[pve-docs.git] / certificate-managment.adoc

[[sysadmin_certificate_management]]
Certificate Management
----------------------
ifdef::wiki[]
:pve-toplevel:
endif::wiki[]


Certificates for communication within the cluster
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Each {PVE} cluster creates its own internal Certificate Authority (CA) and
generates a self-signed certificate for each node. These certificates are used
for encrypted communication with the cluster's pveproxy service and the
Shell/Console feature if SPICE is used.

The CA certificate and key are stored in the `pmxcfs` (see the `pmxcfs(8)`
manpage).

Certificates for API and web GUI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The REST API and web GUI are provided by the `pveproxy` service, which runs on
each node.

You have the following options for the certificate used by `pveproxy`:

1. By default the node-specific certificate in
`/etc/pve/nodes/NODENAME/pve-ssl.pem` is used. This certificate is signed by
the cluster CA and therefore not trusted by browsers and operating systems by
default.
2. use an externally provided certificate (e.g. signed by a commercial CA).
3. use ACME (e.g., Let's Encrypt) to get a trusted certificate with automatic renewal.

For options 2 and 3 the file `/etc/pve/local/pveproxy-ssl.pem` (and
`/etc/pve/local/pveproxy-ssl.key`, which needs to be without password) is used.

Certificates are managed with the {PVE} Node management command
(see the `pvenode(1)` manpage).

WARNING: Do not replace or manually modify the automatically generated node
certificate files in `/etc/pve/local/pve-ssl.pem` and
`/etc/pve/local/pve-ssl.key` or the cluster CA files in
`/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`.

Getting trusted certificates via ACME
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
{PVE} includes an implementation of the **A**utomatic **C**ertificate
**M**anagement **E**nvironment **ACME** protocol, allowing {pve} admins to
interface with Let's Encrypt for easy setup of trusted TLS certificates which
are accepted out of the box on most modern operating systems and browsers.

Currently the two ACME endpoints implemented are Let's Encrypt (LE) and its
staging environment (see https://letsencrypt.org), both using the standalone
HTTP challenge.

Because of https://letsencrypt.org/docs/rate-limits/[rate-limits] you should use
LE `staging` for experiments.

There are a few prerequisites to use Let's Encrypt:

1. **Port 80** of the node needs to be reachable from the internet.
2. There **must** be no other listener on port 80.
3. The requested (sub)domain needs to resolve to a public IP of the Node.
4. You have to accept the ToS of Let's Encrypt.

At the moment the GUI uses only the default ACME account.

.Example: Sample `pvenode` invocation for using Let's Encrypt certificates

-----------------
root@proxmox:~# pvenode acme account register default mail@example.invalid
Directory endpoints:
0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
2) Custom
Enter selection:
1

Attempting to fetch Terms of Service from 'https://acme-staging-v02.api.letsencrypt.org/directory'..
Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you agree to the above terms? [y|N]y

Attempting to register account with 'https://acme-staging-v02.api.letsencrypt.org/directory'..
Generating ACME account key..
Registering ACME account..
Registration successful, account URL: 'https://acme-staging-v02.api.letsencrypt.org/acme/acct/xxxxxxx'
Task OK
root@proxmox:~# pvenode acme account list
default
root@proxmox:~# pvenode config set --acme domains=example.invalid
root@proxmox:~# pvenode acme cert order
Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/xxxxxxxxxxxxxx

Getting authorization details from
'https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxx-xxxxxxx'
... pending!
Setting up webserver
Triggering validation
Sleeping for 5 seconds
Status is 'valid'!

All domains validated!

Creating CSR
Finalizing order
Checking order status
valid!

Downloading certificate
Setting pveproxy certificate and key
Restarting pveproxy
Task OK
-----------------

Automatic renewal of ACME certificates
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If a node has been successfully configured with an ACME-provided certificate
(either via pvenode or via the GUI), the certificate will be automatically
renewed by the pve-daily-update.service. Currently, renewal will be attempted
if the certificate has expired or will expire in the next 30 days.
Commit	Line	Data
aeecd9ea SI	1	[[sysadmin_certificate_management]]
	2	Certificate Management
	3	----------------------
	4	ifdef::wiki[]
	5	:pve-toplevel:
	6	endif::wiki[]
	7
	8
	9	Certificates for communication within the cluster
	10	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	11
0e9c6c13 FG	12	Each {PVE} cluster creates its own internal Certificate Authority (CA) and
	13	generates a self-signed certificate for each node. These certificates are used
	14	for encrypted communication with the cluster's pveproxy service and the
	15	Shell/Console feature if SPICE is used.
aeecd9ea SI	16
	17	The CA certificate and key are stored in the `pmxcfs` (see the `pmxcfs(8)`
	18	manpage).
	19
	20	Certificates for API and web GUI
	21	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	22
0e9c6c13 FG	23	The REST API and web GUI are provided by the `pveproxy` service, which runs on
0e9c6c13 FG	24	each node.
aeecd9ea SI	25
	26	You have the following options for the certificate used by `pveproxy`:
	27
0e9c6c13 FG	28	1. By default the node-specific certificate in
	29	`/etc/pve/nodes/NODENAME/pve-ssl.pem` is used. This certificate is signed by
	30	the cluster CA and therefore not trusted by browsers and operating systems by
	31	default.
	32	2. use an externally provided certificate (e.g. signed by a commercial CA).
	33	3. use ACME (e.g., Let's Encrypt) to get a trusted certificate with automatic renewal.
aeecd9ea	34
0e9c6c13	35	For options 2 and 3 the file `/etc/pve/local/pveproxy-ssl.pem` (and
aeecd9ea SI	36	`/etc/pve/local/pveproxy-ssl.key`, which needs to be without password) is used.
	37
	38	Certificates are managed with the {PVE} Node management command
	39	(see the `pvenode(1)` manpage).
	40
0e9c6c13 FG	41	WARNING: Do not replace or manually modify the automatically generated node
	42	certificate files in `/etc/pve/local/pve-ssl.pem` and
	43	`/etc/pve/local/pve-ssl.key` or the cluster CA files in
	44	`/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`.
aeecd9ea SI	45
	46	Getting trusted certificates via ACME
	47	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	48	{PVE} includes an implementation of the Automatic Certificate
	49	Management Environment ACME protocol, allowing {pve} admins to
0e9c6c13 FG	50	interface with Let's Encrypt for easy setup of trusted TLS certificates which
0e9c6c13 FG	51	are accepted out of the box on most modern operating systems and browsers.
aeecd9ea SI	52
	53	Currently the two ACME endpoints implemented are Let's Encrypt (LE) and its
	54	staging environment (see https://letsencrypt.org), both using the standalone
	55	HTTP challenge.
	56
	57	Because of https://letsencrypt.org/docs/rate-limits/[rate-limits] you should use
	58	LE `staging` for experiments.
	59
	60	There are a few prerequisites to use Let's Encrypt:
	61
	62	1. Port 80 of the node needs to be reachable from the internet.
	63	2. There must be no other listener on port 80.
0e9c6c13	64	3. The requested (sub)domain needs to resolve to a public IP of the Node.
aeecd9ea SI	65	4. You have to accept the ToS of Let's Encrypt.
	66
	67	At the moment the GUI uses only the default ACME account.
	68
	69	.Example: Sample `pvenode` invocation for using Let's Encrypt certificates
	70
	71	-----------------
	72	root@proxmox:~# pvenode acme account register default mail@example.invalid
	73	Directory endpoints:
	74	0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
	75	1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
	76	2) Custom
	77	Enter selection:
	78	1
	79
	80	Attempting to fetch Terms of Service from 'https://acme-staging-v02.api.letsencrypt.org/directory'..
	81	Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
	82	Do you agree to the above terms? [y\|N]y
	83
	84	Attempting to register account with 'https://acme-staging-v02.api.letsencrypt.org/directory'..
	85	Generating ACME account key..
	86	Registering ACME account..
	87	Registration successful, account URL: 'https://acme-staging-v02.api.letsencrypt.org/acme/acct/xxxxxxx'
	88	Task OK
	89	root@proxmox:~# pvenode acme account list
	90	default
	91	root@proxmox:~# pvenode config set --acme domains=example.invalid
	92	root@proxmox:~# pvenode acme cert order
	93	Loading ACME account details
	94	Placing ACME order
	95	Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/xxxxxxxxxxxxxx
	96
	97	Getting authorization details from
	98	'https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxx-xxxxxxx'
	99	... pending!
	100	Setting up webserver
	101	Triggering validation
	102	Sleeping for 5 seconds
	103	Status is 'valid'!
	104
	105	All domains validated!
	106
	107	Creating CSR
	108	Finalizing order
	109	Checking order status
	110	valid!
	111
	112	Downloading certificate
	113	Setting pveproxy certificate and key
	114	Restarting pveproxy
	115	Task OK
	116	-----------------
0e9c6c13 FG	117
	118	Automatic renewal of ACME certificates
	119	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	120
	121	If a node has been successfully configured with an ACME-provided certificate
	122	(either via pvenode or via the GUI), the certificate will be automatically
	123	renewed by the pve-daily-update.service. Currently, renewal will be attempted
	124	if the certificate has expired or will expire in the next 30 days.