Skip to content

Instantly share code, notes, and snippets.

@tavinus

tavinus/acme-proxmox-dynu.md

Last active March 29, 2024 17:15
Show Gist options
  • Star 11 You must be signed in to star a gist
  • Fork 2 You must be signed in to fork a gist
  • Save tavinus/15ea64c50ac5fb7cea918e7786c94a95 to your computer and use it in GitHub Desktop.
Save tavinus/15ea64c50ac5fb7cea918e7786c94a95 to your computer and use it in GitHub Desktop.
Download ZIP
Using acme.sh on the proxmox host (with Dynu DNS)
Raw
acme-proxmox-dynu.md

Proxmox + acme.sh

Using acme.sh on the proxmox host to generate Letsencrypt certificates

With this we show how to use acme.sh instead of the original Letsencrypt interface.

Acme.sh is just a Bash script that can run on pretty much any *nix environment.
It is quite simple but also quite powerfull.

In this guide I will use the cheap and good Dynu service to configure a domain.
Using the DNS allows you to completely bypass the need to point the port 80 of the domain to the machine.

As a matter of fact, there is absolutely ZERO NETWORK configuration needed to generate the certificate.
All you need is curl/wget and outbound internet connection.

The magic happens at the DNS side and you receive the certificate ready to use.

There are many other DNS providers supported (Goddady, etc).

This may also solve the Armageddon Warnings the Browsers show for self-signed certificates.
Just need to make sure the certificate domain name points to the correct IP on the local network (could add to router DNS).

DNS Requirements

If you want to use your DNS provider, you will need it to have your domain registered with them, obviouosly.
You may also need to add the subdomain to their DNS records. On Dynu I just add it as a Dynamic DNS entry.

Your DNs provider should also be supported by acme.sh, or you will need to create a DNS file for your system's API.
There are a lot of supported providers though, should not happen easily.

Run Requirements

ssh into proxmox host (change IP address)

ssh root@192.168.1.210

We will use git, install it

apt-get update
apt-get install git

Install acme.sh

lets create a work folder

cd /root
mkdir workfolder
cd workfolder

download acme.sh with git

git clone 'https://github.com/Neilpang/acme.sh.git'
cd acme.sh

Install with account (change email address)

./acme.sh --install --accountemail "myemail@mymail.com"

If all went fine it was installed to /root/.acme.sh and it has also set a crontab job.
List crontab to check

# crontab -l
24 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

At this point acme.sh is fully operational and can be used in any mode of operation.

Dynu config

Go to the acme.sh installation folder

cd /root/.acme.sh

Edit the account.conf file and add your Dynu credentials

nano account.conf
# vi account.conf    # use vi if your prefer

You need to have an API subscription with Dynu and then generate a ClentId / Secret.
The account.conf will look something like this:

ACCOUNT_EMAIL='myemail@mymail.com'
Dynu_ClientId='82637c92-9de7-92fb-2314-2fd378645092'
Dynu_Secret='dfkj328GBs1DSf09ma0sdf9GSD023ds'

If all info is correct, you can then use the Dynu API with acme.sh to generate the certificates.

Generate certificate through Dynu

We will use the default acme.sh folder to generate and then a second call to install the certs.

  • This will have a 120s wait for the DNS to change and apply
  • One of the good benefits of Dynu is that they hav 90s/120s TTL

To issue a certificate through Dynu you can use

./acme.sh --debug --issue --dns dns_dynu -d my.sub.domain.net

If you want to test using the stage server first, just add --test

./acme.sh --debug --issue --dns dns_dynu -d my.sub.domain.net --test

But then you will need to use --force to ovewrite the test cert

./acme.sh --debug --issue --dns dns_dynu -d my.sub.domain.net --force

Install generated certificates

If all went fine and you have valid certificates, you can install them on the PVE interface.
Please change the subdomain

./acme.sh --debug --installcert -d my.sub.domain.net \
--keypath /etc/pve/local/pveproxy-ssl.key \
--fullchainpath /etc/pve/local/pveproxy-ssl.pem \
--reloadcmd "systemctl restart pveproxy"

In Single-line

./acme.sh --debug --installcert -d my.sub.domain.net --keypath /etc/pve/local/pveproxy-ssl.key --fullchainpath /etc/pve/local/pveproxy-ssl.pem --reloadcmd "systemctl restart pveproxy"

Local DNS config

You may need to tell your router/gateway to point the domain the to LOCAL IP instead of the internet IP so you can use the domain to access proxmox locally.

Or else you can edit you /etc/hosts or C:\Windows\system32\etc\hosts file for a local config.

A host config would look like: IP <space> domain

10.0.1.210 pve-node2.mydomain.net
@yuriw
Copy link

yuriw commented Aug 26, 2020

This is great.
If you use proxmox WebGUI to add ACME DNS Plugin challenge. What and in what format would you use in the API Data field (see pic)?

image

@adcurtin
Copy link

adcurtin commented Sep 8, 2020
edited

in the api data field, you just put the env vars you need for your api. for dynu:

Dynu_ClientId="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
Dynu_Secret="yyyyyyyyyyyyyyyyyyyyyyyyy"

it will be base64 encoded in
/etc/pve/priv/acme/plugins.cfg :

dns: test-fake
	api dynu
	data RHludV9DbGllbnRJZD0ieHh4eHh4eHgteHh4eC14eHh4LXh4eHgteHh4eHh4eHh4eHh4IgpEeW51X1NlY3JldD0ieXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eSI=

@tavinus
Copy link
Author

tavinus commented Sep 9, 2020

Never used the WebGUI for this. Seems simple enough with @adcurtin 's answer.

@yuriw
Copy link

yuriw commented Sep 9, 2020

Exact format should be without quotes -

Dynu_ClientId=1234567890abc
Dynu_Secret= 1234567890abc
Dynu_Token= 1234567890abc
Dynu_EndPoint=https://api.dynu.com/v2

@tavinus
Copy link
Author

tavinus commented Dec 2, 2020

Today I used the web interface for the first time to do this.

Here is how I did it:

0. Install Acme account (optional?)

Datacenter > ACME > Accounts > Add
Choose a name and an e-mail.
image

1. Install your ACME DNS Plugin

Datacenter > ACME > Challenge Plugins > Add

  • Plugin ID: dynu
  • DNS API: dynu
  • API Data: (remove quotes)
Dynu_ClientId=82637c92-9de7-92fb-2314-2fd378645092
Dynu_Secret=dfkj328GBs1DSf09ma0sdf9GSD023ds

image

You can adjust to your liking or another DNS provider.

2. Add entries to Dynu

  • Add alias or subdomain pointing to you desired subdomain (pve-mynode.mydomain.tld)
    image

  • Add CAA DNS Record
    This authorizes letsencrypt to create certificates do this subdomain
    image

3. Create certificate

YourNode > System > Certificates > ACME > Add

  • Challenge Type: DNS
  • Plugin: dynu
  • Domain: pve-mynode.mydomain.tld (same as node hostname)

image

After creating it, select it and click Order Certificates Now to generate and install the certificates.

Everything went smoothly and proxmox installed and reloaded the main interface with the certificates installed.

Now just need to point the domain to the IP internally (or edit your local hosts file).

@eloekset
Copy link

With Namecheap DNS provider the default validation delay of 30s was not enough. I extended it to 60 and then the TXT record was validated successfully.

@tavinus
Copy link
Author

tavinus commented May 23, 2023

Not sure it should take that long, but glad you figured it out.
Did you use the original CLI method or the Proxmox interface?

@eloekset
Copy link

Did you use the original CLI method or the Proxmox interface?

I used the GUI that is shown in the comment above. Validation Delay is the value to override.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment