Using acme.sh on the proxmox host to generate Letsencrypt certificates
With this we show how to use acme.sh instead of the original Letsencrypt interface.
Acme.sh is just a Bash script that can run on pretty much any *nix environment.
It is quite simple but also quite powerful.
In this guide I will use the cheap and good Dynu service to configure a domain.
Using the DNS allows you to completely bypass the need to point the port 80 of the domain to the machine.
As a matter of fact, there is absolutely ZERO NETWORK configuration needed to generate the certificate.
All you need is curl/wget and an outbound internet connection.
The magic happens at the DNS side and you receive the certificate ready to use.
There are many other DNS providers supported (GoDaddy, etc).
This may also solve the Armageddon Warnings the Browsers show for self-signed certificates.
Just need to make sure the certificate domain name points to the correct IP on the local network (could add to router DNS).
If you want to use your DNS provider, you will need to have your domain registered with them, obviously.
You may also need to add the subdomain to their DNS records. On Dynu I just add it as a Dynamic DNS entry.
Your DNS provider should also be supported by acme.sh, or you will need to create a DNS file for your system's API.
There are a lot of supported providers though, so this should rarely happen.
ssh into proxmox host (change IP address)
We will use git, install it
apt-get update
apt-get install git
Let's create a work folder
cd /root
mkdir workfolder
cd workfolder
Download acme.sh with git
git clone 'https://github.com/Neilpang/acme.sh.git'
cd acme.sh
Install with account (change email address)
./acme.sh --install --accountemail "[email protected]"
If all went fine it was installed to /root/.acme.sh
and it has also set a crontab job.
List crontab to check
# crontab -l
24 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
At this point acme.sh is fully operational and can be used in any mode of operation.
Go to the acme.sh installation folder
cd /root/.acme.sh
Edit the account.conf file and add your Dynu credentials
nano account.conf
# vi account.conf # use vi if you prefer
You need to have an API subscription with Dynu and then generate a ClientId / Secret.
The account.conf will look something like this:
ACCOUNT_EMAIL='[email protected]'
Dynu_ClientId='82637c92-9de7-92fb-2314-2fd378645092'
Dynu_Secret='dfkj328GBs1DSf09ma0sdf9GSD023ds'
If all info is correct, you can then use the Dynu API with acme.sh to generate the certificates.
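A quick audit of the account.conf described above, as an added example that is not part of the original guide or of acme.sh: it checks that the file holding the Dynu API secret has no group/other permission bits and that both keys are non-empty. The function name audit_acme_conf and the sample values are made up for illustration, and it assumes the KEY='value' line format shown above.

```shell
#!/bin/sh
# Added example (not part of acme.sh): audit the file holding DNS API secrets.
# Assumption: values are stored as KEY='value' lines, as in the sample above.

# audit_acme_conf FILE: prints findings, returns the number of problems found.
audit_acme_conf() {
    conf=$1
    problems=0

    if [ ! -f "$conf" ]; then
        echo "MISSING: $conf is not a regular file"
        return 1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits;
    # anything but ------ exposes the plaintext secret beyond the owner.
    mode=$(ls -ld -- "$conf" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ]; then
        echo "OK: mode $mode"
    else
        echo "PERMS: mode $mode, fix with: chmod 600 $conf"
        problems=$((problems + 1))
    fi

    # dns_dynu needs both values to call the Dynu API.
    for key in Dynu_ClientId Dynu_Secret; do
        if grep -Eq "^${key}='[^']+'" "$conf"; then
            echo "OK: $key is set"
        else
            echo "CONFIG: $key is missing or empty"
            problems=$((problems + 1))
        fi
    done

    return "$problems"
}

# Demo on a constructed sample: world-readable file with an empty secret.
demo=$(mktemp)
printf '%s\n' "Dynu_ClientId='constructed-id'" "Dynu_Secret=''" > "$demo"
chmod 644 "$demo"
audit_acme_conf "$demo" || echo "problems found: $?"
rm -f "$demo"
```

On the Proxmox host, call it as audit_acme_conf /root/.acme.sh/account.conf after editing the file.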
We will use the default acme.sh folder to generate and then a second call to install the certs.
- This will have a 120s wait for the DNS to change and apply
- One of the good benefits of Dynu is that they have 90s/120s TTL
To issue a certificate through Dynu you can use
./acme.sh --debug --issue --dns dns_dynu -d my.sub.domain.net
If you want to test using the stage server first, just add --test
./acme.sh --debug --issue --dns dns_dynu -d my.sub.domain.net --test
But then you will need to use --force to overwrite the test cert
./acme.sh --debug --issue --dns dns_dynu -d my.sub.domain.net --force
If all went fine and you have valid certificates, you can install them on the PVE interface.
Please change the subdomain
./acme.sh --debug --installcert -d my.sub.domain.net \
--keypath /etc/pve/local/pveproxy-ssl.key \
--fullchainpath /etc/pve/local/pveproxy-ssl.pem \
--reloadcmd "systemctl restart pveproxy"
In a single line
./acme.sh --debug --installcert -d my.sub.domain.net --keypath /etc/pve/local/pveproxy-ssl.key --fullchainpath /etc/pve/local/pveproxy-ssl.pem --reloadcmd "systemctl restart pveproxy"
You may need to tell your router/gateway to point the domain to the LOCAL IP instead of the internet IP so you can use the domain to access proxmox locally.
Or else you can edit your /etc/hosts or C:\Windows\system32\etc\hosts file for a local config.
A host config would look like: IP <space> domain
10.0.1.210 pve-node2.mydomain.net
Never used the WebGUI for this. Seems simple enough with @adcurtin 's answer.