Certificates for communication within the cluster
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Each {PVE} cluster creates its own internal Certificate Authority (CA) and
-generates a self-signed certificate for each node. These certificates are used
-for encrypted communication with the cluster's pveproxy service and the
-Shell/Console feature if SPICE is used.
+Each {PVE} cluster creates its own (self-signed) Certificate Authority (CA) and
+generates a certificate for each node which gets signed by the aforementioned
+CA. These certificates are used for encrypted communication with the cluster's
+`pveproxy` service and the Shell/Console feature if SPICE is used.
The CA certificate and key are stored in the xref:chapter_pmxcfs[Proxmox Cluster File System (pmxcfs)].
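Review bot: The rewritten first sentence drops the word "internal" and attaches "(self-signed)" to the CA itself rather than to its root certificate, which reads oddly next to "signed by the aforementioned CA". Consider something like "Each {PVE} cluster creates its own internal Certificate Authority (CA), whose root certificate is self-signed, and issues each node a certificate signed by that CA." This keeps the correction the change is after (node certificates are CA-signed, not self-signed) while still telling the reader that the CA is private to the cluster. The backticks added around `pveproxy` are fine.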
Setting pveproxy certificate and key
Restarting pveproxy
Task OK
------------------
+----
Switching from the `staging` to the regular ACME directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.Example: Changing the `default` ACME account from the `staging` to the regular directory
------------------
-
+----
root@proxmox:~# pvenode acme account info default
Directory URL: https://acme-staging-v02.api.letsencrypt.org/directory
Account URL: https://acme-staging-v02.api.letsencrypt.org/acme/acct/6332194
root@proxmox:~# pvenode acme account deactivate default
Renaming account file from '/etc/pve/priv/acme/default' to '/etc/pve/priv/acme/_deactivated_default_4'
Task OK
-root@proxmox:~#
+
root@proxmox:~# pvenode acme account register default example@proxmox.com
Directory endpoints:
0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
Registering ACME account..
Registration successful, account URL: 'https://acme-v02.api.letsencrypt.org/acme/acct/39335247'
Task OK
-root@proxmox:~#
-
------------------
+----
Automatic renewal of ACME certificates
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
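Review bot: The blank line added between the `deactivate` output and the `register` command separates only that one pair of commands. The `account info` output and the following `pvenode acme account deactivate default` prompt still run together with no separator, so the spacing inside the listing is now inconsistent. Either add the same blank line before the `deactivate` prompt or leave it out in both places. Removing the dangling empty `root@proxmox:~#` prompts and shortening the listing delimiters to `----` looks good and is applied consistently to all three delimiters visible here.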