From da30f82a27928d2771a1a08a186ef503e709ab07 Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Fri, 24 Jan 2020 09:52:26 +0100 Subject: [PATCH] certs: followup: move hint a bit higher and small improvement Signed-off-by: Thomas Lamprecht --- certificate-management.adoc | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/certificate-management.adoc b/certificate-management.adoc index ff1ca49..db76062 100644 --- a/certificate-management.adoc +++ b/certificate-management.adoc @@ -29,11 +29,15 @@ You have the following options for the certificate used by `pveproxy`: the cluster CA and therefore not trusted by browsers and operating systems by default. 2. use an externally provided certificate (e.g. signed by a commercial CA). -3. use ACME (e.g., Let's Encrypt) to get a trusted certificate with automatic renewal. +3. use ACME (e.g., Let's Encrypt) to get a trusted certificate with automatic +renewal, this is also integrated in the {pve} API and Webinterface. For options 2 and 3 the file `/etc/pve/local/pveproxy-ssl.pem` (and `/etc/pve/local/pveproxy-ssl.key`, which needs to be without password) is used. +NOTE: Keep in mind that `/etc/pve/local` is a node specific symlink to +`/etc/pve/nodes/NODENAME`. + Certificates are managed with the {PVE} Node management command (see the `pvenode(1)` manpage). @@ -41,8 +45,6 @@ WARNING: Do not replace or manually modify the automatically generated node certificate files in `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key` or the cluster CA files in `/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`. -Also keep in mind that `/etc/pve/local` is a symlink to -`/etc/pve/nodes/NODENAME`. Getting trusted certificates via ACME ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -170,4 +172,4 @@ Automatic renewal of ACME certificates If a node has been successfully configured with an ACME-provided certificate (either via pvenode or via the GUI), the certificate will be automatically renewed by the pve-daily-update.service. Currently, renewal will be attempted -if the certificate has expired or will expire in the next 30 days. +if the certificate has expired already, or will expire in the next 30 days. -- 2.39.2
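Review bot: In the first hunk (@@ -29), the rewritten item 3 is a comma splice and mixes macro casing: "renewal, this is also integrated in the {pve} API and Webinterface." The surrounding text in this file uses `{PVE}` ("managed with the {PVE} Node management command"), so the new line should use the same form and be split into two sentences, e.g. "renewal. This is also integrated into the {PVE} API and web interface." The added NOTE in the same hunk should read "node-specific symlink" (hyphenated compound modifier); it is otherwise a good move, since a reader editing `pveproxy-ssl.pem` needs to know the path resolves per node before the pvenode instructions, not after the WARNING about the CA files.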
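Review bot: In the last hunk (@@ -170), the comma in "if the certificate has expired already, or will expire in the next 30 days." separates two predicates of one subject and is not needed; "if the certificate has already expired or will expire in the next 30 days." reads more naturally and keeps the stated renewal condition unchanged.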