[pve-docs.git] / certificate-management.adoc

[[sysadmin_certificate_management]]
Certificate Management
----------------------
ifdef::wiki[]
:pve-toplevel:
endif::wiki[]


Certificates for Intra-Cluster Communication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Each {PVE} cluster creates by default its own (self-signed) Certificate
Authority (CA) and generates a certificate for each node which gets signed by
the aforementioned CA. These certificates are used for encrypted communication
with the cluster's `pveproxy` service and the Shell/Console feature if SPICE is
used.

The CA certificate and key are stored in the xref:chapter_pmxcfs[Proxmox Cluster File System (pmxcfs)].


[[sysadmin_certs_api_gui]]
Certificates for API and Web GUI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The REST API and web GUI are provided by the `pveproxy` service, which runs on
each node.

You have the following options for the certificate used by `pveproxy`:

1. By default the node-specific certificate in
`/etc/pve/nodes/NODENAME/pve-ssl.pem` is used. This certificate is signed by
the cluster CA and therefore not automatically trusted by browsers and
operating systems.
2. use an externally provided certificate (e.g. signed by a commercial CA).
3. use ACME (Let's Encrypt) to get a trusted certificate with automatic
renewal, this is also integrated in the {pve} API and Webinterface.

For options 2 and 3 the file `/etc/pve/local/pveproxy-ssl.pem` (and
`/etc/pve/local/pveproxy-ssl.key`, which needs to be without password) is used.

NOTE: Keep in mind that `/etc/pve/local` is a node specific symlink to
`/etc/pve/nodes/NODENAME`.

Certificates are managed with the {PVE} Node management command
(see the `pvenode(1)` manpage).

WARNING: Do not replace or manually modify the automatically generated node
certificate files in `/etc/pve/local/pve-ssl.pem` and
`/etc/pve/local/pve-ssl.key` or the cluster CA files in
`/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`.

[[sysadmin_certs_upload_custom]]
Upload Custom Certificate
~~~~~~~~~~~~~~~~~~~~~~~~~

If you already have a certificate which you want to use for a {pve} node you
can upload that certificate simply over the web interface.

[thumbnail="screenshot/gui-node-certs-upload-custom.png"]

Note that the certificates key file, if provided, mustn't be password
protected.

[[sysadmin_certs_get_trusted_acme_cert]]
Trusted certificates via Let's Encrypt (ACME)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

{PVE} includes an implementation of the **A**utomatic **C**ertificate
**M**anagement **E**nvironment **ACME** protocol, allowing {pve} admins to
interface with Let's Encrypt for easy setup of trusted TLS certificates which
are accepted out of the box on most modern operating systems and browsers.

Currently the two ACME endpoints implemented are the
https://letsencrypt.org[Let's Encrypt (LE)] production and its staging
environment. Our ACME client supports validation of `http-01` challenges using
a built-in webserver and validation of `dns-01` challenges using a DNS plugin
supporting all the DNS API endpoints https://acme.sh[acme.sh] does.

[[sysadmin_certs_acme_account]]
ACME Account
^^^^^^^^^^^^

[thumbnail="screenshot/gui-datacenter-acme-register-account.png"]

You need to register an ACME account per cluster with the endpoint you want to
use. The email address used for that account will server as contact point for
renewal-due or similar notifications from the ACME endpoint.

You can register and deactivate ACME accounts over the web interface
`Datacenter -> ACME` or using the `pvenode` command line tool.
----
 pvenode acme account register account-name mail@example.com
----

TIP: Because of https://letsencrypt.org/docs/rate-limits/[rate-limits] you
should use LE `staging` for experiments or if you use ACME for the first time.

[[sysadmin_certs_acme_plugins]]
ACME Plugins
^^^^^^^^^^^^

The ACME plugins task is to provide automatic verification that you, and thus
the {pve} cluster under your operation, are the real owner of a domain. This is
the basis building block for automatic certificate management.

The ACME protocol specifies different types of challenges, for example the
`http-01` where a webserver provides a file with a certain value to proof that
it controls a domain. Sometimes this isn't possible, either because of
technical limitations or if the address a domain points to is not reachable
from the public internet. For such cases one could use the `dns-01` challenge.
That challenge provides also a certain value, but not over a text file, but
through a DNS record on the authority name server of the domain.

[thumbnail="screenshot/gui-datacenter-acme-overview.png"]

{pve} supports both of those challenge types out of the box, you can configure
plugins either over the web interface under `Datacenter -> ACME`, or using the
`pvenode acme plugin add` command.

ACME Plugin configurations are stored in `/etc/pve/priv/acme/plugins.cfg`.
A plugin is available for all nodes in the cluster.

Node Domains
^^^^^^^^^^^^

Each domain is node specific. You can add new or manage existing domain entries
under `Node -> Certificates`, or using the `pvenode config` command.

[thumbnail="screenshot/gui-node-certs-add-domain.png"]

After configuring the desired domain(s) for a node and ensuring that the
desired ACME account is selected, you can order your new certificate over the
web-interface. On success the interface will reload after 10 seconds.

Renewal will happen xref:sysadmin_certs_acme_automatic_renewal[automatically].

[[sysadmin_certs_acme_http_challenge]]
ACME HTTP Challenge Plugin
~~~~~~~~~~~~~~~~~~~~~~~~~~

There is always an implicitly configured `standalone` plugin for validating
`http-01` challenges via the built-in webserver spawned on port 80.

NOTE: The name `standalone` means that it can provide the validation on it's
own, without any third party service. So, this plugin works also for cluster
nodes.

There are a few prerequisites to use it for certificate management with Let's
Encrypts ACME.

* You have to accept the ToS of Let's Encrypt to register an account.
* **Port 80** of the node needs to be reachable from the internet.
* There **must** be no other listener on port 80.
* The requested (sub)domain needs to resolve to a public IP of the Node.


[[sysadmin_certs_acme_dns_challenge]]
ACME DNS API Challenge Plugin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On systems where external access for validation via the `http-01` method is
not possible or desired, it is possible to use the `dns-01` validation method.
This validation method requires a DNS server that allows provisioning of `TXT`
records via an API.

[[sysadmin_certs_acme_dns_api_config]]
Configuring ACME DNS APIs for validation
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

{PVE} re-uses the DNS plugins developed for the `acme.sh`
footnote:[acme.sh https://github.com/acmesh-official/acme.sh]
project, please refer to its documentation for details on configuration of
specific APIs.

The easiest way to configure a new plugin with the DNS API is using the web
interface (`Datacenter -> ACME`).

[thumbnail="screenshot/gui-datacenter-acme-add-dns-plugin.png"]

Choose `DNS` as challenge type. Then you can select your API provider, enter
the credential data to access your account over their API.

TIP: See the acme.sh
https://github.com/acmesh-official/acme.sh/wiki/dnsapi#how-to-use-dns-api[How to use DNS API]
wiki for more detailed information about getting API credentials for your
provider.

As there are so many API endpoints {pve} autogenerates the form for the
credentials, but not all providers are annotated yet. For those you will see a
bigger text area, simply copy all the credentials `KEY`=`VALUE` pairs in there.

DNS Validation through CNAME Alias
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

A special `alias` mode can be used to handle the validation on a different
domain/DNS server, in case your primary/real DNS does not support provisioning
via an API. Manually set up a permanent `CNAME` record for
`_acme-challenge.domain1.example` pointing to `_acme-challenge.domain2.example`
and set the `alias` property in the {PVE} node configuration file to
`domain2.example` to allow the DNS server of `domain2.example` to validate all
challenges for `domain1.example`.


Combination of Plugins
^^^^^^^^^^^^^^^^^^^^^^

Combining `http-01` and `dns-01` validation is possible in case your node is
reachable via multiple domains with different requirements / DNS provisioning
capabilities. Mixing DNS APIs from multiple providers or instances is also
possible by specifying different plugin instances per domain.

TIP: Accessing the same service over multiple domains increases complexity and
should be avoided if possible.

[[sysadmin_certs_acme_automatic_renewal]]
Automatic renewal of ACME certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If a node has been successfully configured with an ACME-provided certificate
(either via pvenode or via the GUI), the certificate will be automatically
renewed by the `pve-daily-update.service`. Currently, renewal will be attempted
if the certificate has expired already, or will expire in the next 30 days.


ACME Examples with `pvenode`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Example: Sample `pvenode` invocation for using Let's Encrypt certificates
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

----
root@proxmox:~# pvenode acme account register default mail@example.invalid
Directory endpoints:
0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
2) Custom
Enter selection: 1

Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you agree to the above terms? [y|N]y
...
Task OK
root@proxmox:~# pvenode config set --acme domains=example.invalid
root@proxmox:~# pvenode acme cert order
Loading ACME account details
Placing ACME order
...
Status is 'valid'!

All domains validated!
...
Downloading certificate
Setting pveproxy certificate and key
Restarting pveproxy
Task OK
----

Example: Setting up the OVH API for validating a domain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

NOTE: the account registration steps are the same no matter which plugins are
used, and are not repeated here.

NOTE: `OVH_AK` and `OVH_AS` need to be obtained from OVH according to the OVH
API documentation


First you need to get all information so you and {pve} can access the API.

----
root@proxmox:~# cat /path/to/api-token
OVH_AK=XXXXXXXXXXXXXXXX
OVH_AS=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
root@proxmox:~# source /path/to/api-token
root@proxmox:~# curl -XPOST -H"X-Ovh-Application: $OVH_AK" -H "Content-type: application/json" \
https://eu.api.ovh.com/1.0/auth/credential  -d '{
  "accessRules": [
    {"method": "GET","path": "/auth/time"},
    {"method": "GET","path": "/domain"},
    {"method": "GET","path": "/domain/zone/*"},
    {"method": "GET","path": "/domain/zone/*/record"},
    {"method": "POST","path": "/domain/zone/*/record"},
    {"method": "POST","path": "/domain/zone/*/refresh"},
    {"method": "PUT","path": "/domain/zone/*/record/"},
    {"method": "DELETE","path": "/domain/zone/*/record/*"}
]
}'
{"consumerKey":"ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ","state":"pendingValidation","validationUrl":"https://eu.api.ovh.com/auth/?credentialToken=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}

(open validation URL and follow instructions to link Application Key with account/Consumer Key)

root@proxmox:~# echo "OVH_CK=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ" >> /path/to/api-token
----

Now you can setup the the ACME plugin:

----
root@proxmox:~# pvenode acme plugin add dns example_plugin --api ovh --data /path/to/api_token
root@proxmox:~# pvenode acme plugin config example_plugin
┌────────┬──────────────────────────────────────────┐
│ key    │ value                                    │
╞════════╪══════════════════════════════════════════╡
│ api    │ ovh                                      │
├────────┼──────────────────────────────────────────┤
│ data   │ OVH_AK=XXXXXXXXXXXXXXXX                  │
│        │ OVH_AS=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY  │
│        │ OVH_CK=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ  │
├────────┼──────────────────────────────────────────┤
│ digest │ 867fcf556363ca1bea866863093fcab83edf47a1 │
├────────┼──────────────────────────────────────────┤
│ plugin │ example_plugin                           │
├────────┼──────────────────────────────────────────┤
│ type   │ dns                                      │
└────────┴──────────────────────────────────────────┘
----

At last you can configure the domain you want to get certitficates for and
place the certificate order for it:

----
root@proxmox:~# pvenode config set -acmedomain0 example.proxmox.com,plugin=example_plugin
root@proxmox:~# pvenode acme cert order
Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/11111111/22222222

Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333'
The validation for example.proxmox.com is pending!
[Wed Apr 22 09:25:30 CEST 2020] Using OVH endpoint: ovh-eu
[Wed Apr 22 09:25:30 CEST 2020] Checking authentication
[Wed Apr 22 09:25:30 CEST 2020] Consumer key is ok.
[Wed Apr 22 09:25:31 CEST 2020] Adding record
[Wed Apr 22 09:25:32 CEST 2020] Added, sleep 10 seconds.
Add TXT record: _acme-challenge.example.proxmox.com
Triggering validation
Sleeping for 5 seconds
Status is 'valid'!
[Wed Apr 22 09:25:48 CEST 2020] Using OVH endpoint: ovh-eu
[Wed Apr 22 09:25:48 CEST 2020] Checking authentication
[Wed Apr 22 09:25:48 CEST 2020] Consumer key is ok.
Remove TXT record: _acme-challenge.example.proxmox.com

All domains validated!

Creating CSR
Checking order status
Order is ready, finalizing order
valid!

Downloading certificate
Setting pveproxy certificate and key
Restarting pveproxy
Task OK
----

[[sysadmin_certs_acme_switch_from_staging]]
Example: Switching from the `staging` to the regular ACME directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Changing the ACME directory for an account is unsupported, but as {pve}
supports more than one account you can just create a new one with the
production (trusted) ACME directory as endpoint.  You can also deactivate the
staging account and recreate it.

// TODO: add example with account screenshot here

.Example: Changing the `default` ACME account from `staging` to directory using `pvenode`
----
root@proxmox:~# pvenode acme account deactivate default
Renaming account file from '/etc/pve/priv/acme/default' to '/etc/pve/priv/acme/_deactivated_default_4'
Task OK

root@proxmox:~# pvenode acme account register default example@proxmox.com
Directory endpoints:
0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
2) Custom
Enter selection: 0

Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you agree to the above terms? [y|N]y
...
Task OK
----
Commit	Line	Data
	1	[[sysadmin_certificate_management]]
	2	Certificate Management
	3	----------------------
	4	ifdef::wiki[]
	5	:pve-toplevel:
	6	endif::wiki[]
	7
	8
	9	Certificates for Intra-Cluster Communication
	10	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	11
	12	Each {PVE} cluster creates by default its own (self-signed) Certificate
	13	Authority (CA) and generates a certificate for each node which gets signed by
	14	the aforementioned CA. These certificates are used for encrypted communication
	15	with the cluster's `pveproxy` service and the Shell/Console feature if SPICE is
	16	used.
	17
	18	The CA certificate and key are stored in the xref:chapter_pmxcfs[Proxmox Cluster File System (pmxcfs)].
	19
	20
	21	[[sysadmin_certs_api_gui]]
	22	Certificates for API and Web GUI
	23	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	24
	25	The REST API and web GUI are provided by the `pveproxy` service, which runs on
	26	each node.
	27
	28	You have the following options for the certificate used by `pveproxy`:
	29
	30	1. By default the node-specific certificate in
	31	`/etc/pve/nodes/NODENAME/pve-ssl.pem` is used. This certificate is signed by
	32	the cluster CA and therefore not automatically trusted by browsers and
	33	operating systems.
	34	2. use an externally provided certificate (e.g. signed by a commercial CA).
	35	3. use ACME (Let's Encrypt) to get a trusted certificate with automatic
	36	renewal, this is also integrated in the {pve} API and Webinterface.
	37
	38	For options 2 and 3 the file `/etc/pve/local/pveproxy-ssl.pem` (and
	39	`/etc/pve/local/pveproxy-ssl.key`, which needs to be without password) is used.
	40
	41	NOTE: Keep in mind that `/etc/pve/local` is a node specific symlink to
	42	`/etc/pve/nodes/NODENAME`.
	43
	44	Certificates are managed with the {PVE} Node management command
	45	(see the `pvenode(1)` manpage).
	46
	47	WARNING: Do not replace or manually modify the automatically generated node
	48	certificate files in `/etc/pve/local/pve-ssl.pem` and
	49	`/etc/pve/local/pve-ssl.key` or the cluster CA files in
	50	`/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`.
	51
	52	[[sysadmin_certs_upload_custom]]
	53	Upload Custom Certificate
	54	~~~~~~~~~~~~~~~~~~~~~~~~~
	55
	56	If you already have a certificate which you want to use for a {pve} node you
	57	can upload that certificate simply over the web interface.
	58
	59	[thumbnail="screenshot/gui-node-certs-upload-custom.png"]
	60
	61	Note that the certificates key file, if provided, mustn't be password
	62	protected.
	63
	64	[[sysadmin_certs_get_trusted_acme_cert]]
	65	Trusted certificates via Let's Encrypt (ACME)
	66	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	67
	68	{PVE} includes an implementation of the Automatic Certificate
	69	Management Environment ACME protocol, allowing {pve} admins to
	70	interface with Let's Encrypt for easy setup of trusted TLS certificates which
	71	are accepted out of the box on most modern operating systems and browsers.
	72
	73	Currently the two ACME endpoints implemented are the
	74	https://letsencrypt.org[Let's Encrypt (LE)] production and its staging
	75	environment. Our ACME client supports validation of `http-01` challenges using
	76	a built-in webserver and validation of `dns-01` challenges using a DNS plugin
	77	supporting all the DNS API endpoints https://acme.sh[acme.sh] does.
	78
	79	[[sysadmin_certs_acme_account]]
	80	ACME Account
	81	^^^^^^^^^^^^
	82
	83	[thumbnail="screenshot/gui-datacenter-acme-register-account.png"]
	84
	85	You need to register an ACME account per cluster with the endpoint you want to
	86	use. The email address used for that account will server as contact point for
	87	renewal-due or similar notifications from the ACME endpoint.
	88
	89	You can register and deactivate ACME accounts over the web interface
	90	`Datacenter -> ACME` or using the `pvenode` command line tool.
	91	----
	92	pvenode acme account register account-name mail@example.com
	93	----
	94
	95	TIP: Because of https://letsencrypt.org/docs/rate-limits/[rate-limits] you
	96	should use LE `staging` for experiments or if you use ACME for the first time.
	97
	98	[[sysadmin_certs_acme_plugins]]
	99	ACME Plugins
	100	^^^^^^^^^^^^
	101
	102	The ACME plugins task is to provide automatic verification that you, and thus
	103	the {pve} cluster under your operation, are the real owner of a domain. This is
	104	the basis building block for automatic certificate management.
	105
	106	The ACME protocol specifies different types of challenges, for example the
	107	`http-01` where a webserver provides a file with a certain value to proof that
	108	it controls a domain. Sometimes this isn't possible, either because of
	109	technical limitations or if the address a domain points to is not reachable
	110	from the public internet. For such cases one could use the `dns-01` challenge.
	111	That challenge provides also a certain value, but not over a text file, but
	112	through a DNS record on the authority name server of the domain.
	113
	114	[thumbnail="screenshot/gui-datacenter-acme-overview.png"]
	115
	116	{pve} supports both of those challenge types out of the box, you can configure
	117	plugins either over the web interface under `Datacenter -> ACME`, or using the
	118	`pvenode acme plugin add` command.
	119
	120	ACME Plugin configurations are stored in `/etc/pve/priv/acme/plugins.cfg`.
	121	A plugin is available for all nodes in the cluster.
	122
	123	Node Domains
	124	^^^^^^^^^^^^
	125
	126	Each domain is node specific. You can add new or manage existing domain entries
	127	under `Node -> Certificates`, or using the `pvenode config` command.
	128
	129	[thumbnail="screenshot/gui-node-certs-add-domain.png"]
	130
	131	After configuring the desired domain(s) for a node and ensuring that the
	132	desired ACME account is selected, you can order your new certificate over the
	133	web-interface. On success the interface will reload after 10 seconds.
	134
	135	Renewal will happen xref:sysadmin_certs_acme_automatic_renewal[automatically].
	136
	137	[[sysadmin_certs_acme_http_challenge]]
	138	ACME HTTP Challenge Plugin
	139	~~~~~~~~~~~~~~~~~~~~~~~~~~
	140
	141	There is always an implicitly configured `standalone` plugin for validating
	142	`http-01` challenges via the built-in webserver spawned on port 80.
	143
	144	NOTE: The name `standalone` means that it can provide the validation on it's
	145	own, without any third party service. So, this plugin works also for cluster
	146	nodes.
	147
	148	There are a few prerequisites to use it for certificate management with Let's
	149	Encrypts ACME.
	150
	151	* You have to accept the ToS of Let's Encrypt to register an account.
	152	* Port 80 of the node needs to be reachable from the internet.
	153	* There must be no other listener on port 80.
	154	* The requested (sub)domain needs to resolve to a public IP of the Node.
	155
	156
	157	[[sysadmin_certs_acme_dns_challenge]]
	158	ACME DNS API Challenge Plugin
	159	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	160
	161	On systems where external access for validation via the `http-01` method is
	162	not possible or desired, it is possible to use the `dns-01` validation method.
	163	This validation method requires a DNS server that allows provisioning of `TXT`
	164	records via an API.
	165
	166	[[sysadmin_certs_acme_dns_api_config]]
	167	Configuring ACME DNS APIs for validation
	168	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	169
	170	{PVE} re-uses the DNS plugins developed for the `acme.sh`
	171	footnote:[acme.sh https://github.com/acmesh-official/acme.sh]
	172	project, please refer to its documentation for details on configuration of
	173	specific APIs.
	174
	175	The easiest way to configure a new plugin with the DNS API is using the web
	176	interface (`Datacenter -> ACME`).
	177
	178	[thumbnail="screenshot/gui-datacenter-acme-add-dns-plugin.png"]
	179
	180	Choose `DNS` as challenge type. Then you can select your API provider, enter
	181	the credential data to access your account over their API.
	182
	183	TIP: See the acme.sh
	184	https://github.com/acmesh-official/acme.sh/wiki/dnsapi#how-to-use-dns-api[How to use DNS API]
	185	wiki for more detailed information about getting API credentials for your
	186	provider.
	187
	188	As there are so many API endpoints {pve} autogenerates the form for the
	189	credentials, but not all providers are annotated yet. For those you will see a
	190	bigger text area, simply copy all the credentials `KEY`=`VALUE` pairs in there.
	191
	192	DNS Validation through CNAME Alias
	193	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	194
	195	A special `alias` mode can be used to handle the validation on a different
	196	domain/DNS server, in case your primary/real DNS does not support provisioning
	197	via an API. Manually set up a permanent `CNAME` record for
	198	`_acme-challenge.domain1.example` pointing to `_acme-challenge.domain2.example`
	199	and set the `alias` property in the {PVE} node configuration file to
	200	`domain2.example` to allow the DNS server of `domain2.example` to validate all
	201	challenges for `domain1.example`.
	202
	203
	204	Combination of Plugins
	205	^^^^^^^^^^^^^^^^^^^^^^
	206
	207	Combining `http-01` and `dns-01` validation is possible in case your node is
	208	reachable via multiple domains with different requirements / DNS provisioning
	209	capabilities. Mixing DNS APIs from multiple providers or instances is also
	210	possible by specifying different plugin instances per domain.
	211
	212	TIP: Accessing the same service over multiple domains increases complexity and
	213	should be avoided if possible.
	214
	215	[[sysadmin_certs_acme_automatic_renewal]]
	216	Automatic renewal of ACME certificates
	217	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	218
	219	If a node has been successfully configured with an ACME-provided certificate
	220	(either via pvenode or via the GUI), the certificate will be automatically
	221	renewed by the `pve-daily-update.service`. Currently, renewal will be attempted
	222	if the certificate has expired already, or will expire in the next 30 days.
	223
	224
	225	ACME Examples with `pvenode`
	226	~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	227
	228	Example: Sample `pvenode` invocation for using Let's Encrypt certificates
	229	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	230
	231	----
	232	root@proxmox:~# pvenode acme account register default mail@example.invalid
	233	Directory endpoints:
	234	0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
	235	1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
	236	2) Custom
	237	Enter selection: 1
	238
	239	Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
	240	Do you agree to the above terms? [y\|N]y
	241	...
	242	Task OK
	243	root@proxmox:~# pvenode config set --acme domains=example.invalid
	244	root@proxmox:~# pvenode acme cert order
	245	Loading ACME account details
	246	Placing ACME order
	247	...
	248	Status is 'valid'!
	249
	250	All domains validated!
	251	...
	252	Downloading certificate
	253	Setting pveproxy certificate and key
	254	Restarting pveproxy
	255	Task OK
	256	----
	257
	258	Example: Setting up the OVH API for validating a domain
	259	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	260
	261	NOTE: the account registration steps are the same no matter which plugins are
	262	used, and are not repeated here.
	263
	264	NOTE: `OVH_AK` and `OVH_AS` need to be obtained from OVH according to the OVH
	265	API documentation
	266
	267
	268	First you need to get all information so you and {pve} can access the API.
	269
	270	----
	271	root@proxmox:~# cat /path/to/api-token
	272	OVH_AK=XXXXXXXXXXXXXXXX
	273	OVH_AS=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
	274	root@proxmox:~# source /path/to/api-token
	275	root@proxmox:~# curl -XPOST -H"X-Ovh-Application: $OVH_AK" -H "Content-type: application/json" \
	276	https://eu.api.ovh.com/1.0/auth/credential -d '{
	277	"accessRules": [
	278	{"method": "GET","path": "/auth/time"},
	279	{"method": "GET","path": "/domain"},
	280	{"method": "GET","path": "/domain/zone/*"},
	281	{"method": "GET","path": "/domain/zone/*/record"},
	282	{"method": "POST","path": "/domain/zone/*/record"},
	283	{"method": "POST","path": "/domain/zone/*/refresh"},
	284	{"method": "PUT","path": "/domain/zone/*/record/"},
	285	{"method": "DELETE","path": "/domain/zone//record/"}
	286	]
	287	}'
	288	{"consumerKey":"ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ","state":"pendingValidation","validationUrl":"https://eu.api.ovh.com/auth/?credentialToken=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
	289
	290	(open validation URL and follow instructions to link Application Key with account/Consumer Key)
	291
	292	root@proxmox:~# echo "OVH_CK=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ" >> /path/to/api-token
	293	----
	294
	295	Now you can setup the the ACME plugin:
	296
	297	----
	298	root@proxmox:~# pvenode acme plugin add dns example_plugin --api ovh --data /path/to/api_token
	299	root@proxmox:~# pvenode acme plugin config example_plugin
	300	┌────────┬──────────────────────────────────────────┐
	301	│ key │ value │
	302	╞════════╪══════════════════════════════════════════╡
	303	│ api │ ovh │
	304	├────────┼──────────────────────────────────────────┤
	305	│ data │ OVH_AK=XXXXXXXXXXXXXXXX │
	306	│ │ OVH_AS=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY │
	307	│ │ OVH_CK=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ │
	308	├────────┼──────────────────────────────────────────┤
	309	│ digest │ 867fcf556363ca1bea866863093fcab83edf47a1 │
	310	├────────┼──────────────────────────────────────────┤
	311	│ plugin │ example_plugin │
	312	├────────┼──────────────────────────────────────────┤
	313	│ type │ dns │
	314	└────────┴──────────────────────────────────────────┘
	315	----
	316
	317	At last you can configure the domain you want to get certitficates for and
	318	place the certificate order for it:
	319
	320	----
	321	root@proxmox:~# pvenode config set -acmedomain0 example.proxmox.com,plugin=example_plugin
	322	root@proxmox:~# pvenode acme cert order
	323	Loading ACME account details
	324	Placing ACME order
	325	Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/11111111/22222222
	326
	327	Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333'
	328	The validation for example.proxmox.com is pending!
	329	[Wed Apr 22 09:25:30 CEST 2020] Using OVH endpoint: ovh-eu
	330	[Wed Apr 22 09:25:30 CEST 2020] Checking authentication
	331	[Wed Apr 22 09:25:30 CEST 2020] Consumer key is ok.
	332	[Wed Apr 22 09:25:31 CEST 2020] Adding record
	333	[Wed Apr 22 09:25:32 CEST 2020] Added, sleep 10 seconds.
	334	Add TXT record: _acme-challenge.example.proxmox.com
	335	Triggering validation
	336	Sleeping for 5 seconds
	337	Status is 'valid'!
	338	[Wed Apr 22 09:25:48 CEST 2020] Using OVH endpoint: ovh-eu
	339	[Wed Apr 22 09:25:48 CEST 2020] Checking authentication
	340	[Wed Apr 22 09:25:48 CEST 2020] Consumer key is ok.
	341	Remove TXT record: _acme-challenge.example.proxmox.com
	342
	343	All domains validated!
	344
	345	Creating CSR
	346	Checking order status
	347	Order is ready, finalizing order
	348	valid!
	349
	350	Downloading certificate
	351	Setting pveproxy certificate and key
	352	Restarting pveproxy
	353	Task OK
	354	----
	355
	356	[[sysadmin_certs_acme_switch_from_staging]]
	357	Example: Switching from the `staging` to the regular ACME directory
	358	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	359
	360	Changing the ACME directory for an account is unsupported, but as {pve}
	361	supports more than one account you can just create a new one with the
	362	production (trusted) ACME directory as endpoint. You can also deactivate the
	363	staging account and recreate it.
	364
	365	// TODO: add example with account screenshot here
	366
	367	.Example: Changing the `default` ACME account from `staging` to directory using `pvenode`
	368	----
	369	root@proxmox:~# pvenode acme account deactivate default
	370	Renaming account file from '/etc/pve/priv/acme/default' to '/etc/pve/priv/acme/_deactivated_default_4'
	371	Task OK
	372
	373	root@proxmox:~# pvenode acme account register default example@proxmox.com
	374	Directory endpoints:
	375	0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
	376	1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
	377	2) Custom
	378	Enter selection: 0
	379
	380	Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
	381	Do you agree to the above terms? [y\|N]y
	382	...
	383	Task OK
	384	----