@Scifire
Last active June 3, 2018 08:39
Create and renew a TLS certificate from Let’s Encrypt via DNS challenge with dehydrated and use it for Proxmox cluster
#!/usr/bin/env bash
# Script uses dehydrated to get Let's Encrypt TLS certs via DNS challenge.
# The certs are copied into the Proxmox node directories and the pveproxy service is restarted to enable them.
set -e
set -u
# Name the nodes the same as in /etc/hosts
node1=host001
node2=host002
node3=host003
# Hostname the cert is issued for.
url=cluster.acme.com
# Renew the certs via dehydrated
/usr/local/bin/dehydrated -c >/dev/null
# Check whether the certificate has changed
if ! diff -q "/etc/dehydrated/certs/$url/fullchain.pem" "/etc/pve/nodes/$node1/pveproxy-ssl.pem"; then
    # Copy the new key and certs into the Proxmox dir and restart pveproxy on all nodes
    cp "/etc/dehydrated/certs/$url/privkey.pem" "/etc/pve/nodes/$node1/pveproxy-ssl.key"
    cp "/etc/dehydrated/certs/$url/privkey.pem" "/etc/pve/nodes/$node2/pveproxy-ssl.key"
    cp "/etc/dehydrated/certs/$url/privkey.pem" "/etc/pve/nodes/$node3/pveproxy-ssl.key"
    cp "/etc/dehydrated/certs/$url/fullchain.pem" "/etc/pve/nodes/$node1/pveproxy-ssl.pem"
    cp "/etc/dehydrated/certs/$url/fullchain.pem" "/etc/pve/nodes/$node2/pveproxy-ssl.pem"
    cp "/etc/dehydrated/certs/$url/fullchain.pem" "/etc/pve/nodes/$node3/pveproxy-ssl.pem"
    ssh "root@$node1" 'systemctl restart pveproxy' &
    ssh "root@$node2" 'systemctl restart pveproxy' &
    ssh "root@$node3" 'systemctl restart pveproxy'
    wait
fi
Scifire commented Jan 12, 2018

dehydrated is needed
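
A pre-deployment check the script above could run before its cp lines, as an added example that is not part of the original gist: it confirms that fullchain.pem and privkey.pem belong together and that the certificate is not about to expire, so a broken renewal is not pushed to every node. The function names and the 7-day default are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the gist): gate the cp/restart step on two checks.
# Function names and the 7-day default are assumptions.

MIN_VALID_SECONDS=${MIN_VALID_SECONDS:-604800}   # 7 days

# Succeeds only if the private key ($2) belongs to the first certificate in $1.
# dehydrated's fullchain.pem lists the leaf certificate first, which is the
# one openssl x509 reads.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    # Both commands emit the public key as a PEM SubjectPublicKeyInfo block,
    # so a string comparison is enough. An empty result never counts as a match.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate in $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Combined gate: returns 0 when the pair is safe to copy to the nodes.
safe_to_deploy() {
    if ! cert_matches_key "$1" "$2"; then
        echo "refusing to deploy: $2 does not match $1" >&2
        return 1
    fi
    if ! cert_valid_for "$1" "$MIN_VALID_SECONDS"; then
        echo "refusing to deploy: $1 expires within $MIN_VALID_SECONDS seconds" >&2
        return 1
    fi
    return 0
}

# Usage in the script above, before the cp lines:
#   safe_to_deploy "/etc/dehydrated/certs/$url/fullchain.pem" \
#                  "/etc/dehydrated/certs/$url/privkey.pem" || exit 1
```

Because the script runs with `set -e`, a failed check stops the run before any node's pveproxy-ssl.key or pveproxy-ssl.pem is overwritten.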