X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=certificate-managment.adoc;h=3eabee83a5bd067a8cb5dec013e622d41d0afabb;hp=a219adb4c1f711fdb823855731144a86ef470ef0;hb=42a167208676dd7b0fd0793a5f3809061a0e8f38;hpb=0e9c6c133fe498556c33a2784ece92ff9db7e697 diff --git a/certificate-managment.adoc b/certificate-managment.adoc index a219adb..3eabee8 100644 --- a/certificate-managment.adoc +++ b/certificate-managment.adoc @@ -14,8 +14,7 @@ generates a self-signed certificate for each node. These certificates are used for encrypted communication with the cluster's pveproxy service and the Shell/Console feature if SPICE is used. -The CA certificate and key are stored in the `pmxcfs` (see the `pmxcfs(8)` -manpage). +The CA certificate and key are stored in the xref:chapter_pmxcfs[Proxmox Cluster File System (pmxcfs)]. Certificates for API and web GUI ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -68,7 +67,7 @@ At the moment the GUI uses only the default ACME account. .Example: Sample `pvenode` invocation for using Let's Encrypt certificates ------------------ +---- root@proxmox:~# pvenode acme account register default mail@example.invalid Directory endpoints: 0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory) 
@@ -113,7 +112,55 @@ Downloading certificate Setting pveproxy certificate and key Restarting pveproxy Task OK ------------------ +---- + +Switching from the `staging` to the regular ACME directory +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Changing the ACME directory for an account is unsupported. If you want to switch +an account from the `staging` ACME directory to the regular, trusted, one you +need to deactivate it and recreate it. + +This procedure is also needed to change the default ACME account used in the GUI. + +.Example: Changing the `default` ACME account from the `staging` to the regular directory + +---- +root@proxmox:~# pvenode acme account info default +Directory URL: https://acme-staging-v02.api.letsencrypt.org/directory +Account URL: https://acme-staging-v02.api.letsencrypt.org/acme/acct/6332194 +Terms Of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf + +Account information: +ID: xxxxxxx +Contact: + - mailto:example@proxmox.com +Creation date: 2018-07-31T08:41:44.54196435Z +Initial IP: 192.0.2.1 +Status: valid + +root@proxmox:~# pvenode acme account deactivate default +Renaming account file from '/etc/pve/priv/acme/default' to '/etc/pve/priv/acme/_deactivated_default_4' +Task OK + +root@proxmox:~# pvenode acme account register default example@proxmox.com +Directory endpoints: +0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory) +1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory) +2) Custom +Enter selection: +0 + +Attempting to fetch Terms of Service from 'https://acme-v02.api.letsencrypt.org/directory'.. +Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf +Do you agree to the above terms? [y|N]y + +Attempting to register account with 'https://acme-v02.api.letsencrypt.org/directory'.. +Generating ACME account key.. +Registering ACME account.. 
+Registration successful, account URL: 'https://acme-v02.api.letsencrypt.org/acme/acct/39335247' +Task OK +---- Automatic renewal of ACME certificates ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
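Review bot: the added line in the `@@ -14,8 +14,7 @@` hunk runs to over 100 characters, while the two lines it replaces and the rest of the paragraph are wrapped much shorter. Break it before `xref:chapter_pmxcfs[...]` so the file keeps one wrap width and later diffs of this paragraph stay readable. The change also drops the `pmxcfs(8)` manpage pointer. If this file is rendered anywhere the `chapter_pmxcfs` anchor is not available, keep the manpage reference next to the xref.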
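Review bot: the sample output added in the `@@ -113,7 +112,55 @@` hunk redacts the account inconsistently. `ID: xxxxxxx` is masked, but `Account URL: .../acme/acct/6332194` and the later `account URL: '.../acme/acct/39335247'` show what look like real account numbers. Mask the number in both URLs the same way as the ID. The contact address `example@proxmox.com` is on a real domain, whereas the existing example above uses `mail@example.invalid`. Use the reserved domain here too. There is also an empty line between the `.Example: Changing the ...` title and the opening `----`, which the existing `.Example: Sample ...` block does not have. Remove it so the title attaches to the listing. Finally, the text says to deactivate and recreate the account but does not say whether a certificate already ordered from the `staging` directory has to be ordered again afterwards. One sentence on that would complete the procedure.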