endif::wiki[]
-Certificates for communication within the cluster
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Certificates for Intra-Cluster Communication
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Each {PVE} cluster creates its own (self-signed) Certificate Authority (CA) and
-generates a certificate for each node which gets signed by the aforementioned
-CA. These certificates are used for encrypted communication with the cluster's
-`pveproxy` service and the Shell/Console feature if SPICE is used.
+Each {PVE} cluster creates by default its own (self-signed) Certificate
+Authority (CA) and generates a certificate for each node which gets signed by
+the aforementioned CA. These certificates are used for encrypted communication
+with the cluster's `pveproxy` service and the Shell/Console feature if SPICE is
+used.
The CA certificate and key are stored in the xref:chapter_pmxcfs[Proxmox Cluster File System (pmxcfs)].
-Certificates for API and web GUI
+[[sysadmin_certs_api_gui]]
+Certificates for API and Web GUI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The REST API and web GUI are provided by the `pveproxy` service, which runs on
operating systems.
2. use an externally provided certificate (e.g. signed by a commercial CA).
3. use ACME (Let's Encrypt) to get a trusted certificate with automatic
-renewal, this is also integrated in the {pve} API and Webinterface.
+renewal, this is also integrated in the {pve} API and web interface.
For options 2 and 3 the file `/etc/pve/local/pveproxy-ssl.pem` (and
`/etc/pve/local/pveproxy-ssl.key`, which needs to be without password) is used.
`/etc/pve/local/pve-ssl.key` or the cluster CA files in
`/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`.
+[[sysadmin_certs_upload_custom]]
+Upload Custom Certificate
+~~~~~~~~~~~~~~~~~~~~~~~~~
-Getting trusted certificates via ACME
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+If you already have a certificate which you want to use for a {pve} node you
+can upload that certificate simply over the web interface.
-{PVE} includes an implementation of the **A**utomatic **C**ertificate
-**M**anagement **E**nvironment **ACME** protocol, allowing {pve} admins to
-interface with Let's Encrypt for easy setup of trusted TLS certificates which
-are accepted out of the box on most modern operating systems and browsers.
-
-Currently the two ACME endpoints implemented are Let's Encrypt (LE) and its
-staging environment (see https://letsencrypt.org). Our ACME client supports
-validation of `http-01` challenges using a built-in webserver and validation of
-`dns-01` challenges using a DNS plugin.
+[thumbnail="screenshot/gui-node-certs-upload-custom.png"]
-Because of https://letsencrypt.org/docs/rate-limits/[rate-limits] you should use
-LE `staging` for experiments.
+Note that the certificates key file, if provided, mustn't be password
+protected.
-ACME Plugin configuration is stored in `/etc/pve/priv/acme/plugins.cfg`. There
-is always an implicitly configured `standalone` plugin for validating `http-01`
-challenges via the built-in webserver spawned on port 80.
+[[sysadmin_certs_get_trusted_acme_cert]]
+Trusted certificates via Let's Encrypt (ACME)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-There are a few prerequisites to use Let's Encrypt:
-
-* You have to accept the ToS of Let's Encrypt to register an account.
-
-For `http-01` challenges:
-
-* **Port 80** of the node needs to be reachable from the internet.
-* There **must** be no other listener on port 80.
-* The requested (sub)domain needs to resolve to a public IP of the Node.
+{PVE} includes an implementation of the **A**utomatic **C**ertificate
+**M**anagement **E**nvironment **ACME** protocol, allowing {pve} admins to
+use an ACME provider like Let's Encrypt for easy setup of TLS certificates
+which are accepted and trusted on modern operating systems and web browsers
+out of the box.
-For `dns-01` challenges:
+Currently, the two ACME endpoints implemented are the
+https://letsencrypt.org[Let's Encrypt (LE)] production and its staging
+environment. Our ACME client supports validation of `http-01` challenges using
+a built-in web server and validation of `dns-01` challenges using a DNS plugin
+supporting all the DNS API endpoints https://acme.sh[acme.sh] does.
-* DNS needs to be handled by a server that allows automatic provisioning of
-TXT records
+[[sysadmin_certs_acme_account]]
+ACME Account
+^^^^^^^^^^^^
-At the moment the GUI uses only the default ACME account.
+[thumbnail="screenshot/gui-datacenter-acme-register-account.png"]
-.Example: Sample `pvenode` invocation for using Let's Encrypt certificates
+You need to register an ACME account per cluster with the endpoint you want to
+use. The email address used for that account will serve as contact point for
+renewal-due or similar notifications from the ACME endpoint.
+You can register and deactivate ACME accounts over the web interface
+`Datacenter -> ACME` or using the `pvenode` command-line tool.
+----
+ pvenode acme account register account-name mail@example.com
----
-root@proxmox:~# pvenode acme account register default mail@example.invalid
-Directory endpoints:
-0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
-1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
-2) Custom
-Enter selection:
-1
-Attempting to fetch Terms of Service from 'https://acme-staging-v02.api.letsencrypt.org/directory'..
-Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
-Do you agree to the above terms? [y|N]y
+TIP: Because of https://letsencrypt.org/docs/rate-limits/[rate-limits] you
+should use LE `staging` for experiments or if you use ACME for the first time.
-Attempting to register account with 'https://acme-staging-v02.api.letsencrypt.org/directory'..
-Generating ACME account key..
-Registering ACME account..
-Registration successful, account URL: 'https://acme-staging-v02.api.letsencrypt.org/acme/acct/xxxxxxx'
-Task OK
-root@proxmox:~# pvenode acme account list
-default
-root@proxmox:~# pvenode config set --acme domains=example.invalid
-root@proxmox:~# pvenode acme cert order
-Loading ACME account details
-Placing ACME order
-Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/xxxxxxxxxxxxxx
+[[sysadmin_certs_acme_plugins]]
+ACME Plugins
+^^^^^^^^^^^^
-Getting authorization details from
-'https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxx-xxxxxxx'
-... pending!
-Setting up webserver
-Triggering validation
-Sleeping for 5 seconds
-Status is 'valid'!
+The ACME plugins task is to provide automatic verification that you, and thus
+the {pve} cluster under your operation, are the real owner of a domain. This is
+the basis building block for automatic certificate management.
-All domains validated!
+The ACME protocol specifies different types of challenges, for example the
+`http-01` where a web server provides a file with a certain content to prove
+that it controls a domain. Sometimes this isn't possible, either because of
+technical limitations or if the address of a record to is not reachable from
+the public internet. The `dns-01` challenge can be used in these cases. This
+challenge is fulfilled by creating a certain DNS record in the domain's zone.
-Creating CSR
-Finalizing order
-Checking order status
-valid!
+[thumbnail="screenshot/gui-datacenter-acme-overview.png"]
-Downloading certificate
-Setting pveproxy certificate and key
-Restarting pveproxy
-Task OK
-----
+{pve} supports both of those challenge types out of the box, you can configure
+plugins either over the web interface under `Datacenter -> ACME`, or using the
+`pvenode acme plugin add` command.
-Switching from the `staging` to the regular ACME directory
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ACME Plugin configurations are stored in `/etc/pve/priv/acme/plugins.cfg`.
+A plugin is available for all nodes in the cluster.
-Changing the ACME directory for an account is unsupported. If you want to switch
-an account from the `staging` ACME directory to the regular, trusted, one you
-need to deactivate it and recreate it.
+Node Domains
+^^^^^^^^^^^^
-This procedure is also needed to change the default ACME account used in the GUI.
+Each domain is node specific. You can add new or manage existing domain entries
+under `Node -> Certificates`, or using the `pvenode config` command.
-.Example: Changing the `default` ACME account from the `staging` to the regular directory
+[thumbnail="screenshot/gui-node-certs-add-domain.png"]
-----
-root@proxmox:~# pvenode acme account info default
-Directory URL: https://acme-staging-v02.api.letsencrypt.org/directory
-Account URL: https://acme-staging-v02.api.letsencrypt.org/acme/acct/6332194
-Terms Of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
-
-Account information:
-ID: xxxxxxx
-Contact:
- - mailto:example@proxmox.com
-Creation date: 2018-07-31T08:41:44.54196435Z
-Initial IP: 192.0.2.1
-Status: valid
+After configuring the desired domain(s) for a node and ensuring that the
+desired ACME account is selected, you can order your new certificate over the
+web interface. On success the interface will reload after 10 seconds.
-root@proxmox:~# pvenode acme account deactivate default
-Renaming account file from '/etc/pve/priv/acme/default' to '/etc/pve/priv/acme/_deactivated_default_4'
-Task OK
+Renewal will happen xref:sysadmin_certs_acme_automatic_renewal[automatically].
-root@proxmox:~# pvenode acme account register default example@proxmox.com
-Directory endpoints:
-0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
-1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
-2) Custom
-Enter selection:
-0
+[[sysadmin_certs_acme_http_challenge]]
+ACME HTTP Challenge Plugin
+~~~~~~~~~~~~~~~~~~~~~~~~~~
-Attempting to fetch Terms of Service from 'https://acme-v02.api.letsencrypt.org/directory'..
-Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
-Do you agree to the above terms? [y|N]y
+There is always an implicitly configured `standalone` plugin for validating
+`http-01` challenges via the built-in webserver spawned on port 80.
-Attempting to register account with 'https://acme-v02.api.letsencrypt.org/directory'..
-Generating ACME account key..
-Registering ACME account..
-Registration successful, account URL: 'https://acme-v02.api.letsencrypt.org/acme/acct/39335247'
-Task OK
-----
+NOTE: The name `standalone` means that it can provide the validation on it's
+own, without any third party service. So, this plugin works also for cluster
+nodes.
-Automatic renewal of ACME certificates
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+There are a few prerequisites to use it for certificate management with Let's
+Encrypts ACME.
-If a node has been successfully configured with an ACME-provided certificate
-(either via pvenode or via the GUI), the certificate will be automatically
-renewed by the pve-daily-update.service. Currently, renewal will be attempted
-if the certificate has expired already, or will expire in the next 30 days.
+* You have to accept the ToS of Let's Encrypt to register an account.
+* **Port 80** of the node needs to be reachable from the internet.
+* There **must** be no other listener on port 80.
+* The requested (sub)domain needs to resolve to a public IP of the Node.
-Configuring ACME DNS APIs for validation
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+[[sysadmin_certs_acme_dns_challenge]]
+ACME DNS API Challenge Plugin
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On systems where external access for validation via the `http-01` method is
not possible or desired, it is possible to use the `dns-01` validation method.
This validation method requires a DNS server that allows provisioning of `TXT`
records via an API.
+[[sysadmin_certs_acme_dns_api_config]]
+Configuring ACME DNS APIs for validation
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
{PVE} re-uses the DNS plugins developed for the `acme.sh`
-footnote:[acme.sh https://github.com/acmesh-official/acme.sh]
-project, please refer to its documentation for details on configuration of
-specific APIs.
+footnote:[acme.sh https://github.com/acmesh-official/acme.sh] project, please
+refer to its documentation for details on configuration of specific APIs.
-Combining `http-01` and `dns-01` validation is possible in case your node is
-reachable via multiple domains with different requirements / DNS provisioning
-capabilities. Mixing DNS APIs from multiple providers or instances is also
-possible by specifying different plugin instances per domain.
+The easiest way to configure a new plugin with the DNS API is using the web
+interface (`Datacenter -> ACME`).
+
+[thumbnail="screenshot/gui-datacenter-acme-add-dns-plugin.png"]
+
+Choose `DNS` as challenge type. Then you can select your API provider, enter
+the credential data to access your account over their API.
+
+TIP: See the acme.sh
+https://github.com/acmesh-official/acme.sh/wiki/dnsapi#how-to-use-dns-api[How to use DNS API]
+wiki for more detailed information about getting API credentials for your
+provider.
+
+As there are many DNS providers and API endpoints {pve} automatically generates
+the form for the credentials for some providers. For the others you will see a
+bigger text area, simply copy all the credentials `KEY`=`VALUE` pairs in there.
+
+DNS Validation through CNAME Alias
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
A special `alias` mode can be used to handle the validation on a different
domain/DNS server, in case your primary/real DNS does not support provisioning
`domain2.example` to allow the DNS server of `domain2.example` to validate all
challenges for `domain1.example`.
-.Example: Setting up the OVH API for validating a domain
+
+Combination of Plugins
+^^^^^^^^^^^^^^^^^^^^^^
+
+Combining `http-01` and `dns-01` validation is possible in case your node is
+reachable via multiple domains with different requirements / DNS provisioning
+capabilities. Mixing DNS APIs from multiple providers or instances is also
+possible by specifying different plugin instances per domain.
+
+TIP: Accessing the same service over multiple domains increases complexity and
+should be avoided if possible.
+
+[[sysadmin_certs_acme_automatic_renewal]]
+Automatic renewal of ACME certificates
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If a node has been successfully configured with an ACME-provided certificate
+(either via pvenode or via the GUI), the certificate will be automatically
+renewed by the `pve-daily-update.service`. Currently, renewal will be attempted
+if the certificate has expired already, or will expire in the next 30 days.
+
+
+ACME Examples with `pvenode`
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Example: Sample `pvenode` invocation for using Let's Encrypt certificates
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+----
+root@proxmox:~# pvenode acme account register default mail@example.invalid
+Directory endpoints:
+0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
+1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
+2) Custom
+Enter selection: 1
+
+Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
+Do you agree to the above terms? [y|N]y
+...
+Task OK
+root@proxmox:~# pvenode config set --acme domains=example.invalid
+root@proxmox:~# pvenode acme cert order
+Loading ACME account details
+Placing ACME order
+...
+Status is 'valid'!
+
+All domains validated!
+...
+Downloading certificate
+Setting pveproxy certificate and key
+Restarting pveproxy
+Task OK
+----
+
+Example: Setting up the OVH API for validating a domain
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
NOTE: the account registration steps are the same no matter which plugins are
used, and are not repeated here.
└────────┴──────────────────────────────────────────┘
----
-At last you can configure the domain you want to get certitficates for and
+At last you can configure the domain you want to get certificates for and
place the certificate order for it:
----
Restarting pveproxy
Task OK
----
+
+[[sysadmin_certs_acme_switch_from_staging]]
+Example: Switching from the `staging` to the regular ACME directory
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Changing the ACME directory for an account is unsupported, but as {pve}
+supports more than one account you can just create a new one with the
+production (trusted) ACME directory as endpoint. You can also deactivate the
+staging account and recreate it.
+
+// TODO: add example with account screenshot here
+
+.Example: Changing the `default` ACME account from `staging` to directory using `pvenode`
+----
+root@proxmox:~# pvenode acme account deactivate default
+Renaming account file from '/etc/pve/priv/acme/default' to '/etc/pve/priv/acme/_deactivated_default_4'
+Task OK
+
+root@proxmox:~# pvenode acme account register default example@proxmox.com
+Directory endpoints:
+0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
+1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
+2) Custom
+Enter selection: 0
+
+Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
+Do you agree to the above terms? [y|N]y
+...
+Task OK
+----
projects / pve-docs.git / blobdiff