Secure Proxmox With A Proxmox SSL Certificate
When installing Proxmox you must make sure your hostname resolves to your server before the installation. As your networking should already be configured on your Dedicated Server it’s easy to configure and set up a Proxmox SSL Certificate. We’re going to use Certbot to download and install an SSL certificate then set up automatic renewals. To start, login as root to your Proxmox server.
Install Certbot using apt, issue the following command;
apt install certbot -y
If your server can’t see the certbot packages, then you need to set the backports. Add the below lines to your /etc/apt/sources.list file. Then, run apt update.
nano /etc/apt/sources.list #Proxmox VE6 deb http://ftp.debian.org/debian stretch-backports main #Proxmox VE7 deb http://ftp.debian.org/debian bullseye-backports main
Now that Certbot is installed, it’s time to request an SSL certificate. We use the certbot certonly command so, issue the command in your console.
In the console, you will now be asked a number of questions. The first option is how you want to validate your domain name. To do this your hostname should be resolving to your Proxmox servers IPv4. Use option 1 to spin up a webserver. Next, enter a valid email address and accept the terms. Decide if you want to share your email address.
Request Proxmox SSL Certificate
So now we need to request the certificate and the next option in the console should be asking for your domain name. This will be the configured hostname on your server. Enter the domain name or hostname and press enter. So now in the console, you should see that a certificate has been requested and downloaded to your server.
Install Proxmox Certificate
Now you have your certificate, let’s configure Proxmox to use it. Copy the certificate to your Proxmox install. The path to your certificate is displayed in the console. You must copy both the fullchain.pem and the privkey.pem files. Restart the pveproxy service once you have copied the certificates files.
cp /etc/letsencrypt/live/sat-uk-f2h-x81.first2host.co.uk/fullchain.pem /etc/pve/local/pveproxy-ssl.pem cp /etc/letsencrypt/live/sat-uk-f2h-x81.first2host.co.uk/privkey.pem /etc/pve/local/pveproxy-ssl.key systemctl restart pveproxy
You should now have a working certificate on your Proxmox server. Open a browser tab to double-check.
Configure Automatic SSL Renewals
To automate renewals we can use a cronjob to call the renewal script then run a post-hook to a custom ssh file that copies renewed certificates to Proxmox. First, create a directory to store your renewal script;
# Make a directory mkdir /F2H # Create a bash script nano /F2H/ssl-renewal.sh
Now just copy the commands you used to copy the certificates files to Proxmox and the restart command. Our file looks like this;
Save and close the file then chmod it to 755.
chmod 755 /F2H/ssl-renewal.sh
Finally, set up a cron job to run the renewal script.
# Edit crontab nano /etc/crontab # Setup Cron 30 6 1,15 * * root /usr/bin/certbot renew --quiet --post-hook /F2H/ssl-renewal.sh
The cron job will look something like this
That’s the process completed. You now have a working SSL certificate configured on your Proxmox server and renewals are taken care of every 30 days.
How was this article?
You might also like
More from Proxmox
How To Edit Cloud Images Before Creating A Template When creating templates for platforms like Proxmox you may need to edit …