Proxmox SSL

Reasons for doing it this way

The ACME client built into PVE (pvenode acme) has issues creating a CSR that contains an IP address as a subject alternative name. This page therefore requests the certificate with acme.sh directly (DNS name plus IP address), installs it into the pveproxy certificate paths, and keeps it renewed with a systemd timer instead of the PVE-managed ACME job.

Prerequisite

  • install your custom CA root certificate on the PVE node: copy it to /usr/local/share/ca-certificates/lairlan-ca/rootCA.crt and run update-ca-certificates (the same file is handed to acme.sh as --ca-bundle below)
  • DNS entries for the hostname(s) that will appear in the certificate
  • update firewall rules: acme.sh --standalone answers the HTTP-01 challenge on TCP/80, so the ACME CA must be able to reach the node on that port (pveproxy itself listens on 8006, so 80 is free)

Install process

  • Update system and install acme.sh (the Debian package provides /usr/bin/acme.sh, which the systemd unit below calls)
    • apt update && apt upgrade && apt install acme.sh
  • Request a certificate
    •   acme.sh --home /etc/acme.sh \
        --issue --standalone \
        --domain pve01.lair.lan --domain 10.193.141.15 \
        --ca-bundle /usr/local/share/ca-certificates/lairlan-ca/rootCA.crt \
        --server https://ca.lair.lan/acme/lairlan/directory \
        --days 6
    • each identifier gets its own --domain: the first one is the primary name acme.sh files the certificate under (it must match the --domain of the install step), the IP address becomes an IP identifier and ends up as an IP SAN
    • --standalone starts a listener on TCP/80 for the HTTP-01 challenge, so port 80 must be free and reachable from the CA
    • --ca-bundle makes acme.sh trust the private CA's own TLS endpoint at https://ca.lair.lan; --days 6 makes acme.sh renew 6 days after issuance, so the CA must issue certificates that live longer than that plus the daily timer interval, otherwise they expire before they are replaced
  • Install certificate for use with Proxmox
    •   /usr/bin/acme.sh --home /etc/acme.sh \
        --installcert \
        --domain pve01.lair.lan \
        --certpath /etc/pve/local/pveproxy-ssl.pem \
        --keypath /etc/pve/local/pveproxy-ssl.key  \
        --capath  /etc/pve/local/pveproxy-ssl.pem  \
        --reloadcmd  "systemctl restart pveproxy"
    • --certpath and --capath point at the same file on purpose: acme.sh writes the leaf certificate and then appends the CA chain to it, so pveproxy-ssl.pem holds the full chain. PVE reads the custom certificate from /etc/pve/local/pveproxy-ssl.pem and the key from /etc/pve/local/pveproxy-ssl.key (/etc/pve/local is the node's directory in pmxcfs)
    • the paths and the --reloadcmd are stored with the certificate, so every renewal run by the timer below reinstalls both files and restarts pveproxy
  • Install systemd unit for updating certificate
    • cat > /etc/systemd/system/acme.sh.service << EOF
      # /etc/systemd/system/acme.sh.service
      [Unit]
      Description=Renew certificates acquired via acme.sh
      After=network.target network-online.target nss-lookup.target
      Wants=network-online.target nss-lookup.target
      Documentation=https://github.com/acmesh-official/acme.sh/wiki
      
      [Service]
      # With systemd 240 or newer (any current PVE release) use Type=exec instead of Type=simple: exec makes the unit fail at start if the binary cannot be executed
      #Type=exec
      Type=simple
      # The --home argument should be the location of the acme.sh configuration directory.
      # --days must match the value used at --issue time; acme.sh stores the renewal interval per certificate
      ExecStart=/usr/bin/acme.sh --cron --home /etc/acme.sh --log /etc/acme.sh/acme.log --days 6
      # acme.sh returns 2 when renewal is skipped (i.e. certs up to date)
      SuccessExitStatus=0 2
      Restart=on-failure
      
      # lock down system access
      # prohibit any operating system and configuration modification
      ProtectSystem=strict
      # create separate, new (and empty) /tmp and /var/tmp filesystems
      PrivateTmp=true
      # make /home directories inaccessible
      ProtectHome=true
      # turns off access to physical devices (/dev/...)
      PrivateDevices=true
      # make kernel settings (procfs and sysfs) read-only
      ProtectKernelTunables=true
      # make cgroups /sys/fs/cgroup read-only
      ProtectControlGroups=true
      
      # allow writing of the acme.sh state directory (certs, per-domain conf, acme.log)
      ReadWritePaths=/etc/acme.sh/
      # and of the pmxcfs node directory that --installcert writes pveproxy-ssl.pem/.key into
      ReadWritePaths=/etc/pve/local/
      # depending on log and entrypoint configuration, you may need to allow writing to other paths, too
      EOF
  • Install systemd timer to run daily
    • cat > /etc/systemd/system/acme.sh.timer << EOF
      # /etc/systemd/system/acme.sh.timer
      [Unit]
      Description=Run acme.sh daily
      
      [Timer]
      OnCalendar=daily
      RandomizedDelaySec=5m
      Persistent=true
      
      [Install]
      WantedBy=timers.target
      EOF
  • Reload systemd
    • systemctl daemon-reload
  • Enable systemd timer
    • systemctl enable --now acme.sh.timer
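
A post-install check for the steps above. This is an added example, not part of the original page and not code from acme.sh or Proxmox: it verifies that the certificate pveproxy will serve carries the DNS and IP SANs that were requested, that the private key matches it, that the leaf outlives the --days renewal window plus one daily timer run, and that a CA chain follows the leaf. It needs openssl (1.1.1 or newer for -ext); the hostname, IP and paths are the page's own examples.

```shell
#!/bin/sh
# Post-install check for the acme.sh -> pveproxy setup (added example, not part of the
# original page). Hostname/IP/paths below are the page's examples; requires openssl.
set -u

# cert_has_san PEM KIND VALUE  (KIND is "DNS" or "IP Address", exactly as openssl prints it)
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | grep -q "^ *$2:$3\$"
}

# key_matches_cert PEM KEY  (compares the SubjectPublicKeyInfo taken from both files)
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_outlives_window PEM DAYS  (fails if the leaf expires within DAYS+1 days: acme.sh
# renews DAYS days after issuance and the timer only fires daily, so a shorter lifetime
# means the certificate can expire before it is replaced)
cert_outlives_window() {
    openssl x509 -in "$1" -noout -checkend "$(( ($2 + 1) * 86400 ))" >/dev/null
}

# cert_count PEM  (number of certificates in the file; leaf + chain should give >= 2)
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# check_pve_cert PEM KEY HOST IP DAYS  -> returns 0 if every hard check passes, 1 otherwise
check_pve_cert() {
    pem=$1 key=$2 host=$3 ip=$4 days=$5 rc=0
    cert_has_san "$pem" DNS "$host"        || { echo "FAIL: no DNS SAN $host in $pem"; rc=1; }
    cert_has_san "$pem" "IP Address" "$ip" || { echo "FAIL: no IP SAN $ip in $pem"; rc=1; }
    key_matches_cert "$pem" "$key"         || { echo "FAIL: $key does not match $pem"; rc=1; }
    cert_outlives_window "$pem" "$days"    || { echo "FAIL: leaf expires within $days+1 days, renewal would come too late"; rc=1; }
    [ "$(cert_count "$pem")" -ge 2 ]       || echo "WARN: no CA chain after the leaf in $pem"
    return "$rc"
}

# On the node, after the --installcert step:
#   check_pve_cert /etc/pve/local/pveproxy-ssl.pem /etc/pve/local/pveproxy-ssl.key \
#                  pve01.lair.lan 10.193.141.15 6 && echo OK
```

Run it once after the install step and again after the first timer-driven renewal; `systemctl list-timers acme.sh.timer` shows when that run is due and `journalctl -u acme.sh.service` shows what acme.sh did. A FAIL on the IP SAN line means the IP identifier never made it into the order, which is exactly the case the built-in PVE client cannot handle.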

Remove pve configured acme

How to properly remove the PVE-managed ACME certificate and account. Do this before the acme.sh install step above: pvenode acme cert revoke works on the certificate currently installed in /etc/pve/local/pveproxy-ssl.pem, so if it runs after the acme.sh certificate has been installed there, re-run the --installcert step afterwards and check that pveproxy serves the acme.sh certificate again.

  • Revoke the issued cert with the CA (this needs the account key, so do it before deactivating the account)
    • pvenode acme cert revoke
  • Deactivate the account with the CA
    • pvenode acme account deactivate
  • Remove the acme line (and any acmedomainN lines) from the node config /etc/pve/local/config
    • pvenode config set --delete acme (append ,acmedomain0 and so on for any acmedomainN lines present)
    • or edit the file by hand: nano /etc/pve/local/config

Last modified: Thu Jan 22 08:59:37 2026