ACME Certificates on PVE HTTPS
NOTE: The instructions on this page pertain to setting up ACME certificates for the PVEProxy service which terminates TLS on tcp/8006. This does not alter certificates for node-to-node cluster trusts.
Background
In my environment, I have:
- STEP CA intermediate certificate authority acting as the ACME provisioner for the lab.home.internal domain
  - The ACME provisioner is reachable at https://sub-ca.pki.home.internal/acme/acme@lab.home.internal/directory
- DHCP Dynamic DNS
  - Internal BIND server acting as SOA for the home.internal domain
  - pfSense DHCP Dynamic DNS client pushing registrations for specific subnets to BIND
- Four-node PVE cluster (at the time of this writing)
  - PVE nodes are statically configured with IP addresses, so the DHCP DDNS client never registers them
  - So, a cronjob on the BIND server registers their addresses with the DDNS key
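The cronjob mentioned above, written out as an added example (this is not the page's own script). It assumes a node inventory, a TSIG key file path and a schedule that are placeholders, and that lab.home.internal is not delegated, so the records are added to the home.internal zone that BIND is SOA for.

```sh
#!/bin/sh
# Added example, not the page's own script: a cronjob on the BIND server that
# registers the statically addressed PVE nodes through the same DDNS key that
# pfSense uses. Node names, addresses, key path and the 15-minute schedule are
# assumed placeholders.
set -eu

ZONE="home.internal"             # zone BIND is SOA for (from the page)
NODE_DOMAIN="lab.home.internal"  # where the ACME names live (assumed: not delegated)
DNS_SERVER="127.0.0.1"           # we run on the BIND server itself
TSIG_KEY="/etc/bind/ddns.key"    # assumed path of the shared DDNS (TSIG) key file
TTL=300

# Constructed inventory: "shortname address" per line, one per cluster node.
NODES="pve1 10.10.20.11
pve2 10.10.20.12
pve3 10.10.20.13
pve4 10.10.20.14"

# Emit one nsupdate batch covering all nodes. Each A record is deleted and
# re-added inside the same transaction, so repeated cron runs are idempotent
# and a node whose address changed is corrected rather than duplicated.
build_nsupdate_batch() {
  printf 'server %s\nzone %s.\n' "$DNS_SERVER" "$ZONE"
  printf '%s\n' "$NODES" | while read -r name addr; do
    [ -n "$name" ] || continue
    printf 'update delete %s.%s. A\n' "$name" "$NODE_DOMAIN"
    printf 'update add %s.%s. %s A %s\n' "$name" "$NODE_DOMAIN" "$TTL" "$addr"
  done
  printf 'send\n'
}

# Sign the batch with the TSIG key and submit it; nsupdate exits non-zero if
# BIND rejects the update (wrong key, update-policy, or zone not found).
register_nodes() {
  build_nsupdate_batch | nsupdate -k "$TSIG_KEY"
}

# Assumed crontab line on the BIND server:
#   */15 * * * * root /usr/local/sbin/pve-ddns.sh register
if [ "${1:-}" = "register" ]; then
  register_nodes
fi
```

Run with `register` from cron; running `build_nsupdate_batch` on its own prints the batch so the update can be inspected before any key is used. Because the TSIG key is the only thing authorising these updates, keep the key file readable by root only and restrict it in BIND's update-policy to the names it needs.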
Firewall Rules
- PVE nodes must be able to reach STEP CA on tcp/443 (the ACME directory and API)
- STEP CA must be able to reach PVE nodes on tcp/80 (the HTTP-01 challenge; pvenode starts a temporary standalone listener on that port while an order is in progress)
Save Intermediate CA
The intermediate CA certificate is signed by the long-lived root CA key, and the bundle served at /roots.pem includes both the root and intermediate public certificates. Installing it on each PVE node lets the node validate the ACME directory over HTTPS in the next step. The -k is needed only because the node does not trust the CA yet on this first fetch; verify the downloaded bundle against a fingerprint obtained out of band from the CA host before running update-ca-certificates.
# fetch the CA bundle (first, untrusted fetch: -k skips TLS verification)
curl -fsSk https://sub-ca.pki.home.internal/roots.pem \
-o /usr/local/share/ca-certificates/internal-intermediate.crt \
--connect-timeout 3
# rebuild the system trust store so curl and pvenode trust the CA
update-ca-certificates
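Since `curl -k` accepts whatever certificate the host at that name presents, the fetch above is where a spoofed CA would get into the trust store. The following is an added example (not the page's own commands) that does the same fetch but refuses to install the bundle unless its SHA-256 matches a value copied out of band from the CA host; the URL and destination are the page's, the expected hash is a placeholder.

```sh
#!/bin/sh
# Added example, not the page's own commands: fetch roots.pem as the page does,
# but install it only if its SHA-256 matches a value copied out of band from the
# CA host. This closes the gap left by `curl -k`, which accepts any certificate
# on that first, untrusted fetch. EXPECTED_SHA256 is a placeholder to replace.
set -eu

CA_URL="https://sub-ca.pki.home.internal/roots.pem"
DEST="/usr/local/share/ca-certificates/internal-intermediate.crt"
# Obtain on the CA host with `sha256sum roots.pem` and paste here (placeholder).
EXPECTED_SHA256="${EXPECTED_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"

# Number of PEM certificates in a bundle (prints 0 for an empty file or an HTML
# error page returned in place of the bundle).
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# SHA-256 of the whole bundle file, portable across GNU and BSD userlands.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# 0 = bundle matches the pin; 1 = hash mismatch; 2 = no certificate in the file.
verify_bundle() {
  [ "$(count_certs "$1")" -ge 1 ] || return 2
  [ "$(file_sha256 "$1")" = "$2" ] || return 1
}

install_bundle() {
  tmp=$(mktemp)
  curl -fsSk --connect-timeout 3 "$CA_URL" -o "$tmp"
  if ! verify_bundle "$tmp" "$EXPECTED_SHA256"; then
    echo "refusing to trust $CA_URL: bundle does not match the pinned hash" >&2
    rm -f "$tmp"
    exit 1
  fi
  install -m 0644 "$tmp" "$DEST"
  rm -f "$tmp"
  update-ca-certificates
}

if [ "${1:-}" = "install" ]; then
  install_bundle
fi
```

The pin is on the whole PEM file rather than on one certificate's fingerprint, so it stays valid as long as the CA serves the same bundle and must be updated whenever the root or intermediate is rotated; that is the intended behaviour, since a changed bundle is exactly the event an operator should look at before trusting it on every node.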
PVE ACME Client
pvenode acme account register default admin@lab.home.internal \
--directory https://sub-ca.pki.home.internal/acme/acme@lab.home.internal/directory
You only need to run the pvenode acme account register command on one PVE node if you're going to use the same ACME provisioner for the others: the account is stored in the cluster-wide /etc/pve filesystem and is visible to every node. The two commands that follow act on the local node only, so repeat them on each node with that node's own FQDN.
pvenode config set --acme domains=proxmox.lab.home.internal
The domain must be this node's FQDN as registered in BIND, because STEP CA resolves that name and connects to it on tcp/80 to validate the HTTP-01 challenge; an unresolvable or wrongly resolving name fails the order.
pvenode acme cert order
On success the issued certificate is installed for pveproxy, which is restarted so the new certificate is served on tcp/8006 immediately.
Save Intermediate CA on PVE Client
Important!
Install the intermediate CA certificate (the same roots.pem bundle fetched above) in the trust store of any API clients / web browsers / hosts that will be navigating to https://proxmox.lab.home.internal:8006 (for example). Without it, the ACME-issued certificate chains to an issuer the client does not know and TLS verification fails, exactly as it did with the self-signed default.