all information so you and {pve} can access the API.
0b447f1c FG	268
	269	----
	270	root@proxmox:~# cat /path/to/api-token
	271	OVH_AK=XXXXXXXXXXXXXXXX
	272	OVH_AS=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
	273	root@proxmox:~# source /path/to/api-token
	274	root@proxmox:~# curl -XPOST -H"X-Ovh-Application: $OVH_AK" -H "Content-type: application/json" \
	275	https://eu.api.ovh.com/1.0/auth/credential -d '{
	276	"accessRules": [
	277	{"method": "GET","path": "/auth/time"},
	278	{"method": "GET","path": "/domain"},
	279	{"method": "GET","path": "/domain/zone/*"},
	280	{"method": "GET","path": "/domain/zone/*/record"},
	281	{"method": "POST","path": "/domain/zone/*/record"},
	282	{"method": "POST","path": "/domain/zone/*/refresh"},
	283	{"method": "PUT","path": "/domain/zone/*/record/"},
	284	{"method": "DELETE","path": "/domain/zone//record/"}
	285	]
	286	}'
	287	{"consumerKey":"ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ","state":"pendingValidation","validationUrl":"https://eu.api.ovh.com/auth/?credentialToken=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
	288
	289	(open validation URL and follow instructions to link Application Key with account/Consumer Key)
	290
	291	root@proxmox:~# echo "OVH_CK=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ" >> /path/to/api-token
186c094b TL	292	----
	293
	294	Now you can setup the the ACME plugin:
	295
	296	----
0b447f1c FG	297	root@proxmox:~# pvenode acme plugin add dns example_plugin --api ovh --data /path/to/api_token
	298	root@proxmox:~# pvenode acme plugin config example_plugin
	299	┌────────┬──────────────────────────────────────────┐
	300	│ key │ value │
	301	╞════════╪══════════════════════════════════════════╡
	302	│ api │ ovh │
	303	├────────┼──────────────────────────────────────────┤
	304	│ data │ OVH_AK=XXXXXXXXXXXXXXXX │
	305	│ │ OVH_AS=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY │
	306	│ │ OVH_CK=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ │
	307	├────────┼──────────────────────────────────────────┤
	308	│ digest │ 867fcf556363ca1bea866863093fcab83edf47a1 │
	309	├────────┼──────────────────────────────────────────┤
	310	│ plugin │ example_plugin │
	311	├────────┼──────────────────────────────────────────┤
	312	│ type │ dns │
	313	└────────┴──────────────────────────────────────────┘
186c094b TL	314	----
186c094b TL	315
3a433e9b	316	At last you can configure the domain you want to get certificates for and
186c094b TL	317	place the certificate order for it:
	318
	319	----
0b447f1c FG	320	root@proxmox:~# pvenode config set -acmedomain0 example.proxmox.com,plugin=example_plugin
	321	root@proxmox:~# pvenode acme cert order
	322	Loading ACME account details
	323	Placing ACME order
	324	Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/11111111/22222222
	325
	326	Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333'
	327	The validation for example.proxmox.com is pending!
	328	[Wed Apr 22 09:25:30 CEST 2020] Using OVH endpoint: ovh-eu
	329	[Wed Apr 22 09:25:30 CEST 2020] Checking authentication
	330	[Wed Apr 22 09:25:30 CEST 2020] Consumer key is ok.
	331	[Wed Apr 22 09:25:31 CEST 2020] Adding record
	332	[Wed Apr 22 09:25:32 CEST 2020] Added, sleep 10 seconds.
	333	Add TXT record: _acme-challenge.example.proxmox.com
	334	Triggering validation
	335	Sleeping for 5 seconds
	336	Status is 'valid'!
	337	[Wed Apr 22 09:25:48 CEST 2020] Using OVH endpoint: ovh-eu
	338	[Wed Apr 22 09:25:48 CEST 2020] Checking authentication
	339	[Wed Apr 22 09:25:48 CEST 2020] Consumer key is ok.
	340	Remove TXT record: _acme-challenge.example.proxmox.com
	341
	342	All domains validated!
	343
	344	Creating CSR
	345	Checking order status
	346	Order is ready, finalizing order
	347	valid!
	348
	349	Downloading certificate
	350	Setting pveproxy certificate and key
	351	Restarting pveproxy
	352	Task OK
	353	----
a7dca4d1 TL	354
	355	[[sysadmin_certs_acme_switch_from_staging]]
	356	Example: Switching from the `staging` to the regular ACME directory
	357	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	358
	359	Changing the ACME directory for an account is unsupported, but as {pve}
	360	supports more than one account you can just create a new one with the
	361	production (trusted) ACME directory as endpoint. You can also deactivate the
	362	staging account and recreate it.
	363
	364	// TODO: add example with account screenshot here
	365
	366	.Example: Changing the `default` ACME account from `staging` to directory using `pvenode`
	367	----
	368	root@proxmox:~# pvenode acme account deactivate default
	369	Renaming account file from '/etc/pve/priv/acme/default' to '/etc/pve/priv/acme/_deactivated_default_4'
	370	Task OK
	371
	372	root@proxmox:~# pvenode acme account register default example@proxmox.com
	373	Directory endpoints:
	374	0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
	375	1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
	376	2) Custom
	377	Enter selection: 0
	378
	379	Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
	380	Do you agree to the above terms? [y\|N]y
	381	...
	382	Task OK
	383	----