ACME Certificates on PBS HTTPS
NOTE: The instructions on this page pertain to setting up ACME certificates for the proxmox-backup-proxy service which terminates TLS on tcp/8007. This does not alter certificates for node-to-node cluster trusts.
Background
In my environment, I have:
- STEP CA Intermediate Certificate Authority doing ACME for the lab.home.internal domain
  - The ACME provisioner is reachable at https://sub-ca.pki.home.internal/acme/acme@lab.home.internal/directory
- DHCP Dynamic DNS
  - Internal BIND server acting as SOA for the home.internal domain
  - pfSense DHCP Dynamic DNS client pushing registrations for specific subnets to BIND
- PBS is DHCP-enabled with a DHCP reservation in pfSense
  - pfSense DHCP service sends a Dynamic DNS update to BIND using the hostname and internal domain for this VLAN in the DHCP reservation: pbs.bak.home.internal
Firewall Rules
- PBS node(s) must be able to reach STEP CA on tcp/443 (ACME directory, account and order API)
- STEP CA must be able to reach PBS node(s) on tcp/80 (HTTP-01 challenge validation against the PBS standalone ACME listener)
Save Intermediate CA to PBS
The Intermediate CA certificate is signed by the long-lived Root CA key, and the bundle served at /roots.pem includes the Root CA and Intermediate CA public certificates. PBS needs this bundle in its system trust store because the proxmox-backup-manager ACME client must validate the TLS certificate of the ACME directory before it will talk to it. The -k flag below skips TLS verification for this one bootstrap download (the CA is not trusted yet at that point), so compare the fingerprint of the downloaded bundle against a value obtained out of band from the CA operator before running update-ca-certificates.
curl -fsSk https://sub-ca.pki.home.internal/roots.pem \
-o /usr/local/share/ca-certificates/internal-intermediate.crt \
--connect-timeout 3
update-ca-certificates
PBS ACME Client
proxmox-backup-manager acme account register default admin@lab.home.internal \
--directory https://sub-ca.pki.home.internal/acme/acme@lab.home.internal/directory
When prompted whether you wish to use External Account Binding (EAB), answer No unless the ACME provisioner has been configured to require EAB credentials for client authentication.
proxmox-backup-manager node update --acmedomain0 domain=pbs.bak.home.internal
This is the hostname that BIND serves for the node (registered through the DHCP reservation). STEP CA resolves it and validates the HTTP-01 challenge against it on tcp/80, so it must resolve to this PBS node and nothing else.
proxmox-backup-manager acme cert order
Important: Update Fingerprint
Warning! Backups will break if you do not follow this step: PVE pins the PBS certificate by its SHA-256 fingerprint, and the fingerprint changes every time the certificate is reissued, including on each ACME renewal.
proxmox-backup-manager cert info | grep Fingerprint
The output shows the fingerprint of the newly issued certificate.
- Log into Proxmox VE
- Datacenter > Storage > Edit PBS storage target
- Paste in the new fingerprint and click "OK"
- The PBS certificate is now trusted in PVE. The pin is only needed where PVE cannot validate the certificate through its own trust store; if the internal CA bundle is installed on the PVE host as well, the storage definition can validate the chain without a fingerprint and renewals no longer break backups.
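To make the fingerprint step repeatable and to catch the failure it warns about, here is an added shell example; it is not from the original page and not a Proxmox-provided tool. It parses the fingerprint out of `proxmox-backup-manager cert info` output (a constructed sample is embedded, relying only on a "Fingerprint" line carrying 32 colon-separated hex bytes), refuses an empty or truncated value, cross-checks it with openssl against what the proxy actually presents on tcp/8007, and pushes it into the PVE storage definition with `pvesm set --fingerprint`, the CLI counterpart of the GUI edit above. The PVE storage ID and root SSH from the PVE node to PBS are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): re-pin the PBS TLS fingerprint in
# PVE from the command line, with a check that the value in `cert info` is what
# the proxy on tcp/8007 actually serves. Assumptions are marked "ASSUMED".
set -eu

# Constructed sample of `proxmox-backup-manager cert info` output. The only
# thing relied on is a line containing "Fingerprint" followed by 32
# colon-separated hex bytes (the line `grep Fingerprint` selects on the page).
SAMPLE_CERT_INFO='Certificate information:
  Subject: CN=pbs.bak.home.internal
  Issuer: CN=Home Internal Intermediate CA
  Fingerprint (sha256): 9f:86:d0:81:88:4c:7d:65:9a:2f:ea:a0:c5:5a:d0:15:a3:bf:4f:1b:2b:0b:82:2c:d1:5d:6c:15:b0:f0:0a:08'

# Print the first well-formed SHA-256 fingerprint found on a "Fingerprint" line,
# lowercased. Prints nothing and returns non-zero if there is none, so a caller
# can never pin an empty or truncated value.
extract_fingerprint() {
  printf '%s\n' "$1" \
    | grep -i 'fingerprint' \
    | grep -oiE '([0-9a-f]{2}:){31}[0-9a-f]{2}' \
    | head -n 1 \
    | tr 'A-F' 'a-f' \
    | grep .
}

# Case-insensitive comparison of two fingerprints (PBS prints lowercase,
# openssl prints uppercase).
fingerprints_match() {
  [ "$(printf '%s' "$1" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Fingerprint of the certificate PBS is serving right now on tcp/8007.
# Needs network access to the PBS node; not exercised offline.
live_fingerprint() {
  openssl s_client -connect "$1:8007" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 \
    | sed 's/^.*=//' \
    | tr 'A-F' 'a-f'
}

# Run on the PVE node: fetch cert info from PBS, cross-check it against the live
# listener, then update the storage definition. `pvesm set --fingerprint` is the
# CLI equivalent of Datacenter > Storage > Edit > Fingerprint.
repin() {
  pbs_host="$1"   # e.g. pbs.bak.home.internal
  storage="$2"    # ASSUMED: the PVE storage ID of the PBS target
  # ASSUMED: root SSH from the PVE node to the PBS node is available.
  fp="$(extract_fingerprint "$(ssh "root@$pbs_host" proxmox-backup-manager cert info)")"
  if ! fingerprints_match "$fp" "$(live_fingerprint "$pbs_host")"; then
    echo "cert info and live TLS fingerprint differ; refusing to pin" >&2
    return 1
  fi
  pvesm set "$storage" --fingerprint "$fp"
}

# Only act when invoked as: ./repin.sh repin <pbs-host> <storage-id>
case "${1:-}" in
  repin) repin "$2" "$3" ;;
esac
```

The refusal to pin when `cert info` and the live listener disagree is deliberate: pinning a fingerprint the proxy is not yet presenting (for example before it has reloaded the new certificate) leaves PVE with exactly the broken-backups condition this section warns about.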
Save Intermediate CA on PBS Client
Important!
Install the CA certificate bundle fetched above (Root and Intermediate CA) on every API client, web browser or host that will connect to https://pbs.bak.home.internal:8007 (for example). Without it, those clients cannot build a chain to a trusted root and will reject, or warn about, the ACME-issued certificate.