Proxmox - Update SSL/TLS Certificates
This tutorial will show you how to manually update your Proxmox server's TLS certificates without using the built-in Let's Encrypt plugins. This approach works no matter what setup you have, and it lets me run a central automated service that manages and renews all my Let's Encrypt TLS certificates. That way there is one place that holds API access to whichever DNS provider I am using, and I can put any number of strict security checks around it.
Steps
There are many ways to update your TLS certificates. Pick the route below that is appropriate for you.
WEB UI Option
This option is the easiest/safest to use, and what I reckon most people will do, but it requires a lot of manual clicking around.
Acquire your TLS certificates in whichever manner is appropriate to you.
Copy/paste the contents of the certificates into the web UI by clicking on your node, clicking on System -> Certificates, and then clicking the button labelled Upload Custom Certificate.
Manual CLI Option
This option is appropriate if you want to use some sort of BASH script on your server to automatically pull down and update the certificate files.
Acquire your TLS certificates in whichever manner is appropriate to you.
For this you just want the "combined" or "fullchain" certificate (the site certificate and the certificate-authority certificate in one file), and the private key.
SSH into your Proxmox server and replace the contents of these files:
- /etc/pve/local/pveproxy-ssl.pem - your combined certificate file.
- /etc/pve/local/pveproxy-ssl.key - your private key.
/etc/pve/local is a node-specific symlink to /etc/pve/nodes/{NODENAME}.
After having done that, you need to restart the proxy service for the certificates to be put into use. You can do this by running:
sudo pveproxy restart
That's it! Your new certificates should now be in place and being used.
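As an added example (not code from the original post), here is a shell function that performs the manual CLI steps above with a few sanity checks in front of them: it refuses a file that is not a fullchain, a key that does not belong to the certificate, or a certificate that is about to expire, and it only restarts pveproxy when the files actually changed. It assumes the openssl CLI is present and that it runs as root on the node; the PVE_CERT_DIR variable and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example: install fullchain + key into the paths named on this page and
# restart pveproxy only when something changed. Not Proxmox's own tooling.
set -eu

# /etc/pve/local is the node-specific symlink to /etc/pve/nodes/<node>
PVE_CERT_DIR="${PVE_CERT_DIR:-/etc/pve/local}"

# Number of certificates in a PEM file; a fullchain carries at least two (site + CA).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# The certificate and key belong together when their public keys are identical.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Fails if the site certificate (first in the chain) expires within $2 days.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-7} * 86400 ))" >/dev/null
}

# install_pve_cert FULLCHAIN KEY [RESTART_CMD]
# Returns 0 after installing, 3 when nothing changed, 1 when a check fails
# (nothing is written in that case).
install_pve_cert() {
    chain="$1"; key="$2"; restart="${3:-pveproxy restart}"
    [ "$(count_certs "$chain")" -ge 2 ] || { echo "$chain is not a fullchain" >&2; return 1; }
    cert_matches_key "$chain" "$key"    || { echo "certificate/key mismatch" >&2; return 1; }
    cert_not_expiring "$chain" 7        || { echo "certificate expires within 7 days" >&2; return 1; }
    if cmp -s "$chain" "$PVE_CERT_DIR/pveproxy-ssl.pem" \
       && cmp -s "$key" "$PVE_CERT_DIR/pveproxy-ssl.key"; then
        return 3
    fi
    # Plain cp: pmxcfs (the filesystem behind /etc/pve) fixes ownership and mode itself.
    cp -- "$chain" "$PVE_CERT_DIR/pveproxy-ssl.pem"
    cp -- "$key"   "$PVE_CERT_DIR/pveproxy-ssl.key"
    $restart   # unquoted on purpose so "pveproxy restart" splits into command + argument
}
```

A cron or systemd timer on the node can call install_pve_cert on the files your central renewal service drops off; exit status 3 lets the job stay quiet when nothing changed.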
API Option
Apparently you can use the API to upload custom certificates, but I haven't tried/documented this yet. However, it may be worth looking into for automation.
Warning - Other Certificate Paths
When I initially did this, I first found and replaced the certificates at:
- /etc/pve/nodes/{NODE NAME}/pve-ssl.pem
- /etc/pve/nodes/{NODE NAME}/pve-ssl.key
Do not do this! It will look like it works initially, but will break other things such as making SPICE connections to your VM guests, which took me forever to diagnose and fix.
Debugging - Spice No Longer Working
If you find that your SPICE connections are not working, then you might have made the same mistake I did and updated the wrong certificate files. For me, all I had to do was have Proxmox regenerate its self-signed certificates using the commands below, then stop and start the guest VM, and then try the SPICE connection again.
#!/bin/bash
# Run as root on the affected node.
# Make sure your hostname is set correctly in both /etc/hostname and
# in the output of the hostname command.
# Also make sure the domain is correct in the "search" line of /etc/resolv.conf.
set -e
NODENAME="$(hostname)"   # the original used the author's node name, proxmox1

# Remove any existing self-signed certs (-f so a missing file does not abort)
rm -f /etc/pve/pve-root-ca.pem
rm -f /etc/pve/priv/pve-root-ca.key
rm -f "/etc/pve/nodes/${NODENAME}/pve-ssl.pem"
rm -f "/etc/pve/nodes/${NODENAME}/pve-ssl.key"

# Regenerate the cluster CA and node certificate
pvecm updatecerts -f

# Restart the proxy service so it picks up the new files
sudo pveproxy restart
First published: 26th March 2024