HTTPS Certificate Configuration - Revision history

Tlamprecht: /* Using Certificates from Proxmox VE */

2021-02-11T10:08:19Z

Using Certificates from Proxmox VE

← Older revision		Revision as of 10:08, 11 February 2021
Line 75:		Line 75:
	== Using Certificates from Proxmox VE ==		== Using Certificates from Proxmox VE ==

	If you have installed Proxmox Backup Server in ~~parallel~~ a ~~system~~ ~~which~~ ~~also~~ ~~runs Proxmox VE~~, you can ~~use~~ the certificates ~~you created~~ ~~with~~ Proxmox VE's ACME integration also for the Proxmox Backup Server proxy.		If you have installed Proxmox Backup Server and Proxmox VE on the same host, you can reuse the certificates provided by Proxmox VE's ACME/Let's Encrypt integration also for the Proxmox Backup Server proxy.

	You only need to schedule the copying of the certificate and key after each renewal (e.g. by creating an appropriate cronjob or systemd-timer)		You only need to schedule the copying of the certificate and key after each renewal (e.g. by creating an appropriate cronjob or systemd-timer)
Line 85:		Line 85:
	chmod 640 /etc/proxmox-backup/proxy.key /etc/proxmox-backup/proxy.pem		chmod 640 /etc/proxmox-backup/proxy.key /etc/proxmox-backup/proxy.pem
	chgrp backup /etc/proxmox-backup/proxy.key /etc/proxmox-backup/proxy.pem		chgrp backup /etc/proxmox-backup/proxy.key /etc/proxmox-backup/proxy.pem
	systemctl ~~restart~~ proxmox-backup-proxy.service		systemctl reload proxmox-backup-proxy.service

	[[Category:HOW-TO]]		[[Category:HOW-TO]]

S.ivanov: add section about parallel installations

2021-02-11T10:03:41Z

add section about parallel installations

← Older revision		Revision as of 10:03, 11 February 2021
Line 71:		Line 71:

	20 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --renew-hook "chown root:backup /etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.key; chmod 640 /etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.key ; systemctl reload proxmox-backup-proxy" > /dev/null		20 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --renew-hook "chown root:backup /etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.key; chmod 640 /etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.key ; systemctl reload proxmox-backup-proxy" > /dev/null


			== Using Certificates from Proxmox VE ==

			If you have installed Proxmox Backup Server in parallel a system which also runs Proxmox VE, you can use the certificates you created with Proxmox VE's ACME integration also for the Proxmox Backup Server proxy.

			You only need to schedule the copying of the certificate and key after each renewal (e.g. by creating an appropriate cronjob or systemd-timer)

			The necessary commands for copying are:
			NODE=$(hostname)
			cp /etc/pve/nodes/${NODE}/pveproxy-ssl.pem /etc/proxmox-backup/proxy.pem
			cp /etc/pve/nodes/${NODE}/pveproxy-ssl.key /etc/proxmox-backup/proxy.key
			chmod 640 /etc/proxmox-backup/proxy.key /etc/proxmox-backup/proxy.pem
			chgrp backup /etc/proxmox-backup/proxy.key /etc/proxmox-backup/proxy.pem
			systemctl restart proxmox-backup-proxy.service

	[[Category:HOW-TO]]		[[Category:HOW-TO]]

Tlamprecht: import from staging

2021-02-01T16:51:41Z

import from staging

New page

== Introduction ==

This is a how-to for changing the web server certificate used by Proxmox Backup Server, in order to enable the usage of publicly trusted certificates issued by a CA of your choice (like Let's Encrypt or a commercial CA).

== Important Note ==

Creating a new certificate requires changes the fingerprint a client will see when connecting to the server.
You need to update it for all clients, else they will refuse connecting to the server!

With a trusted certificate clients do not require a fingerprint to verify the server, if your certificate is trusted you should drop the fingerprint from all client configurations to avoid updating it.

== Certificate and Key File ==

The certificate and key, which are used for the TLS encryption by <code>proxmox-backup-proxy</code> are:
* <code>/etc/proxmox-backup/proxy.pem</code> (certificate)
: The pem file contains the certificate, potentially including one or more intermediate certificates
* <code>/etc/proxmox-backup/proxy.key</code> (key)
: The key file contains the private key used for the certificate.

=== File Owner and Permissions ===

Both files need to be owned by the <code>root</code> user and the <code>backup</code> group and should not be readable by others (mode <code>o640</code>):

chown root:backup /etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.key
chmod 640 /etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.key

=== Activating Certificate Change ===

Once the certificate and key files are changed you need to reload (avoid restart, they interrupt running (backup) jobs) the proxy daemon:
systemctl reload proxmox-backup-proxy

== Revert to Default Configuration ==

You can always recreate a fresh self-signed certificate and start fresh by running:
proxmox-backup-manager cert update --force
systemctl reload proxmox-backup-proxy

'''WARNING''': Creating a new certificate requires you to update the fingerprint for all clients, else they will refuse connecting to the server!

== Let's Encrypt using acme.sh ==

Until Proxmox Backup Server handles issuing certificates from Let's Encrypt itself you can configure getting and refreshing certificates with external tools.

This how-to shows how to get a publicly trusted certificate from Let's Encrypt using [https://github.com/acmesh-official/acme.sh acme.sh]

The how-to only provides minimal instructions - read up on other options, which might be more fitting in your environment, for example, using the DNS challenge.

=== Download and Installation ===

You can obtain acme.sh directly from GitHub and install it to <code>root</code> account:

git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh && ./acme.sh --install --accountemail <your-email>

=== Issuing and Configuration ===

To write the files to the appropriate location, with fitting owner and mode for <code>domain.example</code>

acme.sh --issue -d domain.example --standalone \
--cert-file /etc/proxmox-backup/proxy.pem \
--key-file /etc/proxmox-backup/proxy.key \
--fullchain-file /etc/proxmox-backup/proxy.pem \
--reloadcmd "chown root:backup /etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.key; chmod 640 /etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.key ; systemctl reload proxmox-backup-proxy"

'''TIP''': With a trusted certificate clients do not require a fingerprint to verify the server. You can drop the fingerprint from all client configurations to avoid the need to update it every two-three months, after a new Let's Encrypt certificate is required.

=== Automatic Renewal ===

In order to automatically refresh the certificates and to reload the proxy service you also need to append the reload command as <code>renew-hook</code> in the generated cronjob (by running <code>crontab -e</code>)
and editing so that the line looks like:

20 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --renew-hook "chown root:backup /etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.key; chmod 640 /etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.key ; systemctl reload proxmox-backup-proxy" > /dev/null

[[Category:HOW-TO]]