-
-
-
- Austria (27)
- General (16)
- HowTo (122)
- IT Security (129)
- Linux (127)
- Networking (65)
- Other (3)
-
- CDemu - a free, gpl cd/dvd-rom device emulator for linux
- heatpumpMonitor - Monitoring a Stiebel Eltron LWZ
- ignis backup tool - the heat-strengthened backup tool
-
- December 2021 (2)
- September 2019 (1)
- May 2019 (1)
- April 2019 (1)
- January 2019 (1)
- October 2018 (1)
- August 2018 (1)
- February 2018 (1)
- September 2017 (1)
- August 2017 (2)
- May 2017 (1)
- April 2017 (1)
- February 2017 (1)
- January 2017 (2)
- December 2016 (1)
- November 2016 (2)
- October 2016 (1)
- September 2016 (1)
- August 2016 (1)
- July 2016 (2)
- April 2016 (1)
- March 2016 (3)
- February 2016 (4)
- January 2016 (2)
- December 2015 (2)
- November 2015 (2)
- September 2015 (2)
- July 2015 (5)
- June 2015 (4)
- May 2015 (2)
- February 2015 (1)
- January 2015 (4)
- December 2014 (1)
- November 2014 (5)
- October 2014 (4)
- September 2014 (1)
- August 2014 (4)
- July 2014 (3)
- June 2014 (5)
- May 2014 (5)
- April 2014 (1)
- March 2014 (2)
- February 2014 (3)
- January 2014 (5)
- December 2013 (2)
- November 2013 (3)
- September 2013 (3)
- August 2013 (2)
- May 2013 (4)
- April 2013 (1)
- March 2013 (1)
- February 2013 (3)
- December 2012 (3)
- November 2012 (3)
- October 2012 (1)
- September 2012 (2)
- June 2012 (1)
- May 2012 (1)
- April 2012 (1)
- March 2012 (1)
- February 2012 (1)
- January 2012 (1)
- December 2011 (4)
- November 2011 (1)
- August 2011 (1)
- March 2011 (1)
- October 2010 (1)
- May 2010 (3)
- January 2010 (1)
- September 2009 (1)
- August 2009 (5)
- July 2009 (5)
- June 2009 (4)
- May 2009 (1)
- April 2009 (1)
- January 2009 (1)
- December 2008 (6)
- November 2008 (6)
- October 2008 (2)
- September 2008 (11)
- August 2008 (4)
- July 2008 (7)
- June 2008 (2)
- May 2008 (7)
- April 2008 (5)
- March 2008 (9)
- February 2008 (15)
- January 2008 (11)
- December 2007 (3)
Setup Let’s encrypt TLS certificate for Proxmox [Update]
February 21, 2016
The graphical interface of Proxmox runs on port 8006 and uses HTTPS. By default this is a self signed certificate, which is a problem if you login in from a client the first time. In this case you’re not sure if there is no MitM attack going on. But there is a solution for this by using Let’s encrypt.
First you need to install git
apt-get install git
download the client software
cd /root
git clone https://github.com/letsencrypt/letsencrypt
and now you need to “patch” it as with running containers the check for a free port 80 most likely fails as a container with a running a web server is quite common. Open this file /root/letsencrypt/letsencrypt/plugins/util.py with an editor and place
return False
as first command in the already_listening method. Make sure that it is aligned with the line above and below as Python requires that. It should look this:
ps: If you started to read this article after calling ./letsencrypt-auto the first time you also need to patch following file the same way.
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/util.py
[Update] In the newer version the client is called certbot and so the path got changed to
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/plugins/util.py
[/Update]
Now make sure that Port 80 is not firewalled and therefore reachable from the Internet and call following command:
cd /root/letsencrypt/
./letsencrypt-auto certonly --standalone --standalone-supported-challenges http-01 -d <dnsname>
Replace with the <dnsname> with the dns name you use to connect to the management Web GUI. If all worked, you should see following:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live//fullchain.pem. Your cert
will expire on 2016-05-21. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
....
Now only saving the old certificate with these commands …
mv /etc/pve/pve-root-ca.pem /etc/pve/pve-root-ca.pem.orig
mv /etc/pve/local/pve-ssl.key /etc/pve/local/pve-ssl.key.orig
mv /etc/pve/local/pve-ssl.pem /etc/pve/local/pve-ssl.pem.orig
and copying the new ones to the correct place …
cp /etc/letsencrypt/live/<hostname>/chain.pem /etc/pve/pve-root-ca.pem
cp /etc/letsencrypt/live/<hostname>/privkey.pem /etc/pve/local/pve-ssl.key
cp /etc/letsencrypt/live/<hostname>/cert.pem /etc/pve/local/pve-ssl.pem
followed by a restart of the processes:
service pveproxy restart
service pvedaemon restart
is open.
The last 5 commands are needed, because the special file system Proxmox uses for /etc/pve does not support symlinks. You need to execute that 5 commands after each renewal. The option for this is “renew”. You can/should automate the renew process.
9 Comments »
RSS feed for comments on this post. TrackBack URI
Leave a comment
Powered by WordPress
Entries and comments feeds.
Valid XHTML and CSS.
41 queries. 0.063 seconds.
Thanks for this, it worked perfectly.
You have an issue though – in the cp /etc/let… lines you have your own domain name blackstar.penz.name rather than a note to change the details to the end user’s domain name.
Best regards
Greg
Comment by Greg Fenton — March 15, 2016 #
As a follow on, I use this as my cron job to renew the certificate automatically every 3 months:
0 0 1 JAN,APR,JUL,OCT * cd /root/letsencrypt; ./letsencrypt-auto renew --agree-tos [email protected]Comment by Greg Fenton — March 15, 2016 #
thx, changed that.
Comment by robert — March 16, 2016 #
GReat !
thx
Comment by Henri — May 21, 2016 #
Hey! I have a problem…
View this:
WARNING: unable to check for updates.
Creating virtual environment…
Installing Python packages…
Traceback (most recent call last):
File “/tmp/tmp.1FK3d4Wlgo/pipstrap.py”, line 146, in
exit(main())
File “/tmp/tmp.1FK3d4Wlgo/pipstrap.py”, line 130, in main
for url, digest in PACKAGES]
File “/tmp/tmp.1FK3d4Wlgo/pipstrap.py”, line 112, in hashed_download
response = opener().open(url)
File “/usr/lib/python2.7/urllib2.py”, line 431, in open
response = self._open(req, data)
File “/usr/lib/python2.7/urllib2.py”, line 449, in _open
‘_open’, req)
File “/usr/lib/python2.7/urllib2.py”, line 409, in _call_chain
result = func(*args)
File “/usr/lib/python2.7/urllib2.py”, line 1240, in https_open
context=self._context)
File “/usr/lib/python2.7/urllib2.py”, line 1197, in do_open
raise URLError(err)
urllib2.URLError:
root@pvenefitel:~/letsencrypt#
I do not understand the error, except it comes from python. Any idea how to set this problem?
Thanks!
Comment by Paul — September 11, 2016 #
urllib2 is a library for downloading stuff, so I seems to be fair to guess that something at downloading did not work. Are you using a http proxy, blocking access to internet on that server or something that changes the traffic? An other possibility is that there is a temporary problem with the let’s encrypt server.
Comment by robert — September 11, 2016 #
I do not use a proxy, but I’m on my ADSL (personal connection).
What ports to open? TCP? UDP?
Thanks!
Comment by Paul — September 11, 2016 #
don’t know .. just look with tcpdump if a connection is attempted and not working.
Comment by robert — September 11, 2016 #
I’m looking at, and it is possible that it comes to IPv6
Comment by Paul — September 11, 2016 #