How to Install an SSL Certificate on Proxmox Virtual Environment?


What is Proxmox?

Proxmox Virtual Environment (Proxmox VE) is an open source virtualization platform based on QEMU/KVM and LXC.

It lets administrators monitor and control running VMs and containers without direct access to the physical infrastructure, which makes it suitable for large-scale data centers as well as smaller networks.

Proxmox VE has a built-in web GUI that enables secure management of VMs, storage, networks and clusters, with features such as HA, backup/restore and smooth live migration between nodes.

Prerequisites

Here are some things to check before you start the process of installing SSL:

  • You have root level access to the Proxmox VE host where most of the work is to be carried out.
  • The Proxmox management interface is available over a secure connection using HTTPS on port 8006.
  • You have set up a domain pointing to the IP of the Proxmox host and can update its DNS records should the need arise.
  • The firewall permits HTTPS on port 8006 but blocks all other traffic coming from dangerous sites.

Steps to Install an SSL Certificate on Proxmox

These are the procedures to follow to successfully install an SSL certificate on Proxmox. This tutorial will guide you step by step on how to safely and effectively encrypt web traffic in the Proxmox environment.

Step 1: Determine Type of SSL Certificate Required

Proxmox supports traditional single domain SSL certificates, which cover one domain name, as well as wildcard certificates. Wildcard certificates are more costly than the other types, but they cover an unlimited number of subdomains under your domain.

Consider the following aspects when choosing the type of certificate to issue:

Number of Subdomains: If you require SSL for the primary Proxmox domain name only (for instance, if the web address is proxmox.yourdomain.com), a single domain SSL certificate will suffice. To cover unlimited subdomains, a wildcard SSL certificate is recommended.

Number of Nodes: In a multi-node Proxmox cluster, it is possible to use either multiple single domain certificates or a single wildcard certificate for the main domain.

Validity Period: An annual subscription makes renewal easy to handle, since the certificates renew automatically each year. However, you pay higher yearly installments in return. Perpetual certificates have a validity of between two and three years, but they require manual renewal.

Budget: As for the price, wildcard SSL certificates are more expensive compared with the single domain SSL certificates. However, you can obtain SSL certificates at very low prices from SSL resellers to kick start the process.

Once you decide on the SSL certificate type, proceed to the next step.

Step 2: Generate a CSR

To get an SSL certificate for Proxmox, you first have to create a Certificate Signing Request (CSR). The CSR provides information on your organization and several essential details of the Proxmox server.

You can use our automated CSR Generation Tool or do it manually.

Follow these steps to generate a CSR on your Proxmox VE host:

The Proxmox shell can be reached either over an SSH connection or through the web-based console.

Switch to the root user

su -

Go to the directory where CSR will be created

cd /etc/pve/nodes/<node_name>/

Generate a 2048-bit private key

openssl genrsa -out proxmox.key 2048

Generate the CSR using the following command:

openssl req -new -key proxmox.key -out proxmox.csr

Enter the details like organization name, domain name, locality, etc. Provide accurate information.

Verify the contents of CSR

openssl req -text -noout -in proxmox.csr

Copy the CSR to submit it to the SSL provider
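
A scripted variant of the commands in this step (an added example, not part of the original article): it creates the key under a restrictive umask, requests the host names as subjectAltName entries with -addext (OpenSSL 1.1.1 or later), and verifies the CSR before it is submitted. The function names make_csr and csr_names, the temporary output directory and the second host name pve2.yourdomain.com are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: non-interactive CSR for Step 2 with subjectAltName entries.
# Usage: make_csr <out_dir> <primary_hostname> [additional_hostname ...]
make_csr() {
  local dir=$1 cn=$2 san name
  shift 2
  san="DNS:$cn"
  for name in "$@"; do san="$san,DNS:$name"; done
  (
    umask 077   # the key file is created readable by its owner only
    openssl genrsa -out "$dir/proxmox.key" 2048 2>/dev/null
  ) || return 1
  openssl req -new -key "$dir/proxmox.key" -out "$dir/proxmox.csr" \
    -subj "/CN=$cn" -addext "subjectAltName=$san" || return 1
  # Confirm the CSR's self-signature before submitting it.
  openssl req -in "$dir/proxmox.csr" -noout -verify 2>/dev/null
}

# Host names requested in a CSR, one per line.
csr_names() {
  openssl req -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Constructed demo: writes a throwaway key and CSR to a temporary directory.
demo=$(mktemp -d)
make_csr "$demo" proxmox.yourdomain.com pve2.yourdomain.com
csr_names "$demo/proxmox.csr"
```

For a wildcard request, pass the name quoted, for example '*.yourdomain.com', as the primary host name.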

Step 3: Receive Your SSL Certificate

Once the CSR is created, it is time to procure the SSL certificate. Here are the steps:

Once the order is complete, you will be provided the SSL certificate files either via email or FTP. Delivery is delayed by additional checks if domain validation is mandatory or the type of certificate purchased requires it.

Step 4: Install the SSL Certificate

After obtaining the certificate from the CA, install it on the Proxmox server. Follow these steps:

Extract and copy the following SSL certificate files to the Proxmox node:

Full Chain file (named like fullchain.pem or bundle.crt): A PEM-formatted file containing the end-entity (your domain) certificate plus one or more intermediate certificates.

Private Key file (yourdomain.key): The key that was generated when creating the CSR, used for decrypting data that is sent to the server by the client.

Copy the full chain file and private key over to the Proxmox node.

scp fullchain.pem root@proxmox_IP:/etc/pve/nodes/node_name/pveproxy-ssl.pem
scp yourdomain.key root@proxmox_IP:/etc/pve/nodes/node_name/pveproxy-ssl.key

Log into the Proxmox node via SSH and ensure the right permissions are set on the key.

chmod 600 /etc/pve/nodes/node_name/pveproxy-ssl.key

Modify the primary Proxmox configuration file, located at /etc/pve/local/pveproxy-ssl. Then append the following lines:

ssl-cert=/etc/pve/nodes/node_name/pveproxy-ssl.pem
ssl-key=/etc/pve/nodes/node_name/pveproxy-ssl.key

Force the proxy service of Proxmox to restart

systemctl restart pveproxy

The SSL certificate is now active on your Proxmox virtualization platform.
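
A check for the two files named in this step, best run before they are copied to the node and pveproxy is restarted (an added example, not part of the original article): it confirms that the private key belongs to the first certificate in the full chain file, that the certificate is not about to expire, and that it is valid for the host name. The function names check_install and make_sample are assumptions, and the sample certificate is a constructed, throwaway self-signed one standing in for the files the CA returns.

```shell
#!/usr/bin/env bash
# Added example: pre-install checks for the Step 4 files.
# Usage: check_install <fullchain.pem> <private.key> <hostname> [min_days_left]
check_install() {
  local cert=$1 key=$2 host=$3 days=${4:-30} kpub cpub
  # Public key derived from the private key (PEM SubjectPublicKeyInfo).
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "FAIL: cannot read private key $key"; return 2; }
  # openssl x509 reads only the first PEM block, so a match also confirms
  # that the end-entity certificate comes first in the full chain file.
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "FAIL: cannot read certificate $cert"; return 2; }
  [ "$kpub" = "$cpub" ] \
    || { echo "FAIL: key does not match first certificate in $cert"; return 1; }
  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null \
    || { echo "FAIL: certificate expires within $days days"; return 1; }
  # -checkhost prints "does match" or "does NOT match" for the given name.
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' \
    || { echo "FAIL: certificate is not valid for $host"; return 1; }
  echo "OK: $cert and $key are a pair, valid for $host"
}

# Constructed sample input: a throwaway self-signed certificate and two keys
# written to the directory $1.
make_sample() {
  openssl genrsa -out "$1/yourdomain.key" 2048 2>/dev/null
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/yourdomain.key" -days 90 \
    -subj "/CN=proxmox.yourdomain.com" -out "$1/fullchain.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_install "$demo_dir/fullchain.pem" "$demo_dir/yourdomain.key" proxmox.yourdomain.com
check_install "$demo_dir/fullchain.pem" "$demo_dir/other.key" proxmox.yourdomain.com || true
```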

Step 5: Redirect HTTP to HTTPS

Port 8006 is used to access the Proxmox web interface through plain HTTP, but it is advisable to change the config file so that all HTTP requests are redirected to HTTPS.

To redirect HTTP to HTTPS in Proxmox:

Edit /etc/pve/nodes/node_name/pveproxy.cfg.

Change the listen section so that it appears as:

listen:
            : 127.0.0.1:8006
            : IP:8006
                        ssl: 'on'
                        proto: https

After that, save all changes and restart pveproxy

systemctl restart pveproxy

Step 6: Verify Installation

Open the Proxmox web UI in a web browser by entering the address: https://your-proxmox-domain:8006

Look for any alert or error message that the browser might be displaying. The site should open over HTTPS without any problem.

Right-click on the lock icon in the address bar to view the certificate information. Check the domain name, issued to, and expiry date values.

To connect and check the details of the certificate from the command line, use the openssl s_client command.

openssl s_client -connect your-proxmox-domain:8006

Utilize online SSL test tools to evaluate the strength of TLS encryption and to verify the chain of trust.

Conclusion

Secure your website, files, and clients with one of the finest portfolios of SSL certificates. Whether you are looking for a basic single domain, a wildcard, or a multi-domain certificate, Certera will have the right type of solution for you.