LinuxOperating SystemWindows

How to Set Up Proxmox with an SSL Certificate

October 11, 20240 Comments by Coporton WorkStation

Proxmox Virtual Environment (Proxmox VE) serves as an open-source server virtualisation platform utilising QEMU/KVM alongside LXC containers. This tool enables efficient management of virtual machines and containers.

Proxmox, by default, employs self-signed SSL certificates for the encryption of the web interface. Self-signed certificates lack valid identity assurance and are marked as insecure by web browsers. To ensure secure access to the Proxmox web interface from remote clients and to prevent browser warnings, it is necessary to install a valid SSL certificate issued by a trusted Certificate Authority (CA) on Proxmox.

This guide details the steps required to obtain and install an SSL certificate on Proxmox. We will cover the entire process to ensure a successful implementation.

System Requirements

Prior to initiating the SSL installation process, ensure that:

  • Administrative access to the Proxmox VE host has been granted.
  • The Proxmox web interface can be accessed securely via HTTPS on port 8006.
  • A valid domain name has been registered for the Proxmox host, and you have full control over its DNS records.
  • The firewall is configured to permit HTTPS traffic on port 8006.
A detailed step-by-step guide on how to add an SSL certificate to Proxmox

To put an SSL certificate on Proxmox, follow these steps. The steps in this guide explain in detail how to encrypt Proxmox web traffic safely.

  • Find out what kind of SSL certificate you need and make a CSR.
  • Get an SSL certificate and buy one.
  • Change HTTP to HTTPS and install the SSL certificate. Check the installation.
Step 1: Determine Type of SSL Certificate Required

Proxmox supports standard single domain SSL certificates as well as wildcard certificates. Wildcard certificates are more expensive but can secure unlimited subdomains on your domain.

Some factors to consider when choosing the certificate type:

  • Number of Subdomains: If you only need to secure the main proxmox domain name (e.g. proxmox.yourdomain.com), a single domain certificate is sufficient. For securing unlimited subdomains, use a wildcard certificate.
  • Number of Nodes: If you have a multi-node Proxmox cluster, you need either multiple single domain certificates or a single wildcard certificate valid for the main domain.
  • Validity Period: Subscription-based certificates minimize the administrative overhead of renewals by auto-renewing each year. But you pay a higher yearly cost. Perpetual certificates have a longer validity (2-3 years) but need manual renewal.
  • Budget: Wildcard certificates cost more than single domain certificates. But you can get SSL certificates for very affordable prices from SSL resellers.

Once you decide on the SSL certificate type, proceed to the next step.

Step 2: Generate a CSR

In order to acquire an SSL certificate for Proxmox, it is necessary to generate a Certificate Signing Request (CSR). The CSR includes essential information regarding the Proxmox server and your organization.

To generate a CSR on your Proxmox VE host, follow these steps:

  • Open an SSH session or utilize the web-based terminal to access the Proxmox shell.
  • Change to the root user:
su -
  • Navigate to the directory where the CSR will be generated:
cd /etc/pve/<nodes_name>/
  • Produce a 2048-bit private key:
openssl genrsa -out proxmox.key 2048
  • The subsequent step is to generate the CSR by executing the following command:
openssl req -new -key proxmox.key -out proxmox.csr
  • You will request details such as the organization’s name, domain name, and location. Furnish precise data.
  • Finally, confirm the contents of the CSR:
openssl req -text -noout -in proxmox.csr
  • Submit the CSR to the SSL provider by copying it.

Note: The CSR generation process will vary marginally depending on whether you use the SSL provider’s CSR generator or an external tool. However, the input of necessary information remains consistent.

Step 3: Purchase and Receive SSL Certificate

Once you have the CSR ready, it’s time to purchase the SSL certificate. Here are the steps:

  • Determine your preferred Certification Authority (CA). We recommend Comodo, DigiCert, Sectigo, and GeoTrust.
  • You can purchase the certificate type you decided on, single domain or wildcard. The CSR is required during the purchase process.
  • If the CA requires validation of domain ownership, follow their instructions to verify control over your domain.

After purchase, you will receive an email with the SSL certificate files after some time. The delay depends on whether domain validation is required for the certificate type purchased.

Step 4: Install the SSL Certificate

Once you receive the SSL certificate from the CA, it needs to be installed on the Proxmox host. Follow these steps:

  • Extract and copy the following SSL certificate files to the Proxmox node:
  • Full Chain file (named like fullchain.pem or bundle.crt): Contains the end-entity (your domain) certificate + intermediate certificates in PEM format.
  • Private Key file (yourdomain.key): The private key is created while generating the CSR.
  • Transfer the full chain file and private key to the Proxmox node:
elixir
scp fullchain.pem root@proxmox_IP:/etc/pve/nodes/node_name/pveproxy-ssl.pem
scp yourdomain.key root@proxmox_IP:/etc/pve/nodes/node_name/pveproxy-ssl.key
  • SSH into the Proxmox node and set proper permissions on the keys:
chmod 600 /etc/pve/nodes/node_name/pveproxy-ssl.key
  • Edit the main Proxmox configuration file /etc/pve/local/pveproxy-ssl.cfg and add the following lines:
ssl-cert=/etc/pve/nodes/node_name/pveproxy-ssl.pem
ssl-key=/etc/pve/nodes/node_name/pveproxy-ssl.key
  • Finally, restart the Proxmox proxy service:
systemctl restart pveproxy

That’s it! The SSL certificate is now active on your Proxmox virtualization platform.

Step 5: Redirect HTTP to HTTPS

Since Proxmox allows access to the web interface via plain HTTP on port 8006, it is recommended to redirect all HTTP traffic to HTTPS to ensure encryption.

To redirect HTTP to HTTPS in Proxmox:

Edit /etc/pve/nodes/node_name/pveproxy.cfg

Under the listen section, modify it to look like:

listen:
 : 127.0.0.1:8006
 : IP:8006
    ssl: 'on'
    proto: https
  • Save changes and restart pveproxy:
systemctl restart pveproxy

Now, when you try accessing Proxmox on HTTP, it will automatically redirect to the HTTPS address.

Step 6: Verify Installation

Once the SSL certificate is installed, verify that it is working correctly:

  • Open the Proxmox web UI in a web browser at https://your-proxmox-domain:8006
  • Check for any browser warnings or errors. The website should load over HTTPS without any issues.
  • Click the lock icon in the address bar and inspect the certificate details. Verify your domain name, issued to, and expiry date values.
  • Use the OpenSSL s_client command to connect to check certificate details:
openssl s_client -connect your-proxmox-domain:8006
  • Use online SSL test tools to analyze the TLS encryption strength and confirm the chain of trust.

If any issues arise, recheck the certificate file paths, permissions, and pveproxy configuration.

Renewing the SSL Certificate

The SSL certificate will expire after the validity period, requiring renewal.

The CA automatically renews subscription certificates, but you may need to re-install the renewed certificate files.

For perpetual certificates, you need to renew the certificate before expiry manually:

  • Generate and submit a fresh CSR following steps 1-4.
  • Download and install the renewed certificate issued by CA.
  • Restart the Proxmox proxy to load the new certificate.

Set calendar reminders before expiration to ensure renewal is smooth and timely.

1183 Views
AboutCoporton WorkStation
We specialize in simplifying technology through our Linux System Administrator, Cyber Security, Web Development, and Virtual Assistance expertise. Our passion lies not only in delivering professional solutions but also in sharing our knowledge with others. Through insightful topics, tutorials, tips, and tricks, we aim to illuminate complex technical concepts and provide practical, easy-to-apply solutions. Whether you're a tech enthusiast interested in technology or a business seeking to optimize its operations, Coporton WorkStation is your trusted partner in making technology more accessible and effective.
Internet Download Manager Activation Script - An Open-Source Tool to ActivateInternet Download Manager Activation Script - An Open-Source Tool to ActivateDecember 10, 2023

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *