X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=certificate-managment.adoc;h=7970f61c396724e404295b199e275aa571adb2ed;hp=1eb2716408baaf7ccf4e6bbc932466877a7b97f5;hb=94958b8b9230d5b9b5e2e70c481f115b18a5fa0b;hpb=19b04e775fea4645a075fc4263272c3614795eda;ds=sidebyside diff --git a/certificate-managment.adoc b/certificate-managment.adoc index 1eb2716..7970f61 100644 --- a/certificate-managment.adoc +++ b/certificate-managment.adoc @@ -9,8 +9,9 @@ endif::wiki[] Certificates for communication within the cluster ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Each {PVE} cluster creates its own internal Certificate Authority (CA) and -generates a self-signed certificate for each node. These certificates are used +Each {PVE} cluster creates its own (self-signed) Certificate Authority (CA) and +generates a certificate for each node and signs it by the previously created CA. +These certificates are used for encrypted communication with the cluster's pveproxy service and the Shell/Console feature if SPICE is used. @@ -67,7 +68,7 @@ At the moment the GUI uses only the default ACME account. .Example: Sample `pvenode` invocation for using Let's Encrypt certificates ------------------ +---- root@proxmox:~# pvenode acme account register default mail@example.invalid Directory endpoints: 0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory) @@ -112,10 +113,10 @@ Downloading certificate Setting pveproxy certificate and key Restarting pveproxy Task OK ------------------ +---- Switching from the `staging` to the regular ACME directory -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Changing the ACME directory for an account is unsupported. If you want to switch an account from the `staging` ACME directory to the regular, trusted, one you 
@@ -125,8 +126,7 @@ This procedure is also needed to change the default ACME account used in the GUI .Example: Changing the `default` ACME account from the `staging` to the regular directory ------------------ - +---- root@proxmox:~# pvenode acme account info default Directory URL: https://acme-staging-v02.api.letsencrypt.org/directory Account URL: https://acme-staging-v02.api.letsencrypt.org/acme/acct/6332194 @@ -143,7 +143,7 @@ Status: valid root@proxmox:~# pvenode acme account deactivate default Renaming account file from '/etc/pve/priv/acme/default' to '/etc/pve/priv/acme/_deactivated_default_4' Task OK -root@proxmox:~# + root@proxmox:~# pvenode acme account register default example@proxmox.com Directory endpoints: 0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory) @@ -161,9 +161,7 @@ Generating ACME account key.. Registering ACME account.. Registration successful, account URL: 'https://acme-v02.api.letsencrypt.org/acme/acct/39335247' Task OK -root@proxmox:~# - ------------------ +---- Automatic renewal of ACME certificates ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
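Review bot: In the first hunk (@@ -9,8 +9,9 @@), the added sentence "generates a certificate for each node and signs it by the previously created CA" reads awkwardly, and the re-wrap leaves "These certificates are used" stranded as a short line. Suggest "and generates a certificate for each node, which is signed by that CA." and reflowing the paragraph to the usual width. The substance of the correction is worth keeping exactly as is: the old text called the node certificates self-signed, whereas only the cluster CA is self-signed, and that distinction decides which certificate a client has to trust.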
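Review bot: In the hunk at @@ -112,10 +113,10 @@, replacing the `+` underline of "Switching from the `staging` to the regular ACME directory" with `^` is a structural change, unlike the `----` delimiter edits around it. In AsciiDoc two-line titles this moves the section up one level, so it becomes a sibling of "Automatic renewal of ACME certificates", which is also underlined with `^`. If the promotion is intended, state it in the commit message or split it from the delimiter cleanup so the change in document structure is visible in the history.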
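Review bot: In the hunk at @@ -143,7 +143,7 @@, the sample command below the re-spaced prompt registers the account with `example@proxmox.com`, while the first example in this file uses `mail@example.invalid`. Since this block is being cleaned up anyway, consider using the reserved `.invalid` address in both examples, so the documentation is consistent and a copied command does not submit an address at a real domain to the ACME directory.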