Allow non-self-signed override certificate for API
authorFabian Grünbichler <f.gruenbichler@proxmox.com>
Tue, 8 Mar 2016 14:55:33 +0000 (15:55 +0100)
committerDietmar Maurer <dietmar@proxmox.com>
Wed, 9 Mar 2016 13:37:55 +0000 (14:37 +0100)
if the files pveproxy-ssl.pem and pveproxy-ssl.key are
available for a node (i.e., in /etc/pve/<node>/), they will
be used as TLS certificate and private key for the web
interface and API of this node.

Note: the Spice and non-websocket VNC connections are still
using the self-signed certificate and key in pve-ssl.pem
and pve-ssl.key.

PVE/Service/pveproxy.pm

index a4080a0a519de80162566de77ab0945e12fc92c2..0bc2f5ae543ca77431823d8cfb6eaad3faf18975 100755 (executable)
@@ -131,6 +131,12 @@ sub init {
     } else {
        $self->{server_config}->{ssl}->{dh} = 'skip2048';
     }
+
+    if (-f '/etc/pve/local/pveproxy-ssl.pem' && -f '/etc/pve/local/pveproxy-ssl.key') {
+       $self->{server_config}->{ssl}->{cert_file} = '/etc/pve/local/pveproxy-ssl.pem';
+       $self->{server_config}->{ssl}->{key_file} = '/etc/pve/local/pveproxy-ssl.key';
+       syslog('info', 'Using \'/etc/pve/local/pveproxy-ssl.pem\' as certificate for the web interface.');
+    }
 }
 
 sub run {
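Review bot: The override added to `init` is gated only on `-f` for both files, so when exactly one of them is present (for example a mistyped key filename) the proxy silently keeps the self-signed pair and nothing in the log says why. Logging a warning for the incomplete case would make that misconfiguration visible to the administrator. The hunk also never checks that the key belongs to the certificate or that either file parses; what the TLS setup does with a mismatched pair is not visible here, so it is worth confirming that a bad override cannot leave the API without a listener. The two paths are repeated as literals three times and would be less error-prone hoisted into lexicals, as sketched below; `init` begins outside the hunk.

```perl
    # … unchanged: dh parameter selection …

    my $override_cert = '/etc/pve/local/pveproxy-ssl.pem';
    my $override_key = '/etc/pve/local/pveproxy-ssl.key';
    if (-f $override_cert && -f $override_key) {
        $self->{server_config}->{ssl}->{cert_file} = $override_cert;
        $self->{server_config}->{ssl}->{key_file} = $override_key;
        syslog('info', "Using '$override_cert' as certificate for the web interface.");
    } elsif (-e $override_cert || -e $override_key) {
        # Only one half of the pair exists: keep the default certificate, but say so.
        syslog('warning', "Ignoring incomplete certificate override: both '$override_cert' and '$override_key' are required.");
    }
```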