How to Install an SSL Certificate on Proxmox

Proxmox Virtual Environment (Proxmox VE) is an open-source server virtualization platform based on QEMU/KVM and LXC containers. It allows you to manage virtual machines and containers efficiently.

By default, Proxmox uses self-signed SSL certificates to encrypt the web interface. However, self-signed certificates do not provide valid identity assurance and are flagged as insecure by web browsers. To securely access the Proxmox web interface from remote clients and avoid browser warnings, you need to install a valid SSL certificate issued by a trusted Certificate Authority (CA) on Proxmox.

In this comprehensive guide on how to install an SSL certificate on Proxmox, we will walk you through the entire process of procuring an SSL certificate suitable for Proxmox and installing it.

Prerequisites

Before you begin with the SSL installation process, make sure that:

  • You have administrative access to the Proxmox VE host.
  • The Proxmox web interface is accessible over HTTPS on port 8006.
  • You have registered a valid domain name for the Proxmox host and have control over its DNS records.
  • The firewall allows HTTPS traffic on port 8006.

Step-by-Step In-Depth Guide on How to Install an SSL Certificate on Proxmox

Follow these steps to install an SSL certificate on Proxmox. This guide provides a detailed walkthrough of the process to securely encrypt Proxmox web traffic.

  • Determine Type of SSL Certificate Required
  • Generate a CSR
  • Purchase and Receive SSL Certificate
  • Install the SSL Certificate
  • Redirect HTTP to HTTPS
  • Verify Installation

Step 1: Determine Type of SSL Certificate Required

Proxmox supports standard single domain SSL certificates as well as wildcard certificates. Wildcard certificates are more expensive but can secure unlimited subdomains on your domain.

Some factors to consider when choosing the certificate type:

  • Number of Subdomains: If you only need to secure the main proxmox domain name (e.g. proxmox.yourdomain.com), a single domain certificate is sufficient. For securing unlimited subdomains, use a wildcard certificate.
  • Number of Nodes: If you have a multi-node Proxmox cluster, you need either multiple single domain certificates or a single wildcard certificate valid for the main domain.
  • Validity Period: Subscription-based certificates minimize the administrative overhead of renewals by auto-renewing each year. But you pay a higher yearly cost. Perpetual certificates have a longer validity (2-3 years) but need manual renewal.
  • Budget: Wildcard certificates cost more than single domain certificates. But you can get SSL certificates for very affordable prices from SSL resellers.

Once you decide the SSL certificate type, proceed to the next step.

Step 2: Generate a CSR

To obtain an SSL certificate for Proxmox, you need to generate a Certificate Signing Request (CSR). The CSR contains information about your organization and key details about the Proxmox server.

Follow these steps to generate a CSR on your Proxmox VE host:

  • Access the Proxmox shell by opening an SSH session or through the web-based terminal.
  • Switch to the root user:
su -
  • Go to the directory where the CSR will be created:
cd /etc/pve/nodes/<node_name>/
  • Generate a 2048-bit private key:
openssl genrsa -out proxmox.key 2048
  • Next, generate the CSR using the following command:
openssl req -new -key proxmox.key -out proxmox.csr
  • You will be prompted to enter details like organization name, domain name, locality, etc. Provide accurate information.
  • Finally, verify the contents of the CSR:
openssl req -text -noout -in proxmox.csr
  • Copy the CSR to submit it to the SSL provider.

Note: The CSR generation process will differ slightly if you are using an external tool or the SSL provider’s CSR generator. But the required information input is the same.
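
Browsers match the hostname against the certificate's Subject Alternative Name, and a cluster needs every node's name covered. The script below is an added example, not part of the original guide: it creates the key and CSR without prompts and lists the requested names for review. The function names, the hostnames and the output directory are assumptions for illustration, and -addext requires OpenSSL 1.1.1 or later.

```bash
#!/usr/bin/env bash
# Added example: non-interactive key + CSR with Subject Alternative Names.
# Hostnames and the output directory are placeholders, not values from the guide.
set -eu

# make_csr OUTDIR FQDN [FQDN...]  (first FQDN becomes the CN; all go into the SAN)
make_csr() {
    local outdir="$1"; shift
    local cn="$1" san="" name
    for name in "$@"; do san="${san:+$san,}DNS:$name"; done
    mkdir -p "$outdir"
    # umask 077 so the private key is created readable by its owner only.
    ( umask 077
      openssl genrsa -out "$outdir/proxmox.key" 2048 2>/dev/null
      openssl req -new -key "$outdir/proxmox.key" -out "$outdir/proxmox.csr" \
          -subj "/CN=$cn" -addext "subjectAltName=$san" )
}

# Print the DNS names a CSR requests, one per line, for review before submission.
csr_san_names() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -e 's/^ *//' -e 's/ *$//' -e 's/^DNS://'
}

# Example run (constructed hostnames):
#   make_csr ./csr-out pve1.example.com pve2.example.com
#   csr_san_names ./csr-out/proxmox.csr
```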

Step 3: Purchase and Receive SSL Certificate

Once you have the CSR ready, it’s time to purchase the SSL certificate. Here are the steps:

  • Determine your preferred Certification Authority (CA). We recommend Comodo, DigiCert, Sectigo, and GeoTrust.
  • Purchase the certificate type you decided on: single domain or wildcard. The CSR is required during the purchase process.
  • If the CA requires domain ownership to be validated, follow their instructions to verify control over your domain.

Some time after purchase, you will receive an email with the SSL certificate files. The delay depends on whether domain validation is required for the certificate type purchased.

Step 4: Install the SSL Certificate

Once you receive the SSL certificate from the CA, it needs to be installed on the Proxmox host. Follow these steps:

  • Extract and copy the following SSL certificate files to the Proxmox node:
      • Full Chain file (named like fullchain.pem or bundle.crt): Contains the end-entity (your domain) certificate + intermediate certificates in PEM format.
      • Private Key file (yourdomain.key): The private key created while generating the CSR.
  • Transfer the full chain file and private key to the Proxmox node:
scp fullchain.pem root@proxmox_IP:/etc/pve/nodes/node_name/pveproxy-ssl.pem
scp yourdomain.key root@proxmox_IP:/etc/pve/nodes/node_name/pveproxy-ssl.key
  • SSH into the Proxmox node and set proper permissions on the keys:
chmod 600 /etc/pve/nodes/node_name/pveproxy-ssl.key
  • Edit the main Proxmox configuration file /etc/pve/local/pveproxy-ssl.cfg and add the following lines:
ssl-cert=/etc/pve/nodes/node_name/pveproxy-ssl.pem
ssl-key=/etc/pve/nodes/node_name/pveproxy-ssl.key
  • Finally, restart the Proxmox proxy service:
systemctl restart pveproxy

That’s it! The SSL certificate is now active on your Proxmox virtualization platform.
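
A key that does not match the certificate, or a bundle with the certificates in the wrong order, is easier to catch before the files are copied into place. The following is an added example, not part of the original guide, that checks the pair and the remaining validity; the function names and the 30-day threshold are assumptions.

```bash
#!/usr/bin/env bash
# Added example: checks to run on the CA's files before copying them into place.
set -eu

# 0 if the FIRST certificate in PEM file $1 carries the public key of private key $2.
# Also catches a bundle whose intermediate was pasted ahead of the leaf.
cert_matches_key() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the first certificate in $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Number of certificates in the bundle (leaf plus intermediates).
chain_length() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# preflight FULLCHAIN KEY [MIN_DAYS]; returns 1 on key mismatch, 2 on near expiry.
preflight() {
    local chain="$1" key="$2" min_days="${3:-30}"
    cert_matches_key "$chain" "$key" ||
        { echo "FAIL: private key does not match leaf certificate" >&2; return 1; }
    valid_for_days "$chain" "$min_days" ||
        { echo "FAIL: certificate expires within $min_days days" >&2; return 2; }
    [ "$(chain_length "$chain")" -ge 2 ] ||
        echo "WARN: no intermediate certificates in $chain" >&2
    echo "OK: $(openssl x509 -in "$chain" -noout -subject -enddate | tr '\n' ' ')"
}

# Example run with the file names used in Step 4:
#   preflight fullchain.pem yourdomain.key 30
```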

Step 5: Redirect HTTP to HTTPS

Since Proxmox allows accessing the web interface via plain HTTP on port 8006, it is recommended to redirect all HTTP traffic to HTTPS to ensure encryption.

To redirect HTTP to HTTPS in Proxmox:

  • Edit /etc/pve/nodes/node_name/pveproxy.cfg
  • Under the listen section, modify it to look like:

listen:
: 127.0.0.1:8006
: IP:8006
   ssl: 'on'
    proto: https
  • Save changes and restart pveproxy:
systemctl restart pveproxy

Now when you try accessing Proxmox on HTTP, it will automatically redirect to the HTTPS address.

Step 6: Verify Installation

Once the SSL certificate is installed, verify that it is working correctly:

  • Open the Proxmox web UI in a web browser at https://your-proxmox-domain:8006
  • Check for any browser warnings or errors. The website should load over HTTPS without any issues.
  • Click the lock icon in the address bar and inspect the certificate details. Verify the domain name, the "Issued to" value, and the expiry date.
  • Use the openssl s_client command to connect and check the certificate details:
openssl s_client -connect your-proxmox-domain:8006
  • Use online SSL test tools to analyze the TLS encryption strength and confirm chain of trust.

If any issues crop up, recheck the certificate file paths, permissions, and pveproxy configuration.

Renewing the SSL Certificate

The SSL certificate will expire after the validity period, requiring renewal.

For subscription certificates, renewal is automatically done by the CA. But you may need to re-install the renewed certificate files.

For perpetual certificates, you need to manually renew the certificate before expiry:

  • Generate and submit a fresh CSR following steps 1-4.
  • Download and install the renewed certificate issued by the CA.
  • Restart Proxmox proxy to load the new certificate.

Set calendar reminders ahead of expiration to ensure renewal is smooth and on time.

Priya Mervana

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.